Thursday, May 16, 2013

Incoming claim types do not include Claim Type... error message in SharePoint 2010

I was working with my SharePoint development environment and I had to add new Claim Mappings to my SharePoint Server based on some new Claims that I was sending from ADFS.

One of my options was to completely remove the SP-TrustedIdentityTokenIssuer and then completely re-create it with the new Claim Mappings, but that was a bit of a hassle, so I searched for other ways to simply add new Claim Mappings.

I found a partial answer here: http://blogs.dirteam.com/blogs/tomek/archive/2010/07/14/adding-claim-mapping-to-existing-provider-in-sps-2010-part-deux.aspx

However, as soon as I followed the instructions that were provided in the article, I received the following error message: Add-SPClaimTypeMapping: Incoming claim types do not include claim type 'http://schemas.xmlsoap.org/claims/Group'

Interestingly enough, this was the same error message the article was attempting to solve!

Fortunately, I came across this other article which offered a complete solution: http://www.theidentityguy.com/articles/2010/10/19/adding-claims-to-an-existing-token-issuer-in-sharepoint-2010.html

The key point to note is that you have to add the Claim Type to the TrustedIdentityTokenIssuer first; ONLY THEN can you add the Claim Type Mapping!

 # Step 1: register the incoming claim type on the existing token issuer
 $SPTrustedIdp = Get-SPTrustedIdentityTokenIssuer "sts"
 $SPTrustedIdp.ClaimTypes.Add("http://schemas.xmlsoap.org/claims/Group")
 $SPTrustedIdp.Update()

 # Step 2: now the mapping for that claim type can be created and attached
 $GroupClaimType = "http://schemas.xmlsoap.org/claims/Group"
 $groupClaim = New-SPClaimTypeMapping -IncomingClaimType $GroupClaimType -IncomingClaimTypeDisplayName "Group" -LocalClaimType $GroupClaimType
 Add-SPClaimTypeMapping -Identity $groupClaim -TrustedIdentityTokenIssuer $SPTrustedIdp
