ADFS 2.0, SAML 2.0, and SharePoint 2013 – Limitations, Issues, and Workarounds

I have recently configured a large SharePoint 2013 on-premises farm on Windows Server 2008 R2 with ADFS 2.0 as the SAML identity provider. While configuring the SharePoint 2013 and ADFS 2.0 integration we came across a number of issues and limitations. This article lists the ADFS 2.0 integration issues you are likely to come across, together with the workarounds and approaches we used.

ADFS Integration Issues => Fixes & Workarounds

  • Users can sign in with both domain\user and e-mail formats at the Windows logon prompt (ADFS 2.0 presents the Windows integrated prompt by default for intranet clients)
    • Work with the ADFS team on customizing the ADFS login page – you can present a forms UI instead of the raw Windows prompt and control which identifier format users enter
  • User Profile Sync, the Welcome control, existing user profiles, the User Information List, and My Sites cleanup/migration (existing Windows-claims identities are not the same principals as the new SAML-claims identities)
    • Configure a new UPS synchronization connection for the ADFS SAML provider
    • Map the user profile property used as the Claim User Identifier to the claims provider identifier (e.g. Mail, when the e-mail address is the identifier claim)
    • Welcome control: make sure profiles carry a full (display) name, otherwise the raw identifier claim is shown as the user's name
  • Search crawl (the crawler cannot complete an interactive SAML sign-in)
    • Extend the web application into another zone and use NTLM as the authentication provider for that zone; crawl that zone
  • People Picker resolves everything (a SAML provider has no directory to validate input against, so any string typed is accepted as a user)
    • You must create a custom People Picker (claims) provider
    • Scenarios to test => My Site mentions, Community Site mentions, Intranet/My Site security group membership, the Sharing feature, SkyDrive sharing, Central Admin security group membership
  • The Sign Out and "Sign in as Different User" options don't work with the SAML provider
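The two workarounds above that are plain farm configuration (the claim mappings with e-mail as the identifier claim, and the NTLM zone for the crawler) can be scripted. The following PowerShell is an added example and not a script from the original post; the ADFS host name, realm, certificate path, web application URL and crawl host header are assumed values that you would replace with your own. The UPS property mapping for the Claim User Identifier is done in Central Admin and is not shown here.

```powershell
# Added example, not from the original post. Run in the SharePoint 2013 Management Shell
# on a farm server with an account that has farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Assumed values (replace with your own) ---
$adfsHost  = "adfs.contoso.com"                   # assumption: ADFS 2.0 federation service FQDN
$realm     = "urn:sharepoint:intranet"            # assumption: must equal the RP identifier configured in ADFS
$certPath  = "C:\certs\adfs-token-signing.cer"    # assumption: exported ADFS token-signing certificate
$webAppUrl = "https://intranet.contoso.com"       # assumption: existing SAML web application (Default zone)
$crawlHost = "intranet-crawl.contoso.com"         # assumption: host header for the NTLM crawl zone

# 1. Trust the ADFS token-signing certificate at the farm level.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS 2.0 Token Signing" -Certificate $cert | Out-Null

# 2. Claim mappings. E-mail is the identifier claim, so the UPS "Claim User Identifier"
#    property must later be mapped to Mail for profile sync to match these users.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register ADFS as a trusted identity token issuer (the "SAML provider" in the post).
#    The sign-in URL is the ADFS WS-Federation passive endpoint; SharePoint 2013 speaks
#    WS-Federation with SAML 1.1 tokens, not the SAML 2.0 protocol.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0" `
    -Description "ADFS 2.0 trusted identity provider" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Extend the web application into a second zone that uses NTLM so the search crawler
#    can authenticate without the interactive SAML sign-in. The Default zone stays on ADFS.
$ntlmAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplicationExtension -Name "Intranet - Crawl (NTLM)" `
    -Identity $webAppUrl `
    -Zone "Intranet" `
    -URL "https://$crawlHost" `
    -HostHeader $crawlHost `
    -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $ntlmAuth | Out-Null

# 5. Summary of what was created, useful for a change record.
$webApp = Get-SPWebApplication $webAppUrl
$webApp.IisSettings.Keys | ForEach-Object {
    "{0,-10} {1}" -f $_, $webApp.IisSettings[$_].ServerBindings[0].HostHeader
}
"Identifier claim: " + $issuer.IdentifierClaim
```

Two caveats a practitioner will hit with step 4. Point the search content source at the NTLM zone URL (https://intranet-crawl.contoso.com in the assumed values), not at the Default zone, and give the default content access account read access there; and add a server name mapping in the Search Service Application so crawled URLs are rewritten to the SAML zone in results, otherwise users get links to a zone that will prompt them for NTLM. The realm in step 3 must match the relying party identifier on the ADFS side character for character, or ADFS will answer with a "relying party not found" error rather than a token.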

ADFS Integration Issues => Hard Limitations without resolutions

  • SharePoint-hosted Apps – app webs live on a wildcard app domain, and ADFS 2.0 cannot match a wildcard relying party realm (each app web URL would need its own relying party), so SharePoint-hosted apps cannot be served through the ADFS 2.0 zone

Hopefully this will make you aware of potential issues during the planning phase instead of the final QA or UAT phase. If I have missed any limitations of ADFS 2.0 and SharePoint 2013 integration, please feel free to add value by leaving a comment on this article.

This entry was posted in ADFS, SharePoint 2013, SP2013 Admin.

5 Responses to ADFS 2.0, SAML 2.0, and SharePoint 2013 – Limitations, Issues, and Workarounds

  1. Good one! May I know the reason why you preferred W2K8 server?

    • Nik Patel says:

      I am finally pushing out some of my past unpublished blogs which haven't been published since last fall. We had started this project in Q1 2013 and mostly it's because of ADFS support for SharePoint 2013. We could have used Windows Server 2012 but the customer didn't want to roll out Windows Server 2012 at that time. Even with Windows Server 2012, we would have had the same issue.

      On a side note, Windows Server 2012 R2 & ADFS 3.0 hadn't been released at that time.

  2. eissaly says:

    Instead of extending the web app, I prefer to keep one zone and bypass the sign-in dropdown (which would never be used by humans anyway). In that case, you have to hide the "AD" provider from the people picker, which is documented on TechNet.

  3. eissaly says:

    I posted it on another thread 🙂
    Here it is: https://msdn.microsoft.com/en-us/library/office/hh237665(v=office.14).aspx

    On the subject of limitations,
    – You also can't make a wildcard RP (*.contoso.com/_trust) with ADFS 2. You have to use ADFS 3 (2012 R2)
    – You also can't deploy the 2012 R2 Web Application Proxy role with ADFS 2. Stick with TMG 🙂

    Finally, SPS 2013 (not yet sure about 2016) doesn't support SAML 2.0, so you can't directly auth to AAD from SharePoint on-prem. You have to use plumbing, usually with ADFS (WS-Fed, SAML 1.1), or with ACS. I heard rumors ACS as an auth provider will be going down the drain, so I'd stick to ADFS 🙂
