SharePoint Check Permissions on the Site Permissions page works intermittently with SAML claims authentication


Came across an interesting situation: when "Check Permissions" was used to find out a user's permissions on a SharePoint site, it showed "None", and then occasionally worked again without any change having been made to the permissions in SharePoint or to the user account. This started after the customer implemented ADFS for SAML authentication on this specific web application.

Here is the scenario for the setup:

You set up ADFS SAML authentication for a SharePoint web application. ADFS is configured to pass LDAP attributes as claims, with the following mapping:

Identity claim: Email Address

Role claim: Token-Groups - Unqualified Names

Permissions were granted by adding end users to Active Directory groups, and then adding those AD groups to the built-in SharePoint groups.

Note: when adding an AD group to a SharePoint group, the AD group's role claim was selected in the people picker (so the group is represented in SharePoint as a role claim issued by ADFS, not as a Windows security group).

Interestingly, one day you check the effective permissions for a user and they show up; the very next day they don't.

Here is what is happening in the background:

When Check Permissions runs, SharePoint calls the SPSite constructor with the user token of the user whose permissions are being checked. Certain information, such as group membership, is passed through by the identity provider and exists on the SharePoint side only inside that token.

The token will not contain the group membership if either the user is not in the UserInfo table (has not signed in to the site yet),

or

the ExternalToken that SharePoint stored at the user's last sign-in has expired or is incomplete (does not contain the group membership). The only way to rebuild the token is to send the user on a round trip to ADFS to re-authenticate.

So if the user has signed in recently enough, there is an existing token that can be used for the check; otherwise Check Permissions reports that the user has no permissions.
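The following SharePoint Management Shell script is an added example, not code from the original post or from Microsoft. It reproduces what the Check Permissions page does: it takes the user's stored token from the site, opens the site with the SPSite(url, SPUserToken) constructor, and reads the effective permissions SharePoint computes from that token. It then lists which SharePoint groups contain role claims, which does not depend on the token, so the two views can be compared. The site URL, the trusted provider name "ADFS Provider", the login alice@contoso.com and the claim-encoding patterns (i:05.t for an email identity claim, c:0-.t for a role claim from a trusted provider) are assumptions for the example.

```powershell
# Added example (not from the original post). Reproduces the Check Permissions
# behaviour for a SAML user via the server object model. Run in the SharePoint
# Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://intranet.contoso.com"               # assumption
# assumption: trusted provider named "ADFS Provider", identity claim = email address
$login   = "i:05.t|ADFS Provider|alice@contoso.com"

$web = Get-SPWeb $siteUrl
try {
    # A SAML user who has never signed in has no UserInfo entry at all.
    $user = $web.SiteUsers | Where-Object { $_.LoginName -eq $login }
    if (-not $user) {
        Write-Host "No UserInfo entry for $login - the user has not signed in yet; Check Permissions will show None."
        return
    }

    # This is the token Check Permissions hands to the SPSite constructor. For a
    # SAML user it is rebuilt from the external token cached at the last sign-in;
    # the role claims (AD group membership) are only present while that cache is valid.
    $token = $user.UserToken
    Write-Host ("Stored token for {0}: {1} bytes" -f $login, $token.BinaryToken.Length)

    $userSite = New-Object Microsoft.SharePoint.SPSite($siteUrl, $token)
    try {
        $userWeb = $userSite.OpenWeb()
        # EffectiveBasePermissions is evaluated for the token the site was opened with.
        $perms = $userWeb.EffectiveBasePermissions
        Write-Host "Effective permissions computed from the stored token: $perms"
        if ($perms -eq [Microsoft.SharePoint.SPBasePermissions]::EmptyMask) {
            Write-Host "The stored token carries no group membership (expired or incomplete external token)."
            Write-Host "Only an interactive sign-in through ADFS rebuilds it."
        }
        $userWeb.Dispose()
    } finally {
        $userSite.Dispose()
    }

    # For contrast: the static role-assignment view. It shows which SharePoint
    # groups contain a role claim, not whether this user's stored token still
    # proves membership in that claim.
    foreach ($ra in $web.RoleAssignments) {
        $member = $ra.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            # assumption: role claims from a trusted provider are encoded as c:0-.t|<provider>|<group>
            $member.Users | Where-Object { $_.LoginName -like "c:0-.t|*" } | ForEach-Object {
                Write-Host ("SharePoint group '{0}' contains role claim {1}" -f $member.Name, $_.LoginName)
            }
        }
    }
} finally {
    $web.Dispose()
}
```

Run it once for a user who signed in today and again for one who has not signed in for a few days: the role-assignment listing is identical, while the token-based result flips between the real permissions and an empty mask. Calling $web.EnsureUser($login) beforehand does not help: it creates the UserInfo row but no external token containing the role claims, so the check still comes back empty until the user signs in. Reading the external token columns directly from the UserInfo table in the content database would show the same thing, but querying a SharePoint content database is unsupported; stay with the object model.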

The following observations follow from this explanation:

Scenario 1: New user. You create a new user in AD, add it to the required AD group (which has already been added to a SharePoint group), and check the user's permissions.

Observation: Check Permissions fails until the user signs in to the site; once the user has signed in, it continues to work for that day.

Scenario 2: Modified group membership. A user is added to or removed from an AD group to grant or remove permissions.

Observation: actual access works as expected, but Check Permissions does not show the updated membership for about a day (24 hours from the last sign-in), and shows the updated permissions only once the user signs in again and the token is refreshed.

Scenario 3: No changes. Check Permissions shows the required permission for the user on the site today; trying again tomorrow, it may show "None" again.

Observation: if the user does not sign in for a couple of days, Check Permissions shows "None" until the user signs in again.

Note: this issue does not occur with Windows classic, Windows claims, or forms-based authentication for the web application. The behaviour is the same in SharePoint 2010 and 2013.


POST BY: Rajan Kapoor [MSFT]