Modify Claims For SharePoint SSO Through PortalGuard

Problem

You need more claims available from within SharePoint after integrating with PortalGuard for Single Sign-On.

Solution

Update the PortalGuard IdP to send along additional claims AND update the SharePoint environment to handle said claims.

On the SharePoint Application Server:

Use the 'SharePoint Management Shell' to update the existing TrustedIdentityTokenIssuer for PortalGuard:

  1. Launch the 'SharePoint Management Shell' as the SharePoint Farm Admin.

  2. Get a handle to the token issuer using the following command:

    • $ti = Get-SPTrustedIdentityTokenIssuer PortalGuard

  3. Update the available claim types:

    • Note: In PortalGuard terms, the 'claim types' here should match the 'schema types' you will use in the On the PortalGuard Server section below.

    • The commands to run use the following format: $ti.ClaimTypes.Add("SCHEMA-TYPE"). Replace the SCHEMA-TYPE placeholder with the appropriate schema type for each new claim. The examples below are for three non-standard claims: Given Name, Surname, Common Name:

      • $ti.ClaimTypes.Add("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")

      • $ti.ClaimTypes.Add("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")

      • $ti.ClaimTypes.Add("http://schemas.xmlsoap.org/claims/CommonName")

  4. To apply these changes to the current instance of the token issuer, run the following command:

    • $ti.Update()

  5. You can view the entire object by running the following command:

    • $ti

      • The object doesn't show the entire list of claim types, as it is too long, but you should see an initial approximation:

  6. Next, you'll need to create the claim type info/mapping. Using the three claims from step #3 above, we'll use the following commands (NOTE: Two commands exist for each new claim - a command to define the mapping, and a command to add it to the Token Issuer):

    • $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "First Name" -SameAsIncoming

    • $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Last Name" -SameAsIncoming

    • $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/CommonName" -IncomingClaimTypeDisplayName "CommonName" -SameAsIncoming

      • NOTE: For claims other than the ones used for our example, you'll need to update the 'IncomingClaimType' mapping to the appropriate schema type as defined when you completed step #3. You'll also need to update the 'IncomingClaimTypeDisplayName' values accordingly.

    • Add-SPClaimTypeMapping -Identity $map1 -TrustedIdentityTokenIssuer $ti

    • Add-SPClaimTypeMapping -Identity $map2 -TrustedIdentityTokenIssuer $ti

    • Add-SPClaimTypeMapping -Identity $map3 -TrustedIdentityTokenIssuer $ti

  7. Run the $ti command again to view the entire Token Issuer object. The 'ClaimTypeInformation' section should now reflect the new claims, using the display name defined in the previous step.

    • NOTE: Just as we noted in step #5, some information may be truncated if there is too much data.

      • You can also use the following command to list all claim types for a token issuer:

        • foreach ($c in $ti.ClaimTypes){$c}
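The following script is an added example, not part of the original article, that performs steps 2 through 7 above for the three example claims in one idempotent pass: it skips claim types and mappings that already exist (re-running the article's commands verbatim would add duplicates), then lists every claim type and mapping without the truncation of the default $ti view. It assumes the token issuer is named "PortalGuard" as in the article and that the script runs in the SharePoint Management Shell; the $claims table is the only thing to change for other schema types.

```powershell
# Added example (not from the original article): idempotent version of steps 2-7.
# Loads the SharePoint snap-in in case this is run outside the Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Schema type (IncomingClaimType) -> display name SharePoint will show for the claim.
# These schema types must match the 'Schema Type' values configured in PortalGuard.
$claims = @{
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" = "First Name"
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"   = "Last Name"
    "http://schemas.xmlsoap.org/claims/CommonName"                    = "CommonName"
}

# Step 2: get a handle to the PortalGuard token issuer (name assumed from the article).
$ti = Get-SPTrustedIdentityTokenIssuer "PortalGuard"

# Step 3: register each claim type, but only once.
foreach ($schemaType in $claims.Keys) {
    if ($ti.ClaimTypes -notcontains $schemaType) {
        $ti.ClaimTypes.Add($schemaType)
        Write-Host "Added claim type: $schemaType"
    } else {
        Write-Host "Claim type already registered, skipping: $schemaType"
    }
}

# Step 4: persist the claim types before any mapping refers to them.
$ti.Update()

# Step 6: create and attach a mapping only when no mapping for that incoming type exists.
foreach ($schemaType in $claims.Keys) {
    $existing = $ti.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $schemaType }
    if (-not $existing) {
        $map = New-SPClaimTypeMapping -IncomingClaimType $schemaType `
            -IncomingClaimTypeDisplayName $claims[$schemaType] -SameAsIncoming
        Add-SPClaimTypeMapping -Identity $map -TrustedIdentityTokenIssuer $ti
        Write-Host "Mapped $schemaType as '$($claims[$schemaType])'"
    } else {
        Write-Host "Mapping already exists, skipping: $schemaType"
    }
}

# Step 7: re-read the issuer and print the full lists instead of the truncated $ti view.
$ti = Get-SPTrustedIdentityTokenIssuer "PortalGuard"
Write-Host "`nClaim types on issuer:"
$ti.ClaimTypes | ForEach-Object { $_ }
Write-Host "`nClaim type mappings (display name -> incoming -> mapped):"
$ti.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType |
    Format-Table -AutoSize
```

Because each mapping uses -SameAsIncoming, SharePoint will accept whatever value PortalGuard asserts for that schema type, so the 'Field Name' chosen on the PortalGuard side determines how trustworthy the claim is inside SharePoint. Map only the claims SharePoint actually needs.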

On the PortalGuard Server

Modify the SharePoint relying party within the Identity Provider Configuration Editor:

  1. Open the Identity Provider Configuration Editor and edit the SharePoint relying party configuration.

    • The configuration for SharePoint should be located under the 'SAML Websites' tab.

  2. Navigate to the 'Identity Claims' tab and click the 'Create' button:

    • NOTE: The default configuration for SharePoint uses two claims: Email and Roles (groups). We'll be configuring three additional claims as noted in the previous section: Given Name, Surname, Common Name. The claim information may change for your environment, but the overall process should remain the same.

  3. Fill in the appropriate values for 'Name', 'Schema Type', and 'Field Name'. These values should reflect the claim that you are sending to SharePoint, and the 'Schema Type' should match what was defined in step #3 of the On the SharePoint Application Server section above.

    • This screenshot shows the matching config for 'GivenName'. Simply duplicate the same for the remaining claims, updating each field appropriately.

  4. Once completed, the 'Identity Claims' tab should resemble the following:

  5. Save the changes to the Relying Party configuration.

  6. Apply/Sync the changes to begin testing!