Integration Sharepoint 2010, ADFS 2.0 and ThinkTecture IdentityServer

Question

I have the following scenario:

• Sharepoint 2010 with Claims based authentication web application.
• ADFS 2.0 which has configured Claims provider trust to the ThinkTecture IdentityServer.
• ThinkTecture IdentityServer which has configured ADFS 2.0 as a relying party.
• Sharepoint 2010 has SPTrustedIdentityTokenIssuer configured pointing to ADFS 2.0.

Now when I'm loging to the Sharepoint, I'm redirected to the ADFS 2.0 Home Realm page, when I choose Identity Provider. Then I'm redirected to the ThinkTecture IdentityServer. Then I'm logged with my credentials from IdentityServer and I'm redirected back to the ADFS and then to the Sharepoint. The problem is, that sharepoint show error message. I'am adding log records from sharepoint:

Authenticated with login provider. Validating request security token.

Trusted login provider 'SAML2 Provider' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest()

Access Denied: Authentication is required.

I was find out, that the token returned from Identity Server to ADFS contains emailaddress claim, but the token returned from ADFS to SP does not. It is a strange, because I have ADFS configured to support emailaddress to pass through for all claims (in Claims provider trust for identity server). Do I need to setup adfs somewhere else? I am newbie in adfs.

What I want to achieve is to forward my request through the ADFS to the IdentityProvider (in this case ThinkTecture IdentityServer) and to get back the token from IdentityProvider. ThinkTecture IdentityServer is only in my test environment in the real environment it will replaced by Oracle Identity Federation.

The target problem is to integrate Sharepoint 2010 with the Oracle Identity Federation. But the problem is, that the Sharepoint doesn't support SAML 2 protocol which OIF will provides as exclusive endpoint binding. So I'm trying to hack it with the ADFS (as a somethinkg like proxy) which will communicate with Sharepoint based on the SAML 1.1 on one side and with the OIF based on the SAML 2 on other side.

This is the following extract from IdP metadata:

<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">... 

So I have no option to use WS-Federation.

I will appreciate advise if this is a good way how to achieve the required behaviour.

thanks

Answer 1

So your path is SP -> ADFS -> IdentityServer?

The problem is that the email address is not being passed through. So you have to set up IdentityServer to generate the email address claim and you have to setup ADFS to pass through all claims. Then configure SP to accept email address as a claim (using the SP Powershell commands).

Add: You need to create pass through claim rules for the email claim in ADFS - both for the claims provider trust and the relying party trust.

OIF supports WS-Federation - refer ORACLE IDENTITY FEDERATION 11g R2 - so no problem to federate OIF with SP.