Using LDAPCP with a federated login, authorization problem

[henrik-s-johansson]

Many thanks for providing LDAPCP. We would like to understand if LDAPCP can be used for this use case as we have been struggling a bit and we seem to fall short in getting this to work as per our requirements.

We would like to establish two SharePoint 2019 on-prem web applications in a separate IT-infrastructure with a separate AD (out-of-band sync of accounts/groups). Users will be authenticated via an IdP. For security reasons we would like to limit usage to specific AD security groups.

We would like to have these AD security groups:
WebApp1Owners : Only users in this AD group shall be able to create sites on WebApp1
WebApp1Users : It shall only be possible to invite users with this AD group to a site on WebApp1 – consequently only these users shall be available in the people picker
WebApp2Owners : Only users in this AD group shall be able to create sites on WebApp2
WebApp2Users : It shall only be possible to invite users with this AD group to a site on WebApp2 – consequently only these users shall be available in the people picker

We have successfully configured the authentication and the claim mapping so users can login to Sharepoint
but we're still facing issues when SharePoint need to resolve group membership in the AD security groups.
We are also unable to configure the people picker so it also shows users according to the selected groups.

We did try to supply the AD groups for the user in the token but that didn't work out either.

So, is there anybody in this forum that could verify that LDAPCP SE is capable of this or should we go for something else?

Thanks in advance!

[Yvand]

Meeting your requirements is not possible without customizing LDAPCP, by inheriting the LDAPCP base class to create your own custom claims provider and implements your needs.
Doing this is possible, but requires good knowledge on SharePoint solution development. Are you willing to do this?