This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 51%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Our client has a need to get rid of multiple AD Accounts of users who work for two different organizations (e.g. 50-50).
Currently those users login to the computer with the account of the organization they are working on currently and are granted access to those Sharepoint sites that has that same organizations' AD Groups permitted to those sites.
So they asked if it would be possible for those users to have only one AD Account and then create a new LDAP environment to give those AD accounts two different roles. And those roles would have different AD groups mapped to them.
And the most important question: Could we leverage those roles when the user authenticates to Sharepoint so that depending on the role the user chooses, he would only get permissions in Sharepoint to those sites which has thos AD groups that belong to the role that he has chosen.
This is a bit hard to explain and to try to get even started, but any comment would be appreciated.
Currenty they are using Sharepoint 2016 with SAML authentication via ADFS.
To add more spice to the situation, SSO to Sharepoint should be working too (as it is working now) so probably the role selection should be made in some custom LDAP tool after the user has signed in to Windows.
Again, I'm not expecting answers since this seems quite complex.
Per my knowledge, the short answer is NO, when we use SAML authentication via ADFS, it's necessary to define the claim that will be used as the unique identifier of the user.
Simply put, a user should have his own unique identifier rather than two roles pointing to one user.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your quick reply!
How about if they would get rid of the ADFS between AD and Sharepoint?
Can we use SAML authentication with LDAP?
The logic behing the scenes would be something like this:
And the actual sign-in scenario would be something like this:
I would like to say to our client just NO, but unfortunately they need some explanation and I was actually interested has anyone ever implemented something like this with Sharepoint..
Per my research, there is little sample or information about this, we suggest you open a support ticket from Microsoft about it to be raised to have a dedicated Technical Professional to support you from here.
Please go to the website (https://support.microsoft.com/en-sg/help/4051701/global-customer-service-phone-numbers) to find related number and call it to create a new Phone Service Request to Microsoft Phone Support team.
are domains of these organizations located in the same forest? Is yes it is possible (with limitations: Can users in one domain be assigned to Groups in another domain if both domains are in the same Forest) add users from domain A (organization 1) to AD groups in domain B (organization 2). In this case (in theory) the same user account may access Sharepoint sites which are granted for AD groups from domain A (organization 1) and sites granted for AD groups from domain B (organization 2). It should tested of course.