SharePoint
Feedback by UserVoice

Ship SharePoint Server 2016 with a SAML Claims-aware People Picker

I gather from Bill's "What's New for IT Professionals in SharePoint Server 2016" Ignite session that SharePoint 2016 Web Applications will leverage SAML (Trusted Identity Provider) claims by default.

When using SAML claims with SharePoint 2013, we need to deploy a Custom Claims Provider in order to resolve names (even against AD DS), which introduces a requirement for a Farm Solution. Kirk Evans discusses this here: http://blogs.msdn.com/b/kaevans/archive/2013/05/26/fixing-people-picker-for-saml-claims-users-using-ldap.aspx

Will SharePoint Server 2016 ship with an updated People Picker and Claims Provider that is natively "compatible" with SAML claims, or will a bespoke solution still be needed?

224 votes
    Benjamin Athawes shared this idea
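As an added illustration of the Custom Claims Provider the idea describes (example code written for this page, not taken from the post, Kirk Evans' article or LDAPCP), the following minimal SPClaimProvider resolves People Picker input only when a user with that userPrincipalName exists in AD DS, so a mistyped or made-up value is left unresolved instead of being granted permissions as a valid SAML claim. The class name, trusted provider name "ADFS" and LDAP path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;
public class UpnLdapClaimProvider : SPClaimProvider
{
    private const string TrustedProviderName = "ADFS";            // hypothetical: name of the farm's trusted identity token issuer
    private const string LdapPath = "LDAP://DC=contoso,DC=local"; // hypothetical: directory root to search
    private const string UpnClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
    private const string StringType = "http://www.w3.org/2001/XMLSchema#string";
    public UpnLdapClaimProvider(string displayName) : base(displayName) { }
    public override string Name { get { return "UpnLdapClaimProvider"; } }
    public override bool SupportsEntityInformation { get { return false; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return true; } }
    // Escape RFC 4515 filter metacharacters so typed input cannot change the meaning of the LDAP query.
    private static string Escape(string s) { return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00"); }
    // Query AD DS by userPrincipalName: exact match when resolving, prefix match for search-as-you-type.
    private List<PickerEntity> FindUsers(string input, bool exact, int max)
    {
        var found = new List<PickerEntity>();
        string filter = "(&(objectClass=user)(userPrincipalName=" + Escape(input) + (exact ? ")" : "*)") + ")";
        using (var root = new DirectoryEntry(LdapPath))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "userPrincipalName" }) { SizeLimit = max })
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
            {
                string upn = (string)r.Properties["userPrincipalName"][0];
                PickerEntity e = CreatePickerEntity();
                // The issuer must be the trusted provider, not this claims provider, or the picked claim will not match the claim users log in with.
                e.Claim = new SPClaim(UpnClaimType, upn, StringType, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, TrustedProviderName));
                e.DisplayText = upn; e.EntityType = SPClaimEntityTypes.User; e.IsResolved = true;
                found.Add(e);
            }
        }
        return found;
    }
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { resolved.AddRange(FindUsers(resolveInput, true, 1)); }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { FillResolve(context, entityTypes, resolveInput.Value, resolved); }
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, int maxCount, SPProviderHierarchyTree searchTree) { foreach (PickerEntity e in FindUsers(searchPattern, false, maxCount)) searchTree.AddEntity(e); }
    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(UpnClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringType); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.User); }
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims) { }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
    protected override void FillSchema(SPProviderSchema schema) { }
}
```

Registration is not shown: the provider is deployed as a farm solution with an SPClaimProviderFeatureReceiver and is attached to the trusted issuer by setting the SPTrustedLoginProvider's ClaimProviderName to the Name above.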

    15 comments

      • o365SPO commented

        SAML Claims for SQL and SSRS and an SSRS Web Part for SharePoint Online please.

      • Jasper Siegmund commented

        Would also be nice to be able to limit the results in the people picker by a specific claim, preferably via a property set in the site collection property bag. There are ways to limit the result set on-prem based on OUs, but something similar for claims was never implemented afaik?

      • Pranav Kothare commented

        I believe that Microsoft should at least provide an OOB solution for the vanilla deployment of SharePoint + ADFS + AD and define some baseline like UPN for identity and Windows groups for roles. That way, people aren't coding/deploying the same solution repeatedly to different farms.

      • Terafirma commented

        Building in ldapcp.codeplex.com would be a good start, and it supports all LDAP stores. Then adding SQL stores to this would be straightforward. You could even allow adding definitions to it to allow lookup from other stores.

      • Jean Marie Thia commented

        The claim provider should also be able to talk to other attribute providers besides a directory, like a SQL database, a web service or using the VOOT protocol (http://openvoot.org/).
        For me the actual approach is pretty good, as everything works except that there is no way for the user to validate the entered value. If you want to constrain your users you should then build your custom claim provider. I have put the one we are using at cnrsccp.codeplex.com
        But my main concern is about the people picker itself, which is not very ergonomic; or at least we could have the Advanced picker back.

      • Cory Stewart commented

        I definitely think this should be core to the product since claims is the cloud first strategy.....

      • Benjamin Athawes commented

        FWIW, most of the organisations I've worked with to implement SharePoint and SAML claims *have* used AD. SAML has been used to simplify identity federation. I agree that including a directory-agnostic People Picker and Claims Provider would be unrealistic, but compatibility with AD would be a good start in my book.

      • Thomas Vochten commented

        Although an AD-aware people picker/custom claims provider for SAML scenarios based on AD would be nice, a lot of organizations use SAML just so they don't have to use AD in the first place. Unfortunately you can't include a people picker that is aware of any possible directory out there. A good AD aware custom claims provider is the one at ldapcp.codeplex.com
