Channel: SharePoint 2010 - Setup, Upgrade, Administration and Operations forum

Access denied managing user profiles from Tenant Administration


Hello,

I'm configuring a multi-tenant SharePoint 2010 environment.

I have a SharePoint 2010 server in an Active Directory domain that represents a hosting provider. There are two more Active Directory domains with ADFS 2.0 installed. Each domain represents an external client.

I’ve created two web applications in SharePoint. I’ve configured the web applications to use claims authentication and ADFS. It works like a charm. Users in external domains can log on to the sites with their domain credentials.



I've configured multi-tenancy following the steps indicated in http://www.harbar.net/articles/sp2010mt4.aspx. It works well. Concretely, I've performed the following steps:

  • Enable self-service site creation.
  • Create subscriptions.
  • Add the site collections to the subscriptions
  • Create a SubscriptionSettings Service Application and Proxy
  • Create the Tenant Admin Site for each site group

The problem was configuring the User Profile Application. I’m following a mix of the instructions indicated here: http://blogs.msdn.com/b/vijgang/archive/2010/05/10/sharepoint-2010-user-profiles-steps-to-partition-the-user-profiles-service-application.aspx and here: http://www.harbar.net/articles/sp2010mt5.aspx.
Concretely, I've performed the following steps:

  • Create a partitioned UPA & Proxy.
  • Start User Profile Synchronization. It works well.
  • Assign subscriptions to the User Profile Application Proxy. After that I can see the two tenants fine.
  • Create the UPA connections.
  • Assign the OUs to the subscriptions.
  • Start the synchronization. The number of profiles imported is as expected.

After this point all seems to work well. The problem is access to user profiles from the Tenant Administration site. I can access the Tenant Administration site fine by claims authentication (using ADFS). I can, for example, create sites without any problem. However, when I click on “Manage User Profile Application”, it tries to authenticate by ADFS, an access denied message appears, and it offers to let me sign in as a different user.

I think the problem is that the users authenticated by claims (ADFS) cannot access the UPA. I’ve tried to assign permissions in the UPA to these users, but I can’t assign permissions to claims-based users in the UPA. Only domain credentials are allowed.

Any idea? I’m on the final steps of this long configuration (or so I hope…), and I’m anxious to finish it.

Thanks,


Raul

