The SharePoint 2010 People Picker and Claims
The SharePoint People Picker control can be used to find and select users and groups when assigning permissions to resources such as sites and lists and libraries. K2 uses the People Picker control in several areas such as permission management and task assignment. It is important to understand how the People Picker control resolves special users (i.e. All Users) and claims users. For more information, see People Picker overview: http://technet.microsoft.com/en-us/library/gg602068.aspx.
The People Picker control has two modes for resolving names. The Check Names (Ctrl+K) option tries to match the provided text against all registered providers for the web site.
When the text provided can be resolved against more than one provider, the text is underlined in red and a list of available providers is presented in a popup when the text is selected.
This works well when all the claims providers implement search and name resolution. However, when a claims provider does not implement search and name resolution, as is the case for the SPTrustedClaimProvider that ships with SharePoint, any text entered in the text box is automatically displayed as if it had been resolved, regardless of whether it names a valid user or group.
The following note is taken directly from the SharePoint product documentation. For more information, see: Custom claims providers for People Picker (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/gg602072.aspx
When a Web application is configured to use SAML token-based authentication, the SPTrustedClaimProvider class does not provide search functionality to the People Picker control. Any text entered in the People Picker control will automatically be displayed as if it had been resolved, regardless of whether it is a valid user, group, or claim. If your SharePoint Server 2010 solution will use SAML token-based authentication, you should plan to create a custom claims provider to implement custom search and name resolution.
It is recommended to use the Browse option when using the People Picker to ensure that the appropriate user or group is selected and assigned against the desired provider and claim.
Users
Active Directory users are typically resolved by searching on the Windows user logon name or DOMAIN\Username format. Depending on the People Picker configuration, the user may appear in the Active Directory, the Organizations, or both search results. The key is to ensure that the user selected is the one for the User: Active Directory result.
Groups
Active Directory groups are typically resolved by searching on the Windows group name or DOMAIN\GroupName format. Depending on the People Picker configuration, the group may appear in the Active Directory, the Organizations, or both search results. The key is to ensure that the group selected is the one for the Security Group: Active Directory result.
Users
Forms-based authenticated users are typically resolved by searching on the user logon name. Depending on the People Picker configuration, the user may appear in the Forms Auth, the Organizations, or both search results. The key is to ensure that the user selected is the one for the User: Forms Auth result.
Groups
Forms-based authentication groups are typically resolved by searching on the group name. Depending on the People Picker configuration, the group may appear in the Forms Auth, the Organizations, or both search results. The key is to ensure that the group selected is the one for the Role: Forms Auth result.
For Trusted Provider based authentication, where AD FS is configured with the Active Directory attribute store, users are typically resolved by searching on DOMAIN\Username. Depending on the People Picker configuration, the user may appear in the Trusted Provider search results once for each configured claim (in this example, under the provider named ADFS AD). The key is to ensure that the user selected is the one mapped to the search result for the identity claim, in this example Windows Account Name.
For Trusted Provider based authentication, where AD FS is configured with the Active Directory attribute store, groups are typically resolved by searching on DOMAIN\GroupName. Depending on the People Picker configuration, the group may appear in the Trusted Provider search results once for each configured claim (in this example, under the provider named ADFS AD). The key is to ensure that the group selected is the one mapped to the search result for the role claim, in this example Role.
The search text must match the claim values issued by the trusted provider exactly. For example, if the claim values are in the form DOMAIN\Username or DOMAIN\GroupName, the DOMAIN prefix must be included when executing the search; if the claim values carry no DOMAIN information, omit it when executing the search.
For more information on configuring AD FS for Active Directory, see Claims Supported Configurations.
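Because the trusted provider performs no lookup, whatever was typed into the People Picker is what gets stored. The following script is an added example (not from the K2 or SharePoint documentation) that lists the claims configured on the trusted provider and then the principals a site has granted through it, flagging stored values that do not have the DOMAIN\Name shape. It assumes the provider is named ADFS AD as in the text above, that its identity claim carries DOMAIN\Username values, and that http://sp/sites/hr is a placeholder site URL.

```powershell
# Added example, not from the K2 or SharePoint documentation. Because
# SPTrustedClaimProvider performs no search, any text typed into the People
# Picker is stored as a claim value; this lists what was actually stored for a
# trusted provider so typos or wrongly formatted values can be reviewed.
# Assumptions: the trusted identity token issuer is named "ADFS AD" (as in the
# text above), its identity claim values look like DOMAIN\Username, and
# http://sp/sites/hr is a placeholder site URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS AD"
$siteUrl    = "http://sp/sites/hr"   # placeholder

# Show which claim is the identity claim and which other claims (e.g. Role)
# are configured, so the People Picker result that must be chosen is known.
$sts = Get-SPTrustedIdentityTokenIssuer $issuerName
$sts.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, IsIdentityClaim |
    Format-Table -AutoSize

# Encoded logins granted through a trusted provider have the form
#   <prefix>.t|<issuer name>|<claim value>
# so the stored claim value is the text after the last "|".
$web = Get-SPWeb $siteUrl
Get-SPUser -Web $web -Limit All |
    Where-Object { $_.UserLogin -like "*.t|$issuerName|*" } |
    ForEach-Object {
        $value = $_.UserLogin.Split("|")[-1]
        # DOMAIN\Name is the expected shape for this provider (assumption);
        # anything else was accepted only because no lookup was performed.
        $ok = $value -match '^[^\\\s]+\\[^\\\s]+$'
        New-Object PSObject -Property @{
            Login   = $_.UserLogin
            IsGroup = $_.IsDomainGroup
            Value   = $value
            Check   = $(if ($ok) { "expected format" } else { "REVIEW" })
        }
    } |
    Select-Object Login, IsGroup, Value, Check |
    Format-Table -AutoSize
$web.Dispose()
```

Run it in the SharePoint 2010 Management Shell on a farm server; rows marked REVIEW are candidates for re-selecting the principal with the Browse option.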
For Trusted Provider based authentication, where AD FS is configured with the LDAP attribute store, users are typically resolved by searching on the user logon name. Depending on the People Picker configuration, the user may appear in the Trusted Provider search results once for each configured claim (in this example, under the provider named ADFS LDAP). The key is to ensure that the user selected is the one mapped to the search result for the identity claim, in this example Name.
For Trusted Provider based authentication, where AD FS is configured with the LDAP attribute store, groups are typically resolved by searching on the group name. Depending on the People Picker configuration, the group may appear in the Trusted Provider search results once for each configured claim (in this example, under the provider named ADFS LDAP). The key is to ensure that the group selected is the one mapped to the search result for the role claim, in this example Role.
The search text must match the claim values issued by the trusted provider exactly. For example, if the claim values are in the form DOMAIN\Username or DOMAIN\GroupName, the DOMAIN prefix must be included when executing the search; if the claim values carry no DOMAIN information, omit it when executing the search.
For more information on configuring AD FS for LDAP, see Claims Supported Configurations.
K2 does not support a concept of “All Users” for assigning tasks, interacting with tasks, or assigning permissions. Built-in or configured groups for the appropriate K2 user manager (for example, Domain Users for Active Directory) must be used instead. This applies to the following special users and groups:
- NT Authority\Authenticated Users
- All Authenticated Users
- All Users ({WindowsProvider}), that is NT AUTHORITY\Authenticated Users
- All Users ({FormsProvider})
- All Users ({TrustedProvider})
Processes designed to utilize Runtime Participants make use of the People Picker control at runtime. The recommendations and limitations discussed in this topic apply when selecting additional participants. To remove existing participants, select the user or group from the list and click Remove as indicated below.