Thursday, April 26, 2012

Migrating from Windows Claims to SAML Claims

If you have read Steve Peschka's blog post on migrating Windows Claims to SAML Claims, you probably know that the recommended solution is to write custom .NET code to perform the user migration:   http://blogs.technet.com/b/speschka/archive/2011/01/27/migrating-user-accounts-from-windows-claims-to-saml-claims.aspx

However, I have found an alternative workaround which is relatively painless, though risky, because it deletes and re-creates the Web Application.  Take a Web Application backup or a Farm-level backup before starting; it is your only rollback path if the steps below go wrong:

  1. Make note of all of your Content Databases (names and SQL Server instance) and IIS Settings (IIS Web Site name, path, port and host header).  Also make note of your Web Application settings (URL, application pool and its account, and the current authentication configuration).  
  2. Delete your existing Web Application which is currently configured for Windows Claims-based Authentication.  When deleting the Web Application, DO NOT delete the associated IIS Web Site and Content Databases.
  3. Now re-create the Web Application with standard Windows (classic mode, NTLM) authentication and enter the previous Web Application settings, connect to the existing IIS Web Site and enter the previous Content Database name so the existing databases are re-attached.
  4. Run Microsoft's PowerShell script for converting a classic-mode Web Application to claims-based authentication:   http://technet.microsoft.com/en-us/library/gg251985.aspx   The script sets UseClaimsAuthentication on the Web Application, adds a Full Control user policy, calls MigrateUsers($true) to rewrite the stored account names, and re-provisions the Web Application.
  5. Open User Policy for your Web Application in Central Administration and add the SAML-format identities that need Full Control (for example, the accounts that will act as Site Collection Administrators).  User Policy grants rights at the Web Application level; Site Collection Administrators themselves are set per Site Collection.
  6. Verify that the other User IDs in the various Site Collections have been migrated to the SAML Claims user name format.  Logins should now start with i:05.t| (SAML identity claim) rather than i:0#.w| (Windows identity claim) or DOMAIN\user (classic account); any account still in one of the old formats was not migrated.
  7. If all went well, you have successfully migrated from Windows Claims to SAML Claims without writing a single line of custom .NET code!
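The following PowerShell is an added example for the procedure above; it is neither Microsoft's conversion script from step 4 nor code from the original post.  It covers the three places where a practitioner wants something scripted: recording the settings step 1 asks for before the Web Application is deleted, building the encoded SAML identity string that the User Policy in step 5 needs, and classifying every site user's login for the verification in step 6.  The Web Application URL, backup share, trusted identity token issuer name and admin identity are assumed values for illustration; it only uses documented SharePoint 2010 cmdlets and object-model members and stays PowerShell 2.0 compatible, since that is what the SharePoint 2010 Management Shell runs.

```powershell
# Added example for the migration procedure above (not Microsoft's script, not the post author's code).
# Assumed values: web application URL, backup share, SPTrustedIdentityTokenIssuer name, admin identity.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: record the settings needed to re-create the web application, and back it up.
function Save-WebAppRecord {
    param([string]$WebAppUrl, [string]$BackupDir)
    $wa  = Get-SPWebApplication -Identity $WebAppUrl
    $iis = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $record = New-Object PSObject -Property @{
        Url              = $wa.Url
        DisplayName      = $wa.DisplayName
        AppPool          = $wa.ApplicationPool.Name
        AppPoolAccount   = $wa.ApplicationPool.Username
        ClaimsEnabled    = $wa.UseClaimsAuthentication
        IisSiteName      = $iis.ServerComment
        IisPath          = $iis.Path.FullName
        ContentDatabases = @(Get-SPContentDatabase -WebApplication $wa |
                             ForEach-Object { "$($_.Server)\$($_.Name)" })
    }
    $record | Export-Clixml -Path (Join-Path $BackupDir "webapp-settings.xml")
    # Backup-SPFarm -ShowTree prints the exact component name if the display name is ambiguous.
    Backup-SPFarm -Directory $BackupDir -BackupMethod Full -Item $wa.DisplayName
    return $record
}

# Step 5: grant Full Control on the (re-created) web application to a SAML-format identity.
function Grant-SamlFullControl {
    param([string]$WebAppUrl, [string]$IssuerName, [string]$Identity)
    $wa     = Get-SPWebApplication -Identity $WebAppUrl
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    # Encoded form is i:05.t|<issuer>|<identity>; this is the string User Policy stores.
    $claim  = (New-SPClaimsPrincipal -Identity $Identity -TrustedIdentityTokenIssuer $issuer).ToEncodedString()
    $policy = $wa.Policies.Add($claim, $Identity)
    $role   = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($role)
    $wa.Update()
    return $claim
}

# Step 6: classify every site user by login prefix so unmigrated accounts stand out.
function Test-ClaimsMigration {
    param([string]$WebAppUrl)
    $wa   = Get-SPWebApplication -Identity $WebAppUrl
    $rows = @()
    foreach ($site in (Get-SPSite -WebApplication $wa -Limit All)) {
        try {
            foreach ($u in $site.RootWeb.SiteUsers) {
                $kind = switch -regex ($u.UserLogin) {
                    '^SHAREPOINT\\system$' { 'System account (never migrated)'; break }
                    '^i:05\.t\|'           { 'SAML identity claim'; break }
                    '^i:0#\.w\|'           { 'Windows identity claim (NOT migrated)'; break }
                    '^c:'                  { 'Group or role claim'; break }
                    '^[^|]+\\[^|]+$'       { 'Classic account (NOT migrated)'; break }
                    default                { 'Other'; break }
                }
                $rows += New-Object PSObject -Property @{
                    Site = $site.Url; Login = $u.UserLogin; Kind = $kind
                }
            }
        } finally { $site.Dispose() }
    }
    return $rows
}

# Usage, in the SharePoint 2010 Management Shell as a farm administrator (assumed values):
# Save-WebAppRecord -WebAppUrl "http://intranet.contoso.com" -BackupDir "\\fileserver\spbackup"          # before step 2
# Grant-SamlFullControl -WebAppUrl "http://intranet.contoso.com" -IssuerName "ADFS" -Identity "admin@contoso.com"   # step 5
# $r = Test-ClaimsMigration -WebAppUrl "http://intranet.contoso.com"                                       # step 6
# $r | Group-Object Kind | Select-Object Count, Name
# $r | Where-Object { $_.Kind -like '*NOT migrated*' } | Format-Table Site, Login -AutoSize
```

Run Save-WebAppRecord before step 2 and keep the exported XML beside the backup; the other two functions fetch the Web Application again by URL because any object held across the delete and re-create in steps 2 and 3 is stale.  Test-ClaimsMigration only looks at the root web of each Site Collection, which is where site users are stored, and any row tagged NOT migrated is an account that MigrateUsers did not rewrite and that needs attention before you declare step 7 done.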
