Ship SharePoint Server 2016 with a SAML Claims-aware People Picker
I gather from Bill's "What's New for IT Professionals in SharePoint Server 2016" Ignite session that SharePoint 2016 Web Applications will leverage SAML (Trusted Identity Provider) claims by default.
When using SAML claims with SharePoint 2013, we need to deploy a Custom Claims Provider in order to resolve names (even against AD DS), which introduces a requirement for a Farm Solution. Kirk Evans discusses this here: http://blogs.msdn.com/b/kaevans/archive/2013/05/26/fixing-people-picker-for-saml-claims-users-using-ldap.aspx
Will SharePoint Server 2016 ship with an updated People Picker and Claims Provider that is natively "compatible" with SAML claims, or will a bespoke solution still be needed?
Star D. commented
Out of votes, but completely agree with Steven Perry.
SAML Claims for SQL and SSRS and an SSRS Web Part for SharePoint Online please.
Jasper Siegmund commented
Would also be nice to be able to limit the results in the people picker by a specific claim, preferably via a property set in the site collection property bag. There are ways to limit the result set on-prem based on OUs, but something similar for claims was never implemented, AFAIK?
Pranav Kothare commented
I believe that Microsoft should at least provide an OOB solution for the vanilla deployment of SharePoint + ADFS + AD and define some baseline like UPN for identity and Windows groups for roles. That way, people aren't coding/deploying the same solution repeatedly to different farms.
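As an added example, not from the original post or from any of the commenters, here is the "vanilla SharePoint + ADFS + AD" baseline Pranav describes (UPN as the identity claim, Windows groups surfaced through the Role claim) written out in SharePoint Management Shell, followed by the step the original post is about: binding a custom claims provider to the trusted identity token issuer so the People Picker resolves typed names against AD instead of accepting any string. Every concrete value is an assumption: the AD FS farm at sts.contoso.com, the realm urn:sharepoint:contoso, the signing certificate path, and a provider registered under the name "LDAPCP".

```powershell
# Added example, not code from the thread. Assumed values: AD FS farm sts.contoso.com,
# relying-party realm urn:sharepoint:contoso, the AD FS token-signing certificate exported
# to C:\certs\adfs-signing.cer, and a custom claims provider already deployed as a farm
# solution and registered under the display name "LDAPCP".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\adfs-signing.cer")

# Baseline claim mappings: UPN identifies the user; Role carries the AD group
# membership that AD FS issues from Token-Groups.
$upnMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$trust = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Contoso AD FS" `
    -Realm "urn:sharepoint:contoso" `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $upnMap, $roleMap `
    -SignInUrl "https://sts.contoso.com/adfs/ls" `
    -IdentifierClaim $upnMap.InputClaimType

# Check: is the claims provider registered and enabled in this farm? Until a provider
# is bound to the trust, the People Picker treats any typed string as a valid UPN or
# role without consulting AD, which is the problem the thread is about.
$provider = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq "LDAPCP" }
if (-not $provider) {
    throw "Claims provider LDAPCP is not registered; deploy the farm solution first."
}
if (-not $provider.IsEnabled) {
    throw "Claims provider LDAPCP is registered but disabled."
}

# Bind the provider to the trust. ClaimProviderName must match the provider's internal
# name (SPClaimProvider.Name); for this example it is assumed to also be "LDAPCP".
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

# Confirm the binding took effect.
Get-SPTrustedIdentityTokenIssuer "ADFS" |
    Select-Object Name, IdentityClaimTypeInformation, ClaimProviderName
```

Run this in the SharePoint Management Shell on a farm server, as a farm administrator, after the custom claims provider solution has been deployed; the two `throw` checks are there so the trust is never left bound to a provider name that does not exist, since a mis-named binding leaves the People Picker resolving nothing at all for that trust.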
Steven Perry commented
This should also be provided for SharePoint Online.
While not free, this Claims Provider can search/resolve objects from just about anywhere and is packed with features.
Building in ldapcp.codeplex.com would be a good start, and it supports all LDAP stores. Then adding SQL stores to this would be straightforward. You could even allow adding definitions to it to allow lookup from other stores.
Jean Marie Thia commented
The claim provider should also be able to talk to other attribute providers besides a directory, like a SQL database, a web service, or the VOOT protocol (http://openvoot.org/).
For me the actual approach is pretty good, as everything works, except that there is no way for the user to validate the entered value. If you want to constrain your users, you should then build your custom claim provider. I have put the one we are using at cnrsccp.codeplex.com
But my main concern is about the people picker itself, which is not very ergonomic; or at least we could have the Advanced picker back.
Cory Stewart commented
I definitely think this should be core to the product since claims is the cloud-first strategy.
Benjamin Athawes commented
FWIW, most of the organisations I've worked with to implement SharePoint and SAML claims *have* used AD. SAML has been used to simplify identity federation. I agree that including a directory-agnostic People Picker and Claims Provider would be unrealistic, but compatibility with AD would be a good start in my book.
Thomas Vochten commented
Although an AD-aware people picker/custom claims provider for SAML scenarios based on AD would be nice, a lot of organizations use SAML just so they don't have to use AD in the first place. Unfortunately you can't include a people picker that is aware of any possible directory out there. A good AD aware custom claims provider is the one at ldapcp.codeplex.com