Question

I have a High Trust Provider hosted app using the configuration and claims helper from this blog post.

The app can authenticate as app only, but when I pass in the user information I get "There was an error: Access denied. You do not have permission to perform this action or access this resource." The SharePoint logs show that my user is being resolved as the Windows user, not the SAML user. This is further proven by the fact that if I add the Windows account, the app will authenticate and provide me with the user context. What am I doing wrong?

JWT token:

{
    "upn": "dpalfery@ssolab.local", 
    "nii": "trusted:adfs", 
    "aud": "00000003-0000-0ff1-ce00-000000000000/portal.ssolab.local@ab32783d-87a4-4705-ba23-ae2ec8134272", 
    "iss": "8a7656d9-a909-4304-9c3f-0320b175015e@ab32783d-87a4-4705-ba23-ae2ec8134272", 
    "exp": "1395592109", 
    "actortoken": "<decoded below>", 
    "nbf": "1395591509"
}
{
    "upn": "dpalfery@ssolab.local", 
    "identityprovider": "trusted:ADFS", 
    "iss": "8a7656d9-a909-4304-9c3f-0320b175015e@ab32783d-87a4-4705-ba23-ae2ec8134272", 
    "smtp": "dpalfery@ssolab.local", 
    "trustedfordelegation": "true", 
    "exp": "1455591509", 
    "nameid": "8a7656d9-a909-4304-9c3f-0320b175015e@ab32783d-87a4-4705-ba23-ae2ec8134272", 
    "nbf": "1395591509", 
    "aud": "00000003-0000-0ff1-ce00-000000000000/portal.ssolab.local@ab32783d-87a4-4705-ba23-ae2ec8134272"
}

SharePoint Log:

03/23/2014 10:37:45.70 w3wp.exe (0x0B1C) 0x282C SharePoint Foundation Application Authentication ahkpt Medium SPApplicationAuthenticationModule Authentication finished successfully for user:0#.w|ssolab\dpalfery and actor:0i.t|ms.sp.ext|8a7656d9-a909-4304-9c3f-0320b175015e@ab32783d-87a4-4705-ba23-ae2ec8134272 401c809c-043a-2027-b3cc-8517dffcb09a


Solution

You didn't specify enough info to be 100% sure, but it is likely one of the following:

  • Need to specify -IsTrustBroker when creating the SPTrustedSecurityTokenIssuer
  • User is not found in the user profile application (discussed in Steve's post)
  • The identity claim is not unique in the user profile application. (Steve explicitly calls this out -- cannot have both claim user and windows user.)
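A diagnostic script that checks the three causes listed above from the farm side, added here as an example and not part of the original answer. It assumes a SharePoint 2013 farm with the SharePoint snap-in, and the issuer name, trusted identity provider name and site URL are placeholders you would substitute from your own registration; the encoded claim string it derives is computed by SharePoint itself rather than assumed.

```powershell
# Added example (not from the question or answer). Placeholder names below must be
# replaced with the values used when the issuer and trust were registered.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

$issuerName   = "HighTrustIssuer"              # placeholder: Name given to New-SPTrustedSecurityTokenIssuer
$trustName    = "ADFS"                         # placeholder: SPTrustedIdentityTokenIssuer behind "trusted:adfs"
$siteUrl      = "https://portal.ssolab.local"  # host taken from the token's aud claim
$upn          = "dpalfery@ssolab.local"        # from the token's upn claim
$windowsLogin = "ssolab\dpalfery"              # the account the log shows being resolved instead

# 1. The S2S issuer must be a trust broker before SharePoint will honour the actor token
#    on behalf of a user. -IsTrustBroker on Set-SPTrustedSecurityTokenIssuer is assumed here;
#    removing and re-creating the issuer with -IsTrustBroker is the alternative.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if (-not $issuer) { throw "Issuer '$issuerName' is not registered" }
if (-not $issuer.IsTrustBroker) {
    Write-Warning "Issuer '$issuerName' is not a trust broker; user-context calls will fail."
    Set-SPTrustedSecurityTokenIssuer -Identity $issuer -IsTrustBroker
}

# 2. Derive the claims-encoded login SharePoint expects for the SAML user (e.g. i:0e.t|adfs|upn)
#    and the Windows login from the log (i:0#.w|domain\user), using SharePoint's own encoder.
$trust      = Get-SPTrustedIdentityTokenIssuer $trustName
$claimLogin = (New-SPClaimsPrincipal -Identity $upn -TrustedIdentityTokenIssuer $trust).ToEncodedString()
$winLogin   = (New-SPClaimsPrincipal -Identity $windowsLogin -IdentityType WindowsSamAccountName).ToEncodedString()
Write-Host "Expected claims login : $claimLogin"
Write-Host "Windows login in log  : $winLogin"

# 3. The user profile application must contain the SAML identity, and it must be the only
#    profile matching the identity claim; a Windows profile alongside it is ambiguous.
$site = Get-SPSite $siteUrl
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
$hasClaimsProfile  = $upm.UserExists($claimLogin)
$hasWindowsProfile = $upm.UserExists($winLogin)
$site.Dispose()

if (-not $hasClaimsProfile) {
    Write-Warning "No user profile for $claimLogin; the actor token cannot be mapped to the SAML user."
}
if ($hasClaimsProfile -and $hasWindowsProfile) {
    Write-Warning "Both $claimLogin and $winLogin have profiles; the identity claim is not unique."
}
if ($hasClaimsProfile -and -not $hasWindowsProfile -and $issuer.IsTrustBroker) {
    Write-Host "Issuer and profile checks pass; inspect the token's nii/upn claims next."
}
```

Run it from the SharePoint Management Shell as a farm administrator with rights on the user profile service application; the warnings map one-to-one onto the three bullets above.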
Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange