I’ve been tinkering quite a bit with Sharepoint 2010 and ADFS 2.0 lately and figured that this was worth sharing.

I followed the steps outlined in Travis Nielsen’s blog post to configure a federated identity provider in Sharepoint 2010 and configured ADFS 2.0 in my own way since our setup involves quite a few partner organizations. One thing that is not mentioned in the step by step guide is how to configure Sharepoint to accept role claims and assign access rights based on those claims.

The following Powershell snippet will do the trick

$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.ClaimTypes.Add(”http://schemas.microsoft.com/ws/2008/06/identity/claims/role“)
$map = New-SPClaimTypeMapping “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
$issuer.AddClaimTypeInformation($map)
$issuer.Update()

After this the “Role” entry will show up in the people picker and you will be able to assign role claims to Sharepoint groups.