Okta Single Sign On for SharePoint 2013-如何从数据库注入自定义声明

Question

Scenario:

We are using Okta Single Sign On (SSO) on a SharePoint 2013 Extranet facing site. It fits the requirement well when individual users(email as user identity) granted site permissions.

However, as part of claims based permissions, we have a need to append custom claims to the user identity based on a membership rank in a committee. The membership and rank information is stored in a SQL database.

Part of SSO installs, Okta provided a people picker (SPClaimsProvider). If I use the Okta people picker I have no control over to inject custom claims through SPClaimsProvider. They should dynamically injected by querying ranks from SQL database/CRM.

Questions:

Should we uninstall Okta people picker and write our own SPClaimsProvider to append custom claims (SPClaimsProvider)?

(OR)

Use Okta people picker and develop custom System.Security.Claims.ClaimsAuthenticationManager to inject claims

(OR)

Leave Okta people picker as is, write a new SPClaimsProvider and install in parallel to Okta people picker.

Looking for some guidance.

Answer 1

The last option works fine. You can create and install multiple custom claims providers; the only limitation is that you can only have one default custom claims provider per SPTrustedIdentityTokenIssuer. Just create a new custom claims provider and have it only inject claims by overriding the FillClaimsForEntity method. Specific details for doing so are here (NOTE: this article works for both SharePoint 2010 and 2013): https://samlman.wordpress.com/2015/02/28/writing-a-custom-claims-provider-for-sharepoint-2010-part-1-claims-augmentation-and-registering-your-provider/ .