Identifierclaim in SPTrustedIdentityTokenIssuer #1328
Comments
Manually installing using this PowerShell did work and made it DSC compliant:
```powershell
$realm = "urn:sharepoint:sp1"
$wsfedurl = "https://login.microsoftonline.com/[GUID removed]/wsfed"
$filepath = "C:\cert.cer"
# Load the token-signing certificate and trust it in the farm
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
# Map each incoming claim type to the local claim type used by SharePoint
$map = @()
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$map += New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -LocalClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Create the token issuer; the identifier claim is given as the incoming claim type
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "Azure AD Identity provider" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
```
Hi @bartvermeersch, Since your manual actions corrected this, this must be in the Set method. To check where exactly this goes wrong, do you have more of the Verbose output for me?
@bartvermeersch Could you provide the Verbose output, so I can check the code where this goes wrong?
UPDATE: Correction to my first conclusion. Have checked the inner workings a little more and the error is in the code. Found the root cause for this issue: In the Set method, this code creates an array with Claims Mappings:
Lines 283 to 299 in 8214236
The next block of code then checks if the specified IdentifierClaim matches a MappedClaimType in any of the claims in the array:
Lines 283 to 299 in 8214236
This is where the code fails. It should check against the InputClaimType property instead of the MappedClaimType property. Will update the code and submit a PR!
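The mismatch described in the comment above, reproduced offline as an added example (not the project's own code and not written by any commenter). Plain objects stand in for the claim mappings, `Test-IdentifierClaim` is a hypothetical helper, and the claim types are the ones from the script earlier in the thread.

```powershell
# Constructed sample data: plain objects standing in for SharePoint claim
# mappings, using the InputClaimType / MappedClaimType property names
# mentioned in the comment above. No SharePoint cmdlets are required.
$ns = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$claimsMappings = @(
    [pscustomobject]@{ InputClaimType = "$ns/name";         MappedClaimType = "$ns/upn" }
    [pscustomobject]@{ InputClaimType = "$ns/emailaddress"; MappedClaimType = "$ns/emailaddress" }
)

# Hypothetical helper: $true when the identifier claim equals the chosen
# property on at least one mapping in the array.
function Test-IdentifierClaim
{
    param
    (
        [Parameter(Mandatory = $true)]
        [object[]] $Mappings,

        [Parameter(Mandatory = $true)]
        [string] $IdentifierClaim,

        [Parameter(Mandatory = $true)]
        [ValidateSet('InputClaimType', 'MappedClaimType')]
        [string] $Property
    )

    $hits = @($Mappings | Where-Object { $_.$Property -eq $IdentifierClaim })
    return ($hits.Count -gt 0)
}

# Run both comparisons for each incoming claim type that could be chosen
# as the identifier claim.
foreach ($candidate in $claimsMappings.InputClaimType)
{
    [pscustomobject]@{
        IdentifierClaim    = $candidate
        MatchesMappedClaim = Test-IdentifierClaim -Mappings $claimsMappings `
            -IdentifierClaim $candidate -Property MappedClaimType
        MatchesInputClaim  = Test-IdentifierClaim -Mappings $claimsMappings `
            -IdentifierClaim $candidate -Property InputClaimType
    }
}
```

The two comparisons only disagree for a mapping whose incoming and local claim types differ, such as the `name` to `upn` mapping used in this issue.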
Sorry I didn't follow up, I had to switch projects. Thank you @ykuijs for the fix! (I also missed the issue in the code)
I'm trying to configure an SPTrustedIdentityTokenIssuer but I always get the error:
IdentifierClaim does not match any claim type specified in ClaimsMappings.
What am I missing?