A customer has the following setup:

Access Manager 4.2.1
SharePoint 2013
Entities/profiles are synchronized from AD to SharePoint with the integrated FIM in SharePoint 2013 using Authentication Provider Type = Windows Authentication

I have followed this Cool Solution: https://www.netiq.com/communities/co...uthentication/

This does actually work, however there is one problem, which is known not just in the case of NAM and SharePoint, but as a general issue with SharePoint and federated logins.

When an account/entity/profile has been synchronized from AD to SharePoint, and federated login has been enabled, you can end up with 2 accounts of the same user.

The account synchronized from AD would look like this:

Account name: DOMAIN.COM\jamesh
Preferred name: James Hanson
E-Mail address: jamesh@domain.com

The second account, which is created when the user logs in with federated login for the first time, looks like this:

Account name: i:05.t|am-wsfed-isp|jamesh@domain.com
Preferred name: jamesh@domain.com
E-Mail address: empty

So it would seem like the matching that I would expect to occur when logging in with federated login does not occur. So the user is logged in with this "federated profile", which does not have any permissions, and is actually not the correct user.

I have Googled like a maniac and other people have the same issue. Solutions go from: You can't do anything about this, to: As long as the mapping for the claims identifier is correct, you should be good to go. The blog below talks about this and multiple people have this issue.


I have tried everything and no matter what I do, the "federated profile" is created and the user is not able to log in with the correct user.

Anyone ever had this issue?

Thanks in advance,
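The two account names quoted in the post illustrate SharePoint's encoded claims format: `i:05.t|am-wsfed-isp|jamesh@domain.com` decodes to an identity claim of type e-mail address, issued by the trusted provider `am-wsfed-isp`, with value `jamesh@domain.com`. The matching the poster expects is exactly a comparison of that claim value with the e-mail of the AD-synchronized profile. The script below is an added example, not code from the original post nor from NetIQ or Microsoft. It decodes the claim string, then scans a list of profiles (constructed from the values quoted above) for a federated profile that duplicates a synchronized one. The encoding table it uses is an assumption limited to the common claim-type and issuer-type codes, and `match_federated_profile` / `find_duplicate_profiles` are hypothetical helper names, not SharePoint APIs.

```python
"""Decode SharePoint 2013 encoded claim identities and check whether a
federated identity duplicates an AD-synchronized user profile by e-mail.

Added example, not from the original post or from NetIQ/Microsoft code.
The encoding tables are an assumption covering only the common codes;
the profile data is constructed from the values quoted in the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SharePoint encodes a claims identity as:
#   <i|c>:0<claim-type><value-type><issuer-type>|[<issuer-name>|]<value>
# e.g. i:05.t|am-wsfed-isp|jamesh@domain.com  or  i:0#.w|DOMAIN\user
# Assumption: only the common claim-type and issuer-type codes are listed.
CLAIM_TYPE_CODES = {
    "#": "userlogonname",
    "5": "emailaddress",
    "?": "nameidentifier",
    "!": "identityprovider",
    "-": "role",
    "+": "groupsid",
}
ISSUER_TYPE_CODES = {
    "w": "windows",
    "t": "trustedprovider",
    "m": "membership",
    "f": "forms",
    "c": "claimprovider",
    "s": "localsts",
}
# Issuer types whose encoding carries an explicit issuer-name segment.
ISSUER_TYPES_WITH_NAME = {"t", "m", "f", "c"}


@dataclass
class DecodedClaim:
    is_identity: bool      # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    issuer_type: str
    issuer_name: Optional[str]
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Split an encoded claim string into its parts; raises on malformed input."""
    if (len(encoded) < 8 or encoded[0] not in "ic" or encoded[1] != ":"
            or encoded[2] != "0" or encoded[4] != "." or encoded[6] != "|"):
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    kind, type_code, issuer_code = encoded[0], encoded[3], encoded[5]
    rest = encoded[7:]
    issuer_name = None
    if issuer_code in ISSUER_TYPES_WITH_NAME:
        issuer_name, sep, rest = rest.partition("|")
        if not sep:
            raise ValueError(f"missing issuer-name separator: {encoded!r}")
    return DecodedClaim(
        is_identity=(kind == "i"),
        claim_type=CLAIM_TYPE_CODES.get(type_code, f"unknown({type_code})"),
        issuer_type=ISSUER_TYPE_CODES.get(issuer_code, f"unknown({issuer_code})"),
        issuer_name=issuer_name,
        value=rest,
    )


@dataclass
class Profile:
    account_name: str
    preferred_name: str
    email: str


# Constructed from the two profiles quoted in the post.
PROFILES = [
    Profile("DOMAIN.COM\\jamesh", "James Hanson", "jamesh@domain.com"),
    Profile("i:05.t|am-wsfed-isp|jamesh@domain.com", "jamesh@domain.com", ""),
]


def match_federated_profile(federated: Profile,
                            candidates: List[Profile]) -> Optional[Profile]:
    """Return the synchronized profile whose e-mail equals the federated
    identity's e-mail claim value (the matching the post expects)."""
    claim = decode_claim(federated.account_name)
    if not claim.is_identity or claim.claim_type != "emailaddress":
        return None
    for cand in candidates:
        if cand is federated or not cand.email:
            continue
        if cand.email.casefold() == claim.value.casefold():
            return cand
    return None


def find_duplicate_profiles(profiles: List[Profile]) -> List[Tuple[str, str]]:
    """List (federated account, synchronized account) pairs that denote one user."""
    pairs = []
    for prof in profiles:
        if not prof.account_name.startswith(("i:", "c:")):
            continue   # plain DOMAIN\user from the AD sync, not an encoded claim
        try:
            twin = match_federated_profile(prof, profiles)
        except ValueError:
            continue   # unparsable account name; skip rather than guess
        if twin is not None:
            pairs.append((prof.account_name, twin.account_name))
    return pairs


if __name__ == "__main__":
    for fed, synced in find_duplicate_profiles(PROFILES):
        print(f"duplicate: {fed} -> {synced}")
```

Run against a profile export, the duplicate list is the set of users who will land on a permission-less "federated profile" as described in the post; the claim type reported by `decode_claim` for the federated account is what has to agree with the identifier claim mapped in the trusted provider configuration before SharePoint will resolve the two to one user.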