Using Role claims for setting access in SP 2010

Jun 11, 2013 at 5:00 PM
Thanks for this great tool. I have a question about using Role claims. I am using CA Siteminder as the identity provider and we are mapping AD groups to the Role claim using the memberOf attribute. The problem is that the memberOf values are full DNs for the groups, which do not appear to be searchable using the people picker with LDAPCP. I can search for AD groups by CN, but that doesn't match the user claims. Any ideas on how to get around this?
Jun 13, 2013 at 11:35 AM
this is expected and is a limitation of current version.
But developer version gives you the possibility to implement what you need: download it and take a look at sample class CustomClaimTypeLookup.
In your case, you will need to specify property AttributeHelper.PrefixToAddToValueReturned to the role claim type.
This setting will be available in administration page in the future (so there will be no need to write any code) but there is currently no ETA for this.
I hope it answers your question.
Jun 13, 2013 at 12:31 PM
Thanks Yvan. I will look at the code, We have actually implemented a workaround on the identity provider side. We use CA Siteminder and we were able to implement a SAML generator plug-in to modify the claims. A configurable option in LDAPCP would be better, but we are good for now. Thanks again.
Jul 16, 2013 at 12:35 PM
Hi Yvan,
Thanks for sharing the custom claim provider code, which helps the developer to use as it is and customized as per needs.
Have a question related to Roles. When the user search inside people picker "joe". "Roles" also should appear with respect to joe. Is there any possibility in the current version or we have to customized as per our need.
i.e joe has different roles - joe_reader - joe_owner
We are getting some custom attributes i.e "xxxrolelist", how i am going to map my custom rolelist with as a "group".
new AttributeHelper{LDAPAttributeName="xxxrolelist", LDAPObjectClass="group", claimType=nsmsclaims.ClaimTypes.Prip.Group, claimEntityType = SPClaimEntityTypes.FormsRole, peopleEditorEntityDataKey=PeopleEditorEntityDataKeys.AccountName},
  1. I want to associate another attribute "xxxstatus". Though this attribute is not associated with claim provider, but i want to add this inside the LDAP query filter. is there any provision for this..