Profile Sync and Claims Authentication

This article is a re-post from my previous blog… This is something that is not well documented, but you can have a profile synchronization for federated-based authentication. Follow this steps. First, create de connection sync, specifying an Active Directory type, and Claims-Based authentication provider,

Once this is done, you have to map a specific profile property Claim User Identifier (SPS-ClaimID) to the claims that is used as identity claims. This claims is visible using this small powershell cmdlet:

$provider=Get-SPTrustedIdentityTokenIssuer 

$provider.IdentityClaimTypeInformation

Commonly, the Identity Claims used is emailadress. Go in “Manage User Properties” , find the “Claims User Identifier” and edit it. Go in “Add new Mapping” section, and add an Import connection to the mail Attribute (or the property you used as identifier) of the source data connection you previously created. Now start a full sync and voilaaa! All your AD Accounts are no synchronized with a claims-based account, not the basic DOMAIN\Account.

What if you want to use profile sync using both Claims-based and integrated authentication? Well even if the profile would be match to 2 different account name (the DOMAIN\Account and the i:bar-foo), they are consider as a duplicate account by FIM, and there will be just one account sync. For instance, my AD account is in a OU that is sync by a n integrated authentication provider and a claims-based one. So when I query the FIM meta verse, I appear twice :

Once with the Windows Claims providers

And once with the adfs-fedrated claims provider:

But if I try to see the preview, my account appears as twice:

So the only way to achieve a domain sync against claims-based authentication AND Integrated-based authentication is to sync different OU of the AD domain.