The People Picker control is a central component in Microsoft SharePoint Server that is used to search for and select users and groups when a resource owner assigns permissions. By default, when a SharePoint web application is configured to use SAML token-based authentication (“SAML claims”), every query entered in the People Picker is displayed as if it had been resolved, regardless of whether it corresponds to a real user or group. This is a significant usability problem for SharePoint users and administrators, particularly in collaboration-oriented deployments where potentially every user can edit file and library permissions through the People Picker.
To address this issue, Microsoft recommends building a custom claims provider that implements search and name resolution. The Ping Identity Custom Claims Provider for SharePoint is such an implementation: it connects to one or more LDAP user stores or domains to answer search and name resolution queries.
This custom claims provider is associated with a Trusted Login Provider in SharePoint (referred to in the Management Shell as a Trusted Identity Token Issuer), such as one configured to accept inbound SAML claims from PingFederate for one or more SharePoint web applications. Once associated, the People Picker behaves much as it does with classic-mode authentication: users and groups in Active Directory are available for search, name resolution, and attribute listing.
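As an added example that is not part of the original page or of the Ping Identity product, the following SharePoint Management Shell script audits which Trusted Identity Token Issuers have a custom claims provider associated and associates a registered provider with one of them. It assumes a farm where the provider is already deployed and registered, that the provider's display name matches the name it registered under, and uses the placeholder `<CustomClaimProviderDisplayName>` for that name.

```powershell
# Added example (not the page's or the product's own code).
# Assumptions: run in the SharePoint Management Shell on a farm server with
# farm-admin rights; the custom claims provider is already deployed and
# registered, so Get-SPClaimProvider lists it; its DisplayName matches the
# name it registered under. "<CustomClaimProviderDisplayName>" is a placeholder.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Report every Trusted Identity Token Issuer and whether a claims provider
# is associated with it. An empty ClaimProviderName means the People Picker
# keeps the default SAML-claims behaviour: any typed value is shown as resolved.
function Get-TrustedIssuerClaimProviderStatus {
    foreach ($issuer in Get-SPTrustedIdentityTokenIssuer) {
        [pscustomobject]@{
            Issuer            = $issuer.Name
            ClaimProviderName = $issuer.ClaimProviderName
            HasCustomProvider = -not [string]::IsNullOrEmpty($issuer.ClaimProviderName)
        }
    }
}

# Associate a registered custom claims provider with one issuer so that the
# People Picker validates entries against the provider's LDAP stores.
function Set-TrustedIssuerClaimProvider {
    param(
        [Parameter(Mandatory)][string]$IssuerName,
        [Parameter(Mandatory)][string]$ProviderDisplayName
    )
    # Refuse to point the issuer at a provider that is not registered in the farm.
    $provider = Get-SPClaimProvider | Where-Object { $_.DisplayName -eq $ProviderDisplayName }
    if (-not $provider) {
        throw "Claims provider '$ProviderDisplayName' is not registered in this farm."
    }
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $issuer.ClaimProviderName = $provider.DisplayName
    $issuer.Update()
}

# Usage: list the current state, then associate the provider with one issuer.
Get-TrustedIssuerClaimProviderStatus | Format-Table -AutoSize
# Set-TrustedIssuerClaimProvider -IssuerName "PingFederate" `
#     -ProviderDisplayName "<CustomClaimProviderDisplayName>"
```

Re-run the status function after the association to confirm `HasCustomProvider` is now true for the issuer.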