Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-09-17) Claims Based Authorizations For Sharepoint Through ADFS (Part 4)

Posted by Jorge on 2012-09-17

For the previous part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 3)

Now, we can deploy the webpart that will show us the issued claims within the SP2010 Web Application.

# Add the solution package to the farm
Add-SPSolution "D:\_DEMO\SP2010\Claims-Viewer-WebPart-For-SharePoint2010\bin\Debug\Claims_Viewer_WebPart_For_SharePoint2010.wsp"
# Deploy it to the claims based web application (GAC deployment)
Install-SPSolution -Identity "Claims_Viewer_WebPart_For_SharePoint2010.wsp" -WebApplication https://app-claims.adcorp.lab:446/ -GACDeployment
# Show the feature that came with the solution
Get-SPFeature | Where{$_.SolutionId -eq "965849d4-f447-43ad-8136-e1a02b5a1bc0"} | FL
# Check the site and activate the feature on it
Get-SPWeb https://app-claims.adcorp.lab:446/
Enable-SPFeature "Claims-Viewer-WebPart-For-SharePoint2010_Feature1" -URL https://app-claims.adcorp.lab:446/

The output of all that can be seen in the picture below.


Figure 1: Deploying The Webpart To The Previously Created Sharepoint 2010 Web Application

For more information about deploying/removing a solution package in SharePoint 2010, see: SharePoint 2010 Cookbook: How to Deploy or Remove a Solution Package Using PowerShell Commands and Installing or Uninstalling Features. If you are removing a solution, additionally navigate to “http://<site FQDN>/_catalogs/wp/” (https://app-claims.adcorp.lab:446/_catalogs/wp/) and delete the remaining component of the web part (only the one matching the name you removed previously). If you do not perform this step, the webpart will still be listed in the Sharepoint webpart gallery, but you cannot use it!

So, open up internet explorer and navigate to “https://app-claims.adcorp.lab:446/” and:

  • Click on “Site Actions” –> “Site Settings”
  • Click on “Site Collection Features” (you may need to scroll down first!)
  • Confirm that you are seeing the deployed webpart and that its status is ACTIVE


Figure 2: The Deployed Webpart With Status Being Active

  • Click on “Site Actions” –> “New Site Page”
  • Enter the name “Issued Claims List”


Figure 3: Creating A New Site Page

  • In the recently modified section click “Issued Claims List”
  • Click on “Editing Tools – Insert”
  • Click on “WebPart”
  • Select the CUSTOM category
  • Select the custom webpart called “Claims Viewer WebPart For SharePoint 2010”
  • Click Add


Figure 4a: Adding The WebPart To The Previously Created Web Page

  • Click on the “Save” icon


Figure 4b: The WebPart Added To The Previously Created Web Page


Figure 5: Adding The Issued Claims List Web Page To The Quick Launch

  • Click on “Home”

You should now see the web page under the Libraries section.


Figure 6: Libraries Section With The Issued Claims List Web Page

  • Click on “Issued Claims List”


Figure 7: The Issued Claims Within Sharepoint 2010

Now you may think: “Why is SP2010 using claims while we are using a Windows based account/ID?” The reason is that SP2010 internally works with claims, no matter what! If you look at the OriginalIssuer column you will see “Windows” for a lot of the claims, as that is where the information originated from!

We now need to reconfigure the web application to use the previously configured ADFS authentication provider.

So, start the Sharepoint 2010 Central Administration Web Site and

  • Click on “Central Administration” –> “Manage Web Applications”
  • Click on the Web Application with name “Claims Based Web Application”
  • Click on “Authentication Providers”
  • Click on the “Default Zone”
  • Scroll to the “Claims Authentication Types” section
  • Uncheck “Integrated Windows Authentication”
  • Uncheck “Enable Windows Authentication”
  • Check “Trusted Identity Provider”
  • Check “ADCORP ADFS v2 STS”
  • Scroll down and click SAVE and close the remaining window


Figure 8: Reconfiguring The Sharepoint 2010 Claims Based Web Application To Accept Claims From the Trusted Authentication Provider

To be able to log on to the Web Application now, it is also important to temporarily change the site collection administrator to a federated claims ID instead of the temporarily configured Windows AD account/ID.

So, if not already started, start the Sharepoint 2010 Central Administration Web Site and

  • Click on “Application Management” –> “Change site collection administrators”
  • You will see an error specifying: “This page contains one or more errors. Fix the following before continuing: No exact match was found. Click the item(s) that did not resolve for more options”
  • Make sure the site collection specifies: “https://app-claims.adcorp.lab:446/”
  • Remove any value specified in the Primary Site Collection Administrators and click on the address book icon to the right of that field
  • Enter ADM.ROOT@ADCORP.LAB (=email address as that has been defined as the identity claim during the creation of the authentication provider) in the FIND field and click on the search button
  • Select the E-mail Address node, then click on the user that was found and then click OK
  • Click OK


Figure 9: Reconfiguring The Primary Site Collection Administrator To Be A federated claims ID
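The same two reconfiguration steps (switching the Default zone to the trusted identity provider and making the site collection administrator a federated claims ID) can be done from the SharePoint 2010 Management Shell instead of Central Administration. This is an added example, not part of the original post; the URL, provider name and e-mail address are the ones used above, and the cmdlets are standard SharePoint 2010 ones.

```powershell
# Added example: PowerShell equivalent of the Central Administration steps above,
# with a read-back check at the end so you can confirm the change before logging on.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://app-claims.adcorp.lab:446/"
$stsName   = "ADCORP ADFS v2 STS"        # trusted identity provider created earlier
$adminId   = "ADM.ROOT@ADCORP.LAB"       # e-mail address = the identity claim

# 1. Default zone: trusted identity provider only (no Windows authentication)
$sts      = Get-SPTrustedIdentityTokenIssuer -Identity $stsName
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $provider

# 2. Primary site collection administrator: a federated claims ID, not a Windows account
$claim = New-SPClaimsPrincipal -Identity $adminId -TrustedIdentityTokenIssuer $sts
Set-SPSite -Identity $webAppUrl -OwnerAlias $claim.ToEncodedString()

# 3. Read back what was configured
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$iis  = (Get-SPWebApplication -Identity $webAppUrl).IisSettings[$zone]

"Windows integrated auth enabled : " + $iis.UseWindowsIntegratedAuthentication   # expect False
"Claims providers on Default zone: " + (($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ", ")

$owner = (Get-SPSite -Identity $webAppUrl).Owner.LoginName
"Primary site collection admin   : " + $owner
if ($owner -notlike "i:*") {
    Write-Warning "Owner is not a claims login; check the trusted identity provider and the identity claim value."
}
```

Run this in an elevated SharePoint 2010 Management Shell on a farm server; if the owner still resolves to a Windows account after step 2, the e-mail address does not match what the provider issues as identity claim.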

For the next part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 5)




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



