SharePoint Custom Claims Provider for People Picker Loads on All Web Applications

If you have decided to use SAML token-based authentication (a Trusted Identity Provider) for your SharePoint web application, you have probably noticed, or should know, that the SPTrustedClaimProvider class does not provide search functionality to the People Picker control. Any text entered in the People Picker is therefore displayed as if it resolved, regardless of whether it is a valid user, group, or claim. Plan to create a custom claims provider that implements custom search and name resolution.

Reference: https://technet.microsoft.com/en-us/library/cc262350.aspx


Searching online, you will find several already implemented custom claims providers that achieve this goal and give you a proper People Picker experience. What you should be aware of, however, is that claims providers are registered on a server farm as farm-scoped features. That is why, by default, all claims providers are enabled on all web applications in the farm as soon as they are deployed.


Here comes the challenging configuration: what if I need this custom claims provider in only one web application zone? By default, when you register a custom claims provider on the farm, the IsEnabled and IsUsedByDefault properties are both set to True. You should therefore ensure that the IsUsedByDefault property is set to False, so that the provider is not loaded by default on all of your SharePoint web applications.

Reference: https://technet.microsoft.com/en-us/library/gg602072.aspx


One of the issues I found at one of our customers was getting duplicate users in a Windows-based authentication web application, as one user was coming from AD and the other was coming from the custom claims provider...


Luckily, you can change the IsUsedByDefault property to false using the SharePoint Management Shell after you deploy your custom claims provider solution, using the code below:

# Look the provider up by its display name, then switch off "used by default"
$customprovider = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq "Custom Provider Name" }

Set-SPClaimProvider -Identity $customprovider -Default:$false


If for any reason you don't have the name of your deployed custom claims provider, or you want to double-check this property value, you can get it with the cmdlet below in the SharePoint Management Shell:

Get-SPClaimProvider
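The three steps above (find the provider, clear IsUsedByDefault, verify) combined into one script, as an added example that is not part of the original post. It re-reads the provider definition after the change instead of trusting the in-memory object, lists any other providers still marked as default so you can spot the source of duplicate People Picker results, and, as an optional last step, binds the provider to a single trusted identity token issuer. The display name "Custom Provider Name", the issuer name "SAML Trust Name" and the internal provider name are placeholders you must replace; that Set-SPClaimProvider, Get-SPTrustedIdentityTokenIssuer and the issuer's ClaimProviderName property are the right hooks for this is my assumption, not something the post states.

```powershell
# Added example, not from the original post. Run in the SharePoint Management Shell
# (or load the snap-in first) on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerDisplayName  = "Custom Provider Name"   # placeholder: DisplayName shown by Get-SPClaimProvider
$trustName            = "SAML Trust Name"        # placeholder: your trusted identity token issuer
$providerInternalName = "CustomProviderInternal" # placeholder: the provider's internal Name (assumption: this is what ClaimProviderName expects)

function Get-CustomProvider {
    # Always query the farm again so we see the persisted state, not a stale copy
    Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $providerDisplayName }
}

$customProvider = Get-CustomProvider
if (-not $customProvider) {
    Write-Error "No claims provider with DisplayName '$providerDisplayName' found. Run Get-SPClaimProvider to list the registered providers."
    return
}

Write-Host ("Before: IsEnabled={0} IsUsedByDefault={1}" -f $customProvider.IsEnabled, $customProvider.IsUsedByDefault)

# Step 1: stop the provider from loading on every web application in the farm
if ($customProvider.IsUsedByDefault) {
    Set-SPClaimProvider -Identity $customProvider -Default:$false
}

# Step 2: verify against the farm, and fail loudly if the flag did not change
$customProvider = Get-CustomProvider
if ($customProvider.IsUsedByDefault) {
    Write-Error "IsUsedByDefault is still True for '$providerDisplayName'; check that you have farm administrator rights."
    return
}
Write-Host ("After:  IsEnabled={0} IsUsedByDefault={1}" -f $customProvider.IsEnabled, $customProvider.IsUsedByDefault)

# Step 3: show which providers are still used by default. Every one of these is
# consulted by the People Picker on every web application, so a custom provider
# appearing here next to the built-in ones explains duplicate results on a
# Windows-authenticated web application.
Write-Host "Providers still used by default on all web applications:"
Get-SPClaimProvider |
    Where-Object { $_.IsUsedByDefault } |
    Select-Object DisplayName, IsEnabled, IsUsedByDefault |
    Format-Table -AutoSize

# Step 4 (optional, assumption): bind the provider to the SAML trust only, so it is
# loaded just for the zone that uses that trusted identity provider.
$trust = Get-SPTrustedIdentityTokenIssuer -Identity $trustName -ErrorAction SilentlyContinue
if ($trust) {
    $trust.ClaimProviderName = $providerInternalName
    $trust.Update()
    Write-Host "Bound '$providerInternalName' to trusted identity token issuer '$trustName'."
} else {
    Write-Warning "Trusted identity token issuer '$trustName' not found; skipped the binding step."
}
```

Run it once after each deployment of the provider solution: a redeploy re-registers the provider definition, so IsUsedByDefault can flip back to True, and the "Before/After" lines give you a record of what changed.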