User migration from Windows Claims to Trusted Identity Provider

George Thomas 1 Reputation point
2021-10-06T16:54:46.8+00:00

In SP2013, we are migrating users from Windows Claims to Trusted Identity provider (SAML).

I used the below script for registering the token issuer, mapping and user migration:

# Register the trusted root authority and the token issuer (default configuration, e-mail as identifier claim)
$siteRealm = "urn:sharepoint:realmtst"
$wsfedurl = "https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
$filepath = "F:\Temp\Cert.cer"
$adfsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $adfsCert
$ap = New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "ID-PROVIDER Functions Default" -realm $siteRealm -ImportTrustCertificate $adfsCert -SignInUrl $wsfedurl -UseDefaultConfiguration -IdentifierClaimIs EMAIL -RegisteredIssuerName $siteRealm

# Explicit claim type mappings: e-mail (identifier claim), UPN and groups, each passed through unchanged
$realm = "urn:sharepoint:realmtst"
$wsfedurl = "https://login.microsoftonline.com/ea80952e-a476-42d4-aaf4-5457852b0f7e/wsfed"
$filepath = "F:\Temp\Cert.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "ID-PROVIDER" -Certificate $cert
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "E-Mail Address" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
New-SPTrustedIdentityTokenIssuer -Name "ID-PROVIDER" -Description "Claims Authentication " -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $wsfedurl -IdentifierClaim $map1.InputClaimType -ClaimProvider "Claim-Provider"

# Ask the identity provider to return users to the page they originally requested (wreply)
$ap = Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
$ap.UseWReplyParameter = $true
$ap.Update()

# Convert the web application from Windows claims to the trusted provider, keeping existing permissions
$wa = Get-SPWebApplication "WebAppURL"
$tp = Get-SPTrustedIdentityTokenIssuer "ID-PROVIDER"
Convert-SPWebApplication -id $wa -To CLAIMS-TRUSTED-DEFAULT -From CLAIMS-WINDOWS -TrustedProvider $tp -RetainPermissions

The Convert-SPWebApplication command completed successfully. I checked and verified that all existing users in the web application have now been migrated to the correct claims identity, that is, "i:05.t|id-provider|UserEmail". However, when they try to access the site, they get access denied.

But if I add the same user as a new user to the site collection, the user is able to access the site without any issue.

I'm not sure what mistake I made, as new users are able to access the site but the existing/migrated users are not. Can someone guide me? Perhaps some changes to the web.config file?
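Because the existing users' login names were rewritten by Convert-SPWebApplication while the working users were added through the trusted provider directly, a first check a practitioner would want is whether each stored login name is exactly what SharePoint would encode for that user today. The read-only PowerShell audit below is an added example, not code from the question or the answer; it assumes the provider name "ID-PROVIDER" from the question, uses a placeholder site collection URL, and changes nothing in the farm.

```powershell
# Added example (not from the question or answer): audit migrated SPUser login names in a
# site collection against the encoded identity claim the trusted issuer would produce.
# Assumptions: provider name "ID-PROVIDER" (from the question); $siteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "https://sharepoint.example.test/sites/team"   # placeholder, replace with your site
$providerName = "ID-PROVIDER"

$tp = Get-SPTrustedIdentityTokenIssuer $providerName
if (-not $tp) { throw "Trusted identity token issuer '$providerName' not found" }

# The identifier claim type configured on the issuer (the e-mail address claim in the question)
$idClaimType = $tp.IdentityClaimTypeInformation.InputClaimType

function Get-ExpectedLogin {
    param([string]$ClaimValue)
    # Let SharePoint encode the claim instead of hand-building "i:05.t|..." strings,
    # so the prefix, provider name and value are whatever the farm would issue now.
    $principal = New-SPClaimsPrincipal -ClaimValue $ClaimValue -ClaimType $idClaimType `
                    -TrustedIdentityTokenIssuer $tp -IdentifierClaim
    return $principal.ToEncodedString()
}

$site = Get-SPSite $siteUrl
try {
    $web = $site.RootWeb
    # Encoded login names carry the provider name in lower case, e.g. i:05.t|id-provider|user@contoso.com
    $pattern = "i:*|$($providerName.ToLower())|*"

    $report = foreach ($u in Get-SPUser -Web $web -Limit All) {
        if ($u.UserLogin -notlike $pattern) { continue }   # skip Windows/system accounts and groups

        $storedValue = ($u.UserLogin -split '\|')[-1]
        # Prefer the e-mail SharePoint holds for the user; fall back to the value inside the login name
        $sourceValue = if ($u.Email) { $u.Email } else { $storedValue }
        $expected    = Get-ExpectedLogin -ClaimValue $sourceValue

        [pscustomobject]@{
            DisplayName = $u.DisplayName
            Stored      = $u.UserLogin
            Expected    = $expected
            ExactMatch  = ($u.UserLogin -ceq $expected)   # case-sensitive comparison
            CaseOnly    = (($u.UserLogin -ieq $expected) -and ($u.UserLogin -cne $expected))
        }
    }

    # Rows where the stored login differs from what the issuer would produce today
    $report | Where-Object { -not $_.ExactMatch } | Format-Table -AutoSize
    "{0} trusted-provider users checked, {1} mismatched" -f @($report).Count,
        @($report | Where-Object { -not $_.ExactMatch }).Count
}
finally {
    $site.Dispose()
}
```

Run it from the SharePoint Management Shell on a farm server with an account that can read the site collection. A mismatched row shows where the stored login name and the freshly encoded claim diverge (the claim type prefix, the provider name or the value's case); it narrows the search but does not by itself prove the cause of the access denied.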


1 answer

    Yi Lu_MSFT 17,456 Reputation points
    2021-10-08T10:05:30.493+00:00

    Hi @George Thomas
    I found an article about migrating users from Windows Claims to Trusted Identity provider (SAML) without using PowerShell:
    https://adamsorenson.com/sharepoint-20132016-migrate-from-windows-claims-to-adfs/

    If you want to get a certain confirmation, I suggest you open a ticket with Microsoft to confirm.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
