This project has moved and is read-only. For the latest updates, please go here.

Configuring SharePoint Identity Service


  • Download the Solution SharePoint.IdentityService.wsp
  • Open a SharePoint PowerShell session as administrator on one of your SharePoint 2013 Servers
  • Deploy solution
    • Add-SPSolution –LiteralPath “[Path to WSP]\SharePoint.IdentityService.wsp”
    • Install-SPSolution –Identity SharePoint.IdentityService.wsp -GACDeployment
    • Close PowerShell
  • Open a SharePoint PowerShell session as administrator on one of your SharePoint 2013 Servers
  • Install SharePoint Identity Service
    • Install-IdentityService
    • Close PowerShell


  • Delete all of your Identity Service Applications
  • Open a SharePoint PowerShell session as administrator on one of your SharePoint 2013 Servers
  • UnInstall SharePoint Identity Service
    • Uninstall-IdentityService
  • Remove the solution
    • In central administration
    • Via PowerShell Uninstall-SPSolution and Remove-SPSolution

After Adding an new Server to the Farm your can run the Repair-IdentityService cmdlet

Post-Installation Steps

Before using the claim provider several configuration steps must be executed

Provision Service Instances

    • Launch Administration Console
    • Navigate to “Manage Services on Servers” / “Gérer les services sur le serveur”
    • Select the server where you want the application run (usually an Application Server)
    • Locate the “SharePoint Identity Service” entry in the list, then click “Start”
    • repeat these steps for each server where you want to provision an instance


Create and Provision Service Application

    • Launch Administration Console
    • Navigate to “Manage Services applications” / “Gérer les Applications de service”
    • Select “New”
    • Select “SharePoint Identity Service”
    • Fill the form


    • Make sure to give a Name, Label and description  to your application
    • Select your identity provider

You must disable your current SPClaimProvider claim before creating a new service application using a Trusted Token Issuer.

For security reasons, the component does not replace an installed custom SPClaimProvider



    • Fill your database Server
    • Fill your database Name
    • Optional Fill authentication and failover server



    • Fill your Application Pool, you can reuse existing one, in this case the best candidate is SecurityTokenServiceApplicationPool or create your own
    • By default, without additional tuning, the backend repositories will be accessed with the Application Pool identity
    • You can also, reuse an existing Database (for example when you recreate an application).

Verify that the Application is correctly added

When the provisioning process as finished, you must see you Application with Proxy in the list of Application.


    • You can review the administrators and authorizations
    • The application Proxy is Added to the Default Application Proxy Group, you can change it for your needs in the “Manage WebApplication” page (/_admin/WebApplicationList.aspx).

Customizing Configuration

When the application is created, you can change many parameters – Click “Manage”


You can find 4 categories of parameters


  • General Parameters
    • Claims part
      • Very important ! you must select how to display a user or a group in sites authorizations and in the People Picker, AND configure the Identity Claim AND Roles Claim. These choices MUST BE CONFORM to your declaration of your SPTrustedIdentityTokenIssuer. in this sample it’s the UPN
      • image
    • Other Parameters
      • You can modify for your convenience to customize the search and other parameters
    • More Information General Parameters
  • Entities and Domains
    • You can define the list of your entities or domains : Display Names, position, enabled/disabled and the associated connection. for example if you want to remove a domain (hide), you have to describe it et set enabled to False.
    • When You have described some entities, automatic discovery of forest/domains is deactivated
    • More Information Entities and Domains
  • Connections configuration
    • You can define many connections, set credentials, timeout, etc…
    • In connection string field you can store custom connection strings (for Active Directory extension this can be a custom LDAP string including filters for example)
    • More Information Connection configuration
  • Attributes Store Components

The Claim Provider in Action

In the People Picker (old mode)


In the people Picker 2013


Cool things

Kerberos Constraint Delegation and Claims Augmentation

By default SharePoint is able to map a Claim identity to a Binary Windows Identity locally for each server. It’s The “Claims To Windows Token Service”  C2WTS feature. But for the federated claims even if these claims represents a Windows User in ADDS repository this not working, because the SharePoint framework checks for specific Windows claims that are not present by default.

So, we decided to add some specific claims in the security token when we are in the case of ADFS/federation, and now, the user is a SAML user and a Windows User at the same time. The claims we add are underlined in green in the next screen. Underlined in orange, this is the claim augmentation feature (described in configuration of the Identity Service Application) witch add this claim.


To configure SharePoint 2013 for KCD you can refer to

With KCD configured for SharePoint, BI-connections strings, Reporting Services in Integrated Mode are available under the identity of the caller. It’s possible to display a SSAS report within the identity of the caller even if we are in SAML context !


Developers Corner

See Developers Corner

Last edited Mar 1, 2016 at 10:41 PM by redhook, version 9