I have a web application where in the Internet zone I have one custom Trusted Identity Provider defined (this is the only authentication provider for this zone) called "ADFS authentication provider". In ADFS, we have one relying party trust defined with that SharePoint web application. Also in ADFS, we have two claim provider trusts defined:
- one with AD (default ADFS claim provider)
- one with an external identity provider
The users are able to log in via the ADFS login page using both authentication providers, so this part is working fine. However, when I go to Central Admin, select that zone, click Add User (to assign some permissions), go to People Picker and click on the Browse icon, I get the following error message:
"An error has occurred in the claims provider configured from this site collection"
I can still type in the username and click the checkmark icon, but then I get "no exact match was found". I can then right-click that username
- <smith> [ADFS authentication provider]
- <smith> [ADFS authentication provider]
That is, the exact same username with the exact same authentication provider shows up twice.
In the Sharepoint log file I see the following message:
An exception occurred in ADFS Authentication Provider claim provider when calling SPClaimProvider.FillHierarchy(): An item with the same key has already been added
So, it looks like SharePoint is adding the same authentication provider twice. Where is this duplicate coming from? I know that SharePoint has been configured to trust ADFS (trust name is "ADFS authentication provider"), and in ADFS there are two claim provider trusts (one with AD and one with an external identity provider). So is SharePoint detecting that there are 2 identity providers in ADFS? I doubt it, but I can't figure out what's causing this duplicate.
More info:
After some further investigation, I figured out why there was a duplicate. Initially, when I ran the PowerShell commands to create a trusted identity token issuer, I specified two claims, like this:
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "EmailAddress" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$emailClaimMapAD = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddressAD" -SameAsIncoming
Later on I realized that this was not correct, so I removed this trusted identity token issuer and ran the PowerShell commands again, but this time I only had one claim:
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "EmailAddress" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
However, it looks like that old extra mapping EmailAddressAD is still somewhere in SharePoint, and that's what's causing the duplicate entries. I figured it out because when I saw the duplicate entries in People Picker and actually selected one of the entries and then the other one, one of them said "EmailAddress" when I hovered my mouse over it and the other one said "EmailAddressAD".
The question is: how do I remove that EmailAddressAD? I don't want it anymore. Is this information about the claims stored in the content or configuration database? If it's in the content database, I guess I could restore it from backup from before I created this trusted identity token issuer.
thanks,
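The claim-type mappings of a trusted identity token issuer live on the SPTrustedLoginProvider object in the farm configuration database, not in a content database, so they can be inspected and corrected with the SharePoint cmdlets rather than by restoring content. The following script is an added example written for this page, not code from the original post; it reads the issuer named in the post, flags mappings that share the same local claim type (the two mappings quoted above both map to the emailaddress claim, which is the kind of duplicate key FillHierarchy complains about), and removes a mapping by its display name with Remove-SPClaimTypeMapping. The issuer name, the display name "EmailAddressAD" and the property names used for filtering are taken from the post and the SPTrustedClaimTypeInformation object; run it on a farm server under an account with farm administration rights.

```powershell
# Added example (not from the original post): inspect and clean up the claim-type
# mappings stored on a SharePoint trusted identity token issuer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName       = "ADFS authentication provider"   # issuer name from the post
$staleDisplayName = "EmailAddressAD"                 # mapping the post wants removed

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $ti) { throw "Trusted identity token issuer '$issuerName' not found." }

# 1. Show every mapping currently persisted on the issuer (config database).
Write-Host "Current claim-type mappings on '$issuerName':"
$ti.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim |
    Format-Table -AutoSize

# 2. Flag mappings that resolve to the same local claim type. Two entries keyed
#    on one local claim is what surfaces as "An item with the same key has
#    already been added" in SPClaimProvider.FillHierarchy() and as the doubled
#    people-picker result.
$ti.ClaimTypeInformation |
    Group-Object MappedClaimType |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("Local claim type '{0}' is mapped {1} times: {2}" -f
            $_.Name, $_.Count, (($_.Group | ForEach-Object { $_.DisplayName }) -join ", "))
    }

# 3. Locate the stale mapping by display name and remove it.
$stale = @($ti.ClaimTypeInformation | Where-Object { $_.DisplayName -eq $staleDisplayName })

if ($stale.Count -eq 0) {
    Write-Host "No mapping with display name '$staleDisplayName' on '$issuerName'."
}
else {
    foreach ($mapping in $stale) {
        if ($mapping.IsIdentityClaim) {
            # The mapping that carries the identity claim cannot simply be dropped;
            # the issuer would have to be re-pointed at another identity claim first.
            Write-Warning "'$($mapping.DisplayName)' is the identity claim; not removing it."
            continue
        }
        Remove-SPClaimTypeMapping -Identity $mapping -TrustedIdentityTokenIssuer $ti -Confirm:$false
        Write-Host "Removed mapping '$($mapping.DisplayName)' ($($mapping.InputClaimType))."
    }

    # 4. Re-read the issuer to confirm the change was persisted.
    Write-Host "Mappings after cleanup:"
    (Get-SPTrustedIdentityTokenIssuer -Identity $issuerName).ClaimTypeInformation |
        Select-Object DisplayName, InputClaimType, MappedClaimType |
        Format-Table -AutoSize
}
```

Step 2 is worth running on its own before removing anything: if the duplicate-key warning names two mappings that both point at the emailaddress local claim, the surplus one is the entry to remove, and step 4 then verifies the people picker's view of the issuer matches what was intended.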