Creating an ADFS2.0 TrustedIdentityTokenIssuer using PowerShell in SharePoint 2013

Sathish Nadarajan
SharePoint MVP
Published On :   01 Oct 2013

In this article, let us see how to create an ADFS 2.0 Trusted Identity Token Issuer (SPTrustedIdentityTokenIssuer) using PowerShell in SharePoint 2013.

In many scenarios, our web application requires claims-based authentication, and an external identity provider such as ADFS 2.0 can supply it. Installation and configuration of ADFS have already been discussed at length, so this article, as one of a series of PowerShell scripts, focuses on the PowerShell portion alone.

The steps are as follows.

a. Add the certificate to the Trusted Root Authorities.

b. Create the claims mappings.

c. Create a variable for the realm.

d. Create a sign-in URL.

e. Create the New-SPTrustedIdentityTokenIssuer.

And the script is as follows.


Add-PSSnapin "Microsoft.SharePoint.PowerShell"

# Add the Certificate to the Trusted Root Authorities
# (the token-signing certificate exported from the AD FS server; the path is an example)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\ADFSCert.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert ADFSAuthenticatedSite" -Certificate $cert

# Create the Claims Mappings
# The incoming claim type URIs were lost from the original listing; the values below are the
# standard claim types AD FS issues for the display names used (e-mail address, UPN, role).
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Create a Realm variable
# (must match the relying party identifier configured in AD FS; placeholder value)
$realm = "urn:sharepoint:intranet"

# Create a Signin URL
# (the /adfs/ls endpoint of the AD FS server; placeholder host name)
$signInURL = "https://adfs.contoso.com/adfs/ls"

# Create the TrustedIdentityTokenIssuer
$ap1 = New-SPTrustedIdentityTokenIssuer -Name "XYZ" -Description "Test" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType

· The "Name" attribute is the name under which a web application is configured to use this authentication provider.

· The "Realm" attribute defines the realm to be used by the trusted identity token issuer; it must match the relying party identifier configured in AD FS.

· The "ImportTrustCertificate" attribute receives the token-signing certificate copied from the AD FS server in this scenario.

· The "ClaimsMappings" attribute lists the claims the trusted identity token issuer will accept.

· The "SignInUrl" is the URL to which users are redirected to authenticate with the IP-STS. In this scenario, users authenticate with the AD FS server by using Windows integrated security, so they are redirected to the /adfs/ls endpoint.

· The "IdentifierClaim" attribute instructs SharePoint Server which of the mapped claims identifies a user. In this scenario the e-mail address is used to identify a user.
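Once the issuer exists, the parameters above can be checked back against the farm. The following script is an added example and not part of the original article: it reads the issuer with Get-SPTrustedIdentityTokenIssuer and verifies that the signing certificate is the one registered as a trusted root and is not about to expire, that the sign-in URL is HTTPS, that the realm is the expected one, and that the identifier claim is one of the mapped claims. The issuer name, trusted root name, realm and e-mail claim type are placeholders that must be replaced with the values used at creation.

```powershell
# Added example: post-creation checks for an SPTrustedIdentityTokenIssuer.
# All names and expected values below are placeholders matching the article's script.
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$issuerName      = "XYZ"                                       # -Name passed to New-SPTrustedIdentityTokenIssuer
$rootAuthName    = "Token Signing Cert ADFSAuthenticatedSite"  # -Name passed to New-SPTrustedRootAuthority
$expectedRealm   = "urn:sharepoint:intranet"                   # placeholder, same value as $realm
$expectedIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
$root   = Get-SPTrustedRootAuthority -Identity $rootAuthName -ErrorAction Stop

$findings = @()

# 1. Signing certificate: must be the certificate registered as a trusted root, and not close to expiry.
#    Once AD FS rolls its token-signing certificate, every sign-in fails with a trust error until
#    SharePoint is updated, so the expiry date is worth watching.
$cert = $issuer.SigningCertificate
if ($cert.Thumbprint -ne $root.Certificate.Thumbprint) {
    $findings += "Signing certificate thumbprint does not match trusted root authority '$rootAuthName'."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $findings += "Signing certificate expires on $($cert.NotAfter) (less than 30 days away)."
}

# 2. Sign-in URL: the SAML token is posted back through the user's browser, so the endpoint must be HTTPS.
if ($issuer.ProviderUri.Scheme -ne "https") {
    $findings += "SignInUrl '$($issuer.ProviderUri)' is not HTTPS."
}

# 3. Realm: if it differs from the relying party identifier in AD FS, the issued token is rejected.
if ($issuer.DefaultProviderRealm -ne $expectedRealm) {
    $findings += "Realm is '$($issuer.DefaultProviderRealm)', expected '$expectedRealm'."
}

# 4. Identifier claim: must be the expected claim and one of the mapped input claim types.
$mapped  = $issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
$idClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
if ($idClaim -ne $expectedIdClaim -or $mapped -notcontains $idClaim) {
    $findings += "Identifier claim '$idClaim' is not the expected mapped claim '$expectedIdClaim'."
}

if ($findings.Count -eq 0) {
    Write-Host "Trusted identity token issuer '$issuerName' passed all checks."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from the SharePoint 2013 Management Shell on a farm server after the creation script; a clean run reports one line, otherwise each failed check is printed as a warning.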


This seems very simple, but it can sometimes consume a surprising amount of time. Hence, I request that the steps be followed in order: if a mistake is made, it is very hard both to revert the configuration and to fix the issue.
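Reverting is hard mainly because the issuer cannot be removed while a web application zone still uses it, and removing the trusted root authority while an issuer still relies on the certificate breaks sign-in. The following script is an added example, not from the original article, that performs the removal in a safe order: it enumerates the zones of every web application, refuses to delete the issuer while any zone references it, and removes the trusted root authority only when no remaining issuer uses that certificate. The issuer and trusted root names are placeholders taken from the article's script; the LoginProviderName property on the zone's claims providers is assumed to carry the issuer name.

```powershell
# Added example: remove an SPTrustedIdentityTokenIssuer and its trusted root authority cleanly.
# Names are placeholders matching the article's creation script.
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$issuerName   = "XYZ"                                        # -Name used at creation
$rootAuthName = "Token Signing Cert ADFSAuthenticatedSite"   # trusted root authority name

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if (-not $issuer) {
    Write-Host "No trusted identity token issuer named '$issuerName'; nothing to remove."
} else {
    # Find every web application zone whose claims authentication providers still reference this issuer.
    # (Assumption: the trusted provider entry exposes the issuer name as LoginProviderName.)
    $inUse = foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $hit = $wa.IisSettings[$zone].ClaimsAuthenticationProviders |
                Where-Object { $_.LoginProviderName -eq $issuerName }
            if ($hit) { "$($wa.DisplayName) [$zone]" }
        }
    }

    if ($inUse) {
        # Deleting now would leave those zones pointing at a provider that no longer exists.
        Write-Warning "Issuer '$issuerName' is still configured on: $($inUse -join ', ')."
        Write-Warning "Remove it from those zones first (Central Administration, or Set-SPWebApplication -AuthenticationProvider)."
    } else {
        Remove-SPTrustedIdentityTokenIssuer -Identity $issuerName -Confirm:$false
        Write-Host "Removed trusted identity token issuer '$issuerName'."
    }
}

# The trusted root authority is independent of the issuer: drop it only when no issuer still
# signs tokens with that certificate, otherwise the remaining trusts stop validating.
$root = Get-SPTrustedRootAuthority -Identity $rootAuthName -ErrorAction SilentlyContinue
if ($root) {
    $stillReferenced = Get-SPTrustedIdentityTokenIssuer |
        Where-Object { $_.SigningCertificate.Thumbprint -eq $root.Certificate.Thumbprint }
    if ($stillReferenced) {
        Write-Warning "Trusted root '$rootAuthName' is still used by: $(($stillReferenced | ForEach-Object { $_.Name }) -join ', ')."
    } else {
        Remove-SPTrustedRootAuthority -Identity $rootAuthName -Confirm:$false
        Write-Host "Removed trusted root authority '$rootAuthName'."
    }
}
```

The two checks are what make the rollback predictable: nothing is deleted until the farm has no remaining reference to it, so a partially applied removal cannot leave a web application with an unresolvable provider.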


Happy coding.
