Yvand / LDAPCP

A claims provider to connect SharePoint Subscription / 2019 / 2016 with Active Directory and LDAP directories in federated authentication
https://ldapcp.com
Apache License 2.0

Confusion by using LDAPCP with SharePoint Subscription Edition #173

Closed TarikBoukhris closed 1 year ago

TarikBoukhris commented 1 year ago

Hi Yvan,

I hope you are doing well!

I'm a little bit confused about the usage of LDAPCP with the SharePoint Subscription Edition ... According to this doc https://learn.microsoft.com/en-us/sharepoint/administration/enhanced-people-picker-for-trusted-authentication-method it is possible to use the User Profile Service Application for the People Picker: it creates an internal claim provider and uses it to check the UPA.

Then do we still need LDAPCP for SAML authentication and People Picker search for that version of SharePoint?

Also I'm facing an error with the authentication. I configured a MIM synchronization with the UPA. I tried both LDAPCP and the internal claim provider as described in the doc above, but I'm unable to connect to my SharePoint site; I get this kind of error in the ULS logs:

STS Call: Failed to issue new security token. Exception: 'System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2.ValidateTrustedLoginRequest(SPRequestSecurityTokenV2 request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2.InitializeForFederationAuthType(SPRequestSecurityTokenV2 request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenServiceV2.Issue(ClaimsPrincipal principal, RequestSecurityToken request)'.

An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..

Exception reading oidc token from reader Exception : System.InvalidOperationException: The ReadContentAsBase64 method is not supported on node type Element. If you want to read typed content of an element, use the ReadElementContentAs method.

Trusted login provider is not sending configured input identity claim type. ProviderName: 'SAML Provider for SharePoint', InputClaimType: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'.

Throwing fault exception because there is no identity claim.

Do you have any idea, how to fix this?

Many thanks for your help

Yvand commented 1 year ago

Hi @TarikBoukhris, it is up to you to use either LDAPCP or the new claims provider introduced with SharePoint Subscription, but they cannot be used in parallel.

Regarding your error, sorry, I have never seen it before, but I can guess that something is wrong in the JWT token. It does not seem to be related to the signature/certificate, since I would expect an explicit error for this case.
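One way to check which of the two options a trust is actually bound to, and which identity claim the farm expects the provider to send, as an added diagnostic example that is not part of this thread or of the LDAPCP project. It assumes the SharePoint Management Shell on a farm server, the trust name quoted in the ULS entry above, and the SPTrustedIdentityTokenIssuer properties ClaimProviderName (set by LDAPCP when it is bound to a trust) and UseUPABackedClaimProvider (the switch used by the Microsoft doc for the built-in UPA-backed people picker in Subscription Edition); the latter property name is taken from that doc and should be verified against your farm's object.

```powershell
# Added diagnostic example, not code from the LDAPCP project or from this issue.
# Assumes: SharePoint Management Shell on a farm server; trust name taken from the ULS line above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPTrustClaimProviderBinding {
    param([Parameter(Mandatory)][string]$TrustName)

    $trust = Get-SPTrustedIdentityTokenIssuer -Identity $TrustName -ErrorAction Stop

    # The identity claim the STS requires in every token issued through this trust.
    # When the token lacks it, ULS logs "Trusted login provider is not sending configured
    # input identity claim type" followed by "there is no identity claim".
    $idClaim = $trust.IdentityClaimTypeInformation
    $result = [ordered]@{
        Trust                     = $trust.Name
        InputIdentityClaim        = $idClaim.InputClaimType
        MappedIdentityClaim       = $idClaim.MappedClaimType
        # Custom claims provider bound to the trust (LDAPCP writes its own name here).
        ClaimProviderName         = $trust.ClaimProviderName
        # Built-in UPA-backed claims provider of Subscription Edition (property name assumed from the MS doc).
        UseUPABackedClaimProvider = $trust.UseUPABackedClaimProvider
        Status                    = 'OK'
    }

    # The two options are exclusive: a custom provider and the UPA-backed provider cannot serve the same trust.
    if ($trust.UseUPABackedClaimProvider -and -not [string]::IsNullOrEmpty($trust.ClaimProviderName)) {
        $result.Status = "CONFLICT: both '$($trust.ClaimProviderName)' and the UPA-backed claims provider are enabled; keep only one"
    }
    elseif (-not $trust.UseUPABackedClaimProvider -and [string]::IsNullOrEmpty($trust.ClaimProviderName)) {
        # Without any claims provider, the people picker accepts whatever is typed without validating it.
        $result.Status = 'No claims provider bound: people picker will not validate entries against a directory'
    }

    # Every claim type the trust accepts, to compare with the claims the IdP/RP actually issues.
    $result.AcceptedClaimTypes = ($trust.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }) -join ', '
    return [pscustomobject]$result
}

# Trust name as it appears in the ULS entry quoted in the question.
Test-SPTrustClaimProviderBinding -TrustName 'SAML Provider for SharePoint' | Format-List
```

Compare InputIdentityClaim with the claims your identity provider (or the relying-party configuration in front of it) really emits: the "no identity claim" fault in the question means the token reached the STS without that exact claim type, which is a provider-side claim rule problem rather than an LDAPCP one.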

TarikBoukhris commented 1 year ago

Thank you, Yvan!

This is very clear now. I configured the claims provider with SharePoint Subscription and it works as expected for our use case. Concerning the error, it was an issue at the RP not doing the federation correctly.

It's fixed now!

Thank you again