In the last few projects we needed to migrate Windows claims users to SAML claims.
I wrote a script to automate this process.
The script checks the Trusted Token Issuers, determines which claim is the identifier claim for the selected token issuer and then sets the user prefix accordingly.
For example, if email is set as the identifier claim, the user prefix is "i:05.t"; if UPN is selected, the prefix is "i:0e.t".
Based on the claim mapping set on the ADFS server for role claims, I also set the group prefix and group login accordingly. For example, if the role claims on the ADFS server are set as "Token-Groups - Qualified by Long Domain Name", then the group login name is set as [long domain name]\[group samAccountName], e.g. "kompas-xnet.si\sg_SharePointUsers".
For the role claim, you can use:
The script also logs the user migration. It checks the default diagnostic logging location and creates the log files in that folder.
The script must be run on a SharePoint server and requires that the ActiveDirectory PowerShell module is installed.
In order to use the script, download the file to "c:\Scripts" on the server, run PowerShell as Administrator and type the following:
You must set the "roleClaim" parameter. It takes a set of predefined values, so you do not need to type them; you can tab through them. You must also set a valid "URL" for the local SharePoint site on which you want to migrate the users.
You also need to specify the "farmAdmin" parameter, your administrative account, which is skipped during the migration.
You can also add the Verbose switch if needed.
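The following is an added example, not the script from this post, showing the core of the identifier-claim to user-prefix logic described above and the farm-admin skip: it reads the identifier claim type from the trusted identity token issuer, looks up the matching email or UPN value in Active Directory and builds the new SAML login for each Windows claims user. The site URL and farm admin account are assumed placeholders; the script is meant to be run on a SharePoint server with the ActiveDirectory module installed.

```powershell
# Added example (not the author's script). Assumes a SharePoint server with the
# SharePoint snap-in and the ActiveDirectory module available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Well-known SharePoint claim encodings for the two identifier claims discussed in the post.
$ClaimPrefixMap = @{
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' = 'i:05.t'
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'          = 'i:0e.t'
}

function Get-SamlLoginForUser {
    param(
        [Parameter(Mandatory)] [Microsoft.SharePoint.SPUser] $User,
        [Parameter(Mandatory)] $TokenIssuer   # object from Get-SPTrustedIdentityTokenIssuer
    )
    # Only Windows claims accounts ("i:0#.w|DOMAIN\sam") are migration candidates.
    if ($User.UserLogin -notlike 'i:0#.w|*') { return $null }
    $samAccountName = (($User.UserLogin -split '\|')[1] -split '\\')[-1]

    # Identifier claim configured on the issuer decides the prefix, as the post describes.
    $claimType = $TokenIssuer.IdentityClaimTypeInformation.InputClaimType
    $prefix = $ClaimPrefixMap[$claimType]
    if (-not $prefix) { throw "Unsupported identifier claim type: $claimType" }

    # Pull the matching attribute from AD; a user without the attribute cannot be mapped.
    $adUser = Get-ADUser -Identity $samAccountName -Properties mail, userPrincipalName
    $value = if ($prefix -eq 'i:05.t') { $adUser.mail } else { $adUser.userPrincipalName }
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Warning "Skipping $($User.UserLogin): no value for $claimType in AD"
        return $null
    }
    return "$prefix|$($TokenIssuer.Name)|$value"
}

# Usage: dry run over one site. Placeholders below are assumptions, not values from the post.
$web       = Get-SPWeb 'https://intranet.example.local'   # assumed site URL
$farmAdmin = 'CONTOSO\spfarm'                             # assumed farm admin account
$issuer    = Get-SPTrustedIdentityTokenIssuer | Select-Object -First 1

foreach ($u in Get-SPUser -Web $web) {
    if ($u.UserLogin -like "*|$farmAdmin") { continue }   # never migrate the farm admin
    $newLogin = Get-SamlLoginForUser -User $u -TokenIssuer $issuer
    if ($newLogin) {
        Write-Verbose "$($u.UserLogin) -> $newLogin" -Verbose
        # Remove -WhatIf to perform the move; -IgnoreSID is needed when moving to a claims identity.
        Move-SPUser -Identity $u -NewAlias $newLogin -IgnoreSID -Confirm:$false -WhatIf
    }
}
```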
Hopefully, the script covers some scenarios for migrating users from windows claims to SAML claims.
If you have any comments or suggestions, please contact me at: email@example.com