In SP2013, we are migrating users from Windows Claims to a Trusted Identity Provider (SAML).
I used the below script for registering the token issuer, claim mappings and user migration:
# Register the token-signing certificate and create the trusted identity token issuer (default configuration)
$siteRealm = "urn:sharepoint:realmtst"
$wsfedurl="https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
$filepath="F:\Temp\Cert.cer"
$adfsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $adfsCert
$ap = New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "ID-PROVIDER Functions Default" -realm $siteRealm -ImportTrustCertificate $adfsCert -SignInUrl $wsfedurl -UseDefaultConfiguration -IdentifierClaimIs EMAIL -RegisteredIssuerName $siteRealm
# Same issuer, this time with explicit claim type mappings (e-mail address is the identifier claim)
$realm = "urn:sharepoint:realmtst"
$wsfedurl="https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
$filepath="F:\Temp\Cert.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $cert
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "E-Mail Address" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "Claims Authentication " -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $wsfedurl -IdentifierClaim $map1.InputClaimType -ClaimProvider "Claim-Provider"
# Enable the wreply parameter on the sign-in request
$ap= Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
$ap.UseWReplyParameter = $true
$ap.Update()
# Convert the web application from Windows claims to the trusted provider, keeping existing permissions
$wa = Get-SPWebApplication "WebAppURL"
$tp =Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
Convert-SPWebApplication -id $wa -To CLAIMS-TRUSTED-DEFAULT -From CLAIMS-WINDOWS -TrustedProvider $tp -RetainPermissions
The Convert-SPWebApplication command completed successfully. I checked and verified that all existing users in the web application have now been migrated to the correct claims identity, that is, "i:05.t|id-provider|UserEmail". However, when they try to access the site, they get access denied.
But if I add the same user as a new user to the site collection, the user is able to access the site without any issue.
I'm not sure what mistake I made, as new users are able to access but the existing/migrated users are not. Can someone guide me? Perhaps some changes to the web.config file?
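A check a practitioner would run after the conversion, added here as an example and not part of the original post: it renders the encoded login the trusted provider would issue for a given e-mail address and compares it with the encoded login names stored in each site collection, flagging any stored entry whose prefix or identifier value differs from what the provider produces. The web application URL and the test e-mail address are assumed placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (not from the original post)
$webAppUrl = "https://webapp.example.com"
$testEmail = "user@example.com"

$tp = Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"

# Encoded login the provider will produce for this identifier claim value,
# e.g. i:05.t|id-provider|user@example.com
$expected = (New-SPClaimsPrincipal -Identity $testEmail -TrustedIdentityTokenIssuer $tp).ToEncodedString()
# Everything up to and including the last '|' is the claim-type/provider prefix
$expectedPrefix = $expected.Substring(0, $expected.LastIndexOf("|") + 1)
Write-Host "Provider issues: $expected"

$wa = Get-SPWebApplication $webAppUrl
foreach ($site in $wa.Sites) {
    $web = $site.RootWeb
    foreach ($u in $web.SiteUsers) {
        $login = $u.UserLogin
        # Skip SharePoint groups and claims that are not user identities
        if ($login -notlike "i:*") { continue }

        if ($login -notlike "$expectedPrefix*") {
            # Different claim type or provider name than the issuer now emits
            Write-Host "PREFIX MISMATCH  $($site.Url)  $login"
        }
        elseif ($login -eq $expected) {
            Write-Host "EXACT MATCH      $($site.Url)  $login"
        }
        elseif ($login.ToLower() -eq $expected.ToLower()) {
            # Same identifier apart from letter case; ACL lookups are exact
            Write-Host "CASE MISMATCH    $($site.Url)  $login"
        }
    }
    $site.Dispose()
}
```

Run it from the SharePoint Management Shell as a farm administrator; a migrated user who is denied access but whose stored login prints as EXACT MATCH points to a permission problem rather than an identity-encoding problem.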