Multilogon accounts
Provide support for multilogon accounts. Currently i:0#.w|domain\jdoe logging in with Windows authentication is not the same as i:60.t|adfs|jdoe@domain.com. I need to be able to connect those accounts to ease hybridisation.

3 comments
-
Piotr Siódmak commented
I just found out there's a concept of logon and resource domains. It would be great if I could set the local AD as both logon and resource domain and ADFS as a logon domain, so that the user who logs on with ADFS is still i:0#.w|domain\user instead of i:60.t|adfs|user@domain.
http://blogs.msdn.com/b/sambetts/archive/2015/04/29/sharepoint-logon-amp-resource-ad-connections.aspx - something exactly like that, but with ADFS. Maybe allow me to pass msDS-SourceObjectDN as a claim and treat it as the Master Account.
-
Piotr Siódmak commented
The main scenario is that we want to implement ADFS, but also leave Windows auth because some older solutions are not yet ready to move to SAML authentication ("i:0#.w" is hardcoded, and some query the UserInfo list directly, so having two profiles with the same email, name or SID will confuse them). I want the users to be able to log in with ADFS (O365 credentials), but sites which are not ready for it will show "you have to log in through here [URL] to use this feature".
In that scenario I want domain\jdoe logged in through windows auth and jdoe@domain.com logged in through ADFS to be the same identity - same permissions, same mysite and same UserProfile object from User Profile Service to avoid confusion related to having two methods of entry to the system.
Also it would be helpful in a test-environment scenario, where devs are forced to have a separate AD to install ADFS 3.0; in that case I want test36\jdoe to be the same identity as company\jdoe, without two-way sync and with different SIDs, so that when I restore a site from production to test all permissions are retained and testable.
Thanks
-
Piotr, can you share a little more about your scenario? We have some key requirements for user rehydration in hybrid scenarios, mainly that the UPN of the user should match. This should be the case if the source account domain is the same, unless you are doing some claim remapping.
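The thread above turns on two encoded logon names that SharePoint treats as different principals, and on the reply's requirement that the UPN must match for them to be "rehydrated" as one user. The following is an added example, not code from the original thread and not Microsoft's implementation: it parses SharePoint claims-encoded logon names and reduces each to a canonical user@suffix so the two can be compared. Assumptions to note: the claim-type and provider-type character tables are reproduced from the published SharePoint claims-encoding rules from memory (verify them against what your farm actually emits); the trusted-provider sample uses the `5` (e-mail) claim-type character; the NetBIOS-domain-to-UPN-suffix map and all sample strings are constructed for this example.

```python
"""Parse SharePoint claims-encoded logon names and decide whether two of them
name the same person. Added example; not part of the original thread.

Encoding layout assumed here (from the published SharePoint claims-encoding
rules, reproduced from memory - verify against your farm):

    i:0#.w|DOMAIN\\user          Windows account: claim type '#', provider 'w'
    i:05.t|provider|user@host    trusted (SAML) provider, e-mail claim type '5'
    i:0e.t|provider|user@host    trusted (SAML) provider, UPN claim type 'e'

Character 1 is 'i' (identity claim) or 'c' (other claim); character 3 is the
reserved '0'; character 4 is the claim type; character 6 is the provider type.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CLAIM_TYPES = {"#": "windowsaccountname", "5": "emailaddress", "e": "upn"}
PROVIDER_TYPES = {"w": "windows", "t": "trusted", "f": "forms", "m": "membership"}

# Constructed mapping from NetBIOS domain to UPN suffix. In a real farm this
# comes from AD; it is an assumption here so the example runs offline. 'test36'
# is the separate test AD from the thread, deliberately mapped to the same
# suffix as production so the same person resolves the same way.
DOMAIN_TO_UPN_SUFFIX: Dict[str, str] = {
    "domain": "domain.com",
    "company": "domain.com",
    "test36": "domain.com",
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool
    claim_type: str
    provider_type: str
    provider: Optional[str]  # issuer name; absent for Windows accounts
    value: str


def parse_claim(encoded: str) -> EncodedClaim:
    """Split an encoded logon name into its parts; reject anything malformed."""
    if (len(encoded) < 8 or encoded[1] != ":" or encoded[2] != "0"
            or encoded[4] != "." or encoded[6] != "|"):
        raise ValueError(f"not a claims-encoded logon name: {encoded!r}")
    kind, ctype, ptype = encoded[0], encoded[3], encoded[5]
    if kind not in ("i", "c"):
        raise ValueError(f"unknown claim kind {kind!r} in {encoded!r}")
    if ctype not in CLAIM_TYPES:
        raise ValueError(f"unknown claim type {ctype!r} in {encoded!r}")
    if ptype not in PROVIDER_TYPES:
        raise ValueError(f"unknown provider type {ptype!r} in {encoded!r}")
    rest = encoded[7:]
    if ptype == "w":
        provider, value = None, rest  # Windows: value is DOMAIN\user, no issuer
    else:
        provider, sep, value = rest.partition("|")  # issuer|value
        if not sep or not provider or not value:
            raise ValueError(f"missing issuer or value in {encoded!r}")
    return EncodedClaim(kind == "i", CLAIM_TYPES[ctype], PROVIDER_TYPES[ptype],
                        provider, value)


def canonical_upn(claim: EncodedClaim,
                  domain_map: Dict[str, str] = DOMAIN_TO_UPN_SUFFIX) -> Optional[str]:
    """Reduce an identity claim to lowercase user@suffix, or None if it cannot be."""
    if not claim.is_identity:
        return None
    if claim.provider_type == "windows" and claim.claim_type == "windowsaccountname":
        domain, sep, user = claim.value.partition("\\")
        if not sep:
            return None
        suffix = domain_map.get(domain.lower())
        return f"{user}@{suffix}".lower() if suffix else None
    if claim.provider_type == "trusted" and claim.claim_type in ("emailaddress", "upn"):
        return claim.value.lower() if "@" in claim.value else None
    return None  # forms/membership or non-address claims: no UPN to compare


def same_person(a: str, b: str,
                domain_map: Dict[str, str] = DOMAIN_TO_UPN_SUFFIX) -> bool:
    """True only when both logon names reduce to the same non-empty UPN."""
    ua = canonical_upn(parse_claim(a), domain_map)
    ub = canonical_upn(parse_claim(b), domain_map)
    return ua is not None and ua == ub


if __name__ == "__main__":
    # Constructed sample logon names for the scenarios in the thread.
    print(same_person("i:0#.w|domain\\jdoe", "i:05.t|adfs|jdoe@domain.com"))
    print(same_person("i:0#.w|test36\\jdoe", "i:0#.w|company\\jdoe"))
    # A remapped UPN suffix on the ADFS side breaks the match, as the reply warns.
    print(same_person("i:0#.w|domain\\jdoe", "i:0e.t|adfs|jdoe@otherdomain.com"))
```

The Windows side is the weak link: a NetBIOS `DOMAIN\user` carries no UPN suffix, so the comparison only works with an explicit domain-to-suffix mapping, which is exactly the "claim remapping" caveat in the reply. In a real farm that lookup would be done against AD or the user profile rather than a literal dictionary; the comparison logic itself is what this example shows.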