I was working with my SharePoint development environment and I had to add new Claim Mappings to my SharePoint Server based on some new Claims that I was sending from ADFS.
One of my options was to completely remove the SP-TrustedIdentityTokenIssuer and then completely re-create it with the new Claim Mappings, but that was a bit of a hassle, so I searched for other ways to simply add new Claim Mappings.
I found a partial answer here: http://blogs.dirteam.com/blogs/tomek/archive/2010/07/14/adding-claim-mapping-to-existing-provider-in-sps-2010-part-deux.aspx
However, as soon as I followed the instructions that were provided in the article, I received the following error message: Add-SPClaimTypeMapping: Incoming claim types do not include claim type 'http://schemas.xmlsoap.org/claims/Group'
Interestingly enough, this was the same error message the article was attempting to solve!
Fortunately, I came across this other article which offered a complete solution: http://www.theidentityguy.com/articles/2010/10/19/adding-claims-to-an-existing-token-issuer-in-sharepoint-2010.html
The key point to note is that you have to add the Claim Type to the TrustedIdentityTokenIssuer first; ONLY THEN can you add the Claim Type Mapping!
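```powershell
# Run from the SharePoint 2010 Management Shell on a farm server.
# Step 1: register the new incoming claim type on the existing token issuer ("sts").
$SPTrustedIdp = Get-SPTrustedIdentityTokenIssuer "sts"
$SPTrustedIdp.ClaimTypes.Add("http://schemas.xmlsoap.org/claims/Group")
$SPTrustedIdp.Update()

# Step 2: only now create the mapping and attach it to the issuer.
$GroupClaimType = "http://schemas.xmlsoap.org/claims/Group"
$groupClaim = New-SPClaimTypeMapping -IncomingClaimType $GroupClaimType -IncomingClaimTypeDisplayName "Group" -LocalClaimType $GroupClaimType
Add-SPClaimTypeMapping -Identity $groupClaim -TrustedIdentityTokenIssuer $SPTrustedIdp
```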