How to map MLM Mappings for SharePoint to ADFS from K2Sync
KB003638
PRODUCT
Introduction
When you want to use ADFS users in SharePoint groups, you need to complete a few steps to ensure that the K2 SyncEngine handles their membership correctly. The SyncEngine needs to know that, if there is a SharePoint group with a member that has a property called “K2SyncSPLoginName”, this member must be replaced by a K2ADFS user which uses the “UserPrincipalName” property, where the “K2SyncSPLoginName” and “UserPrincipalName” contain the same values. Use unique values to do the matching, else incorrect memberships might be created.
Steps
- First you need to ensure that there is no SharePoint forwarder or wildcard entry for the legacy provider in the group provider table.
- Execute Query 1 to determine if the correct value is returned.
Query 1 below is complete except for the security label name that could differ for you. Please make sure to update the security label name value to the correct ADFS security label name.
Query 1
SELECT * FROM [HostServer].[GroupProvider]WHERE SecurityLabelID = (SELECT SecurityLabelID FROM [HostServer].[SecurityLabel]WHERE SecurityLabelName = 'K2ADFS') AND Name = '*' - If Query 1 returns a result, then execute Query 2.
Query 2 below is complete except for the security label name that could differ for you. Please make sure to update the security label name value to the correct ADFS security label name.
Query 2
DELETE FROM [HostServer].[GroupProvider]WHERE SecurityLabelID = (SELECT SecurityLabelID FROM [HostServer].[SecurityLabel]WHERE SecurityLabelName = 'K2ADFS') AND Name = '*' - Now Execute Query 3
The script below is complete but some of the values can change depending on what you want to use as the Identifier on the legacy provider. In this instance we used UPN (User Principal Name). This value should match a value in the source provider so that a relationship between the two values can be built. If you decide to use something other than UPN, the yellow highlighted text should be updated.
Query 3
DECLARE @SPPOPIDUser AS INTDECLARE @SPPOPIDGroup AS INTDECLARE @LegacyPOPIDUser AS INTDECLARE @LegacyPOPIDGroup AS INTINSERT INTO [SyncEngine].[ProviderObjectProperty] ([ProviderObjectID],[Name],[IsCore],[ComputedProperty],[ProviderObjectPropertyTypeID])VALUES (8,'UserPrincipalName','False','False',17)INSERT INTO [SyncEngine].[ProviderObjectProperty] ([ProviderObjectID],[Name],[IsCore],[ComputedProperty],[ProviderObjectPropertyTypeID])VALUES (9,'UserPrincipalName','False','False',17)SELECT @SPPOPIDUser = ID FROM [SyncEngine].[ProviderObjectProperty]WHERE ProviderObjectID = 3 and Name = 'K2Sync|SPLoginName'SELECT @SPPOPIDGroup = ID FROM [SyncEngine].[ProviderObjectProperty]WHERE ProviderObjectID = 4 and Name = 'K2Sync|SPLoginName'SELECT @LegacyPOPIDUser = ID FROM [SyncEngine].[ProviderObjectProperty]WHERE ProviderObjectID = 8 and Name = 'UserPrincipalName'SELECT @LegacyPOPIDGroup = ID FROM [SyncEngine].[ProviderObjectProperty]WHERE ProviderObjectID = 9 and Name = 'UserPrincipalName'INSERT INTO [SyncEngine].[ProviderObjectPropertyMapping]([SourceProviderObjectPropertyID],[TargetProviderObjectPropertyID])VALUES (@SPPOPIDUser,@LegacyPOPIDUser)INSERT INTO [SyncEngine].[ProviderObjectPropertyMapping]([SourceProviderObjectPropertyID],[TargetProviderObjectPropertyID])VALUES (@SPPOPIDGroup,@LegacyPOPIDGroup)
Considerations
If you are already in a broken state, then it is important to also execute the following query:
SELECT * FROM [SyncEngine].[RepositoryConfig]
UPDATE [SyncEngine].[RepositoryConfig] SET ConfigValue = '' WHERE ConfigKey = 'MembershipState'
