Migration of Windows claims authentication to SAML-based claims authentication in SharePoint Server 2013


Applies to: SharePoint Server 2013

Topic Last Modified: 2016-12-16

Summary: Learn how to migrate from Windows claims authentication to SAML-based authentication in SharePoint 2013.

This article describes the steps required to migrate an existing web application from Windows claims authentication to SAML-based claims authentication (a trusted identity token issuer) in SharePoint 2013. The migration rewrites the identities stored in the web application's content databases from the Windows claims encoding (i:0#.w|domain\user) to the trusted-provider encoding (i:05.t|<issuer>|<identifier claim>), so the trusted identity token issuer and its identifier claim mapping must already be configured before you start.

To run the identity migration, follow these steps:

Note:
These steps apply only to existing web applications.
  • Generate a skip list.

  • Run the migration against the web application that has one or more content databases.

A skip list is a comma-separated values (.csv) file that lists the records to exclude during the identity migration. For example, it is necessary to exclude certain service application accounts or certain domain accounts that have no counterpart in the SAML identity provider. Accounts in the skip list keep their Windows claims identity and are not converted, so review the list carefully: an account that is excluded by mistake loses no data, but an account that is converted by mistake (such as a service account that can only authenticate with Windows credentials) will no longer match its permission entries until the migration is reversed.

To migrate a web application to include all the content databases by using Windows PowerShell
  1. Check that you have the following memberships:

    • The securityadmin fixed server role on the SQL Server instance.

    • The db_owner fixed database role on all databases that are to be updated.

    • The Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • Read about_Execution_Policies.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  2. To migrate a web application to include all content databases, type the following at the Windows PowerShell command prompt.

    # The web application to convert (name or URL).
    $wa = Get-SPWebApplication -Identity <Name of web application>
    
    # The trusted identity token issuer (SAML provider) that will own the migrated identities.
    $tp = Get-SPTrustedIdentityTokenIssuer -Identity "RegularUsers"
    
    # -From must match the web application's current mode (CLAIMS-WINDOWS);
    # -To CLAIMS-TRUSTED-DEFAULT requires -TrustedProvider.
    Convert-SPWebApplication -Identity $wa -From CLAIMS-WINDOWS -To CLAIMS-TRUSTED-DEFAULT -TrustedProvider $tp -SourceSkipList skip.csv
    
To migrate specific web applications and content databases by using Windows PowerShell
  1. Check that you have the following memberships:

    • The securityadmin fixed server role on the SQL Server instance.

    • The db_owner fixed database role on all databases that are to be updated.

    • The Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • Read about_Execution_Policies.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  2. To migrate specific web applications and content databases, type the following at the Windows PowerShell command prompt.

    $wa = Get-SPWebApplication -Identity <Name of web application>
    
    $tp = Get-SPTrustedIdentityTokenIssuer -Identity "RegularUsers"
    
    # Limit the conversion to one content database of the web application.
    $database = Get-SPContentDatabase -Identity <DB_Name>
    
    Convert-SPWebApplication -Identity $wa -From CLAIMS-WINDOWS -To CLAIMS-TRUSTED-DEFAULT -TrustedProvider $tp -Database $database -SourceSkipList skip.csv
    

Where:

  • <Name of web application> is the name or URL of the web application to migrate.

  • <DB_Name> is the name of the content database to migrate. Repeat the Convert-SPWebApplication command for each content database that must be converted.

If you want to reverse the migration process, run the conversion in the opposite direction with the same skip list, so that the accounts excluded on the way out are excluded on the way back. Type the following at the Windows PowerShell command prompt.

$skipFile = "skip.csv"

Convert-SPWebApplication -Identity $wa -From CLAIMS-TRUSTED-DEFAULT -To CLAIMS-WINDOWS -SourceSkipList $skipFile -Database $database
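The following script is an added example that ties the two procedures together; it is not part of the original article and not Microsoft's code. It builds the skip list from the accounts actually present in the web application, converts one content database at a time, and then checks for Windows claims identities that were not converted and are not on the skip list. The web application URL, the service-account naming patterns, and the assumption that each skip-list record is one login name per line are all assumptions made for the example; the trusted provider name "RegularUsers" is the one the article uses.

```powershell
# Added example (not from the original article). Assumptions are marked below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "https://intranet.contoso.com"   # hypothetical web application
$providerName = "RegularUsers"                    # trusted identity token issuer from the article
$skipFile     = Join-Path $PWD "skip.csv"

$wa = Get-SPWebApplication -Identity $webAppUrl
$tp = Get-SPTrustedIdentityTokenIssuer -Identity $providerName

# 1. Refuse to run against a web application that is not already in claims mode;
#    -From CLAIMS-WINDOWS only makes sense for a claims-based web application.
if (-not $wa.UseClaimsAuthentication) {
    throw "$webAppUrl is in classic mode; convert it to Windows claims first."
}

# 2. Build the skip list from the identities stored in the web application.
#    The patterns below are hypothetical service/system account conventions;
#    Windows claims logins are encoded as i:0#.w|DOMAIN\user.
$skipPatterns = @(
    '^i:0#\.w\|contoso\\svc_',          # hypothetical service accounts
    '^i:0#\.w\|contoso\\sp_',           # hypothetical SharePoint farm accounts
    '^i:0#\.w\|nt authority\\'          # built-in identities
)
$skip = @{}
foreach ($site in $wa.Sites) {
    try {
        foreach ($user in (Get-SPUser -Web $site.RootWeb -Limit All)) {
            foreach ($pattern in $skipPatterns) {
                if ($user.UserLogin -match $pattern) { $skip[$user.UserLogin] = $true }
            }
        }
    } finally {
        $site.Dispose()
    }
}
# Assumption: one login name per record in the skip list.
$skip.Keys | Sort-Object | Set-Content -Path $skipFile -Encoding ASCII
Write-Host "Skip list written to $skipFile with $($skip.Count) record(s)."

# 3. Convert one content database at a time so that a failure is isolated to a
#    single database and can be reversed with -From CLAIMS-TRUSTED-DEFAULT -To CLAIMS-WINDOWS.
foreach ($db in $wa.ContentDatabases) {
    Write-Host "Converting content database $($db.Name)"
    Convert-SPWebApplication -Identity $wa `
        -From CLAIMS-WINDOWS -To CLAIMS-TRUSTED-DEFAULT `
        -TrustedProvider $tp -Database $db -SourceSkipList $skipFile
}

# 4. Verify: every identity that is not on the skip list should now carry the
#    trusted-provider prefix (i:05.t|RegularUsers|...) instead of i:0#.w|.
$unconverted = @()
foreach ($site in $wa.Sites) {
    try {
        foreach ($user in (Get-SPUser -Web $site.RootWeb -Limit All)) {
            if ($user.UserLogin -like 'i:0#.w|*' -and -not $skip.ContainsKey($user.UserLogin)) {
                $unconverted += "$($site.Url) : $($user.UserLogin)"
            }
        }
    } finally {
        $site.Dispose()
    }
}
if ($unconverted.Count -gt 0) {
    Write-Warning ("Windows claims identities remain after migration:`n" + ($unconverted -join "`n"))
} else {
    Write-Host "All non-skipped identities now use provider '$providerName'."
}
```

Run the script from the SharePoint 2013 Management Shell as a user with the memberships listed above, after backing up the content databases. The verification loop only inspects site collection root webs; accounts granted permissions on subsites or on individual items still follow the same login encoding, so extend the loop over $site.AllWebs if you need a complete audit.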
