0
votes

I’m working on a project to create a security web application and STS using WIF and everything is working correctly except for in an instance where I want to return only the nameidentifier for an identity.

In this instance, I get the following SamlAssertion error: “A SamlAssertion requires at least one statement”

Now here’s the odd bit – I’m using the standard xmlsoap schema definition for nameidentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) and it’s only when just this claim is sent that the error occurs.

If I send (for example) http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email or one I’ve made up, it all works – it even works if you change the casing on the nameidentifier claim (works with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameIdentifier)!

Is it possible that nameidentifier is a keyword in SAML or WIF and therefore cannot be the only claim sent across? WIF clearly allows a single claim to be sent, just not the nameidentifier on its own.

2 Answers

0
votes

Is it possible that nameidentifier is a keyword in SAML or WIF

Yes. In SAML token formats, you have a separate subject concept (something that uniquely identifies the entity) and attribute concept (information about the entity).

The WIF model represents all of this stuff as claims. Most claims are mapped to SAML Attributes when you write them to a SAML token, however nameidentifier is special and it gets written as a Subject.

But it looks like you're producing a SAML token with an AttributeStatement that's completely empty. Can you confirm? Are you using any kind of custom token handler?

I'm not certain, but I presume that by default when WIF encounters a ClaimsIdentity with just a nameidentifier claim, it should be writing this claim as a SAML Subject under both the AuthenticationStatement as well as the AttributeStatement, so the error you're getting shouldn't occur.

0
votes

Personally I've never used the NameIdentifier claim. The user name should be passed using the Name type (the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name).

I confirm your observation - you can't have the NameIdentifier (whatever it is) as a sole claim but you CAN of course have the Name as the sole claim.
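To make the behaviour both answers describe concrete, here is an added example that is not code from the question, the answers, or WIF itself. It is a small Python model of the mapping the first answer describes (the nameidentifier claim becomes the saml:Subject, every other claim becomes a saml:Attribute in one AttributeStatement) together with the SAML 1.1 schema rule that an Assertion must carry at least one statement and an AttributeStatement at least one Attribute. The claim-type URIs are the ones from the thread; the exact-match test on the claim type, the split of a claim type into AttributeNamespace/AttributeName at the last slash, and the error message are assumptions about WIF's Saml11SecurityTokenHandler, not its source. The `with_name_claim` helper is a hypothetical name for the workaround in the second answer (send a Name claim as well).

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Claim-type URIs quoted in the thread.
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
# Same URI with different casing, as tried in the question.
NAME_IDENTIFIER_MIXED_CASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameIdentifier"


class SamlAssertionError(ValueError):
    """Raised when the claim set cannot produce a schema-valid SAML 1.1 assertion."""


def _q(local_name):
    return "{%s}%s" % (SAML_NS, local_name)


def build_saml11_assertion(claims):
    """Model (assumption, not WIF's code) of how a list of (claim_type, value)
    pairs is written into a SAML 1.1 assertion.

    - The first claim whose type is exactly NAME_IDENTIFIER becomes
      Subject/NameIdentifier. The comparison is case-sensitive, so the
      mixed-case URI from the question is treated as an ordinary attribute.
    - All remaining claims become saml:Attribute elements in one AttributeStatement.
    - SAML 1.1 requires at least one statement per Assertion and at least one
      Attribute per AttributeStatement, so a subject with nothing left to put in
      an Attribute cannot be serialised.
    """
    subject_value = None
    attributes = []
    for claim_type, value in claims:
        if claim_type == NAME_IDENTIFIER and subject_value is None:
            subject_value = value
        else:
            attributes.append((claim_type, value))

    if not attributes:
        # Nothing would go into the AttributeStatement, and no other statement
        # type is being produced, so the assertion would have no statement at all.
        raise SamlAssertionError("A SamlAssertion requires at least one statement")

    assertion = ET.Element(_q("Assertion"), {"MajorVersion": "1", "MinorVersion": "1"})
    statement = ET.SubElement(assertion, _q("AttributeStatement"))
    subject = ET.SubElement(statement, _q("Subject"))
    if subject_value is not None:
        ET.SubElement(subject, _q("NameIdentifier")).text = subject_value
    for claim_type, value in attributes:
        namespace, _, name = claim_type.rpartition("/")
        attr = ET.SubElement(statement, _q("Attribute"),
                             {"AttributeName": name, "AttributeNamespace": namespace})
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return assertion


def summarize(assertion):
    """Return the subject NameIdentifier text (or None) and the attribute names."""
    subject = assertion.find("./%s/%s/%s" % (_q("AttributeStatement"), _q("Subject"), _q("NameIdentifier")))
    names = [a.get("AttributeName") for a in assertion.iter(_q("Attribute"))]
    return {"subject": None if subject is None else subject.text, "attributes": names}


def describe(claims):
    """'ok' when the claim set serialises, otherwise the error text."""
    try:
        build_saml11_assertion(claims)
        return "ok"
    except SamlAssertionError as exc:
        return str(exc)


def with_name_claim(claims):
    """Hypothetical workaround from the second answer: always also send a Name
    claim, copying the nameidentifier value when no Name claim is present."""
    if any(claim_type == NAME for claim_type, _ in claims):
        return list(claims)
    subject_values = [v for t, v in claims if t == NAME_IDENTIFIER]
    return list(claims) + [(NAME, subject_values[0] if subject_values else "")]


if __name__ == "__main__":
    # Constructed sample claim sets mirroring the four cases in the question.
    cases = {
        "nameidentifier only": [(NAME_IDENTIFIER, "user-123")],
        "nameidentifier + email": [(NAME_IDENTIFIER, "user-123"), (EMAIL, "user@example.invalid")],
        "name only": [(NAME, "user-123")],
        "nameIdentifier (mixed case) only": [(NAME_IDENTIFIER_MIXED_CASE, "user-123")],
    }
    for label, claims in cases.items():
        print("%-34s -> %s" % (label, describe(claims)))
    fixed = with_name_claim(cases["nameidentifier only"])
    print(ET.tostring(build_saml11_assertion(fixed), encoding="unicode"))
```

Running it reproduces the pattern from the thread: only the exact nameidentifier URI on its own fails, because it is consumed by the Subject and leaves the AttributeStatement with no Attribute; the mixed-case URI, an email claim, or a Name claim all survive as Attributes and the assertion serialises. The last line shows the assertion produced once a Name claim is added alongside the nameidentifier.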