ADFS does not pass NameID

5
votes

Here is the way authentication is set up. - Client Browser sends the request (URL below) to client's ADFS server, - Client ADFS then look at the nested relay state and forward the request to our ADFS server. - Our ADFS look at the request and send the request to our APP.

URL is here.

https://clientadfs.clientdomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2ouradfs.ourdomain.com%2Fadfs%2Fls%2F%26RelayState%3DRPID%3Dhttps%3A%2F%2ourapp.ourdomain.com%2Fvaruna%2Fconsole%2Fsso.aspx%3FsamISso%26lang%3Den_CA

The request produces a blank page with no error on the ADFS server.

I got the fiddler trace the client. Client uses users' email address to identify the users. I can see in the SAML token sent to Client's ADFS has this email address. This SAML token goes to our ADFS server and I see the SAML response that come out of our ADFS server. This however does not have the user email address. I think that is the problem.

On our ADFS server, I have this Client's claim (on Claims Provider Trust) to handle user ID (which is their email):

Claim Rule name: Email Incoming Claim type: Name ID Incoming Name ID format: Email Outgoing Name ID format: Email Pass through all claim values.

Here is the claim in Claim Rule Language

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(Type = "Email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

On client's ADFS config, this is their email/Userid configuration:

IssuanceTransformRules               : @RuleTemplate = "LdapClaims"
                                       @RuleName = "Pass email"
                                       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccou
                                       ntname", Issuer == "AD AUTHORITY"]
                                        => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/20
                                       05/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

I have no idea what I am doing wrong. Can anyone spot my issue? or can you suggest where I should look at?

Thanks for your help!

  • RM
1
adfs2.0

1 Answers

4
votes

"to handle user ID (which is their email)"

So is the SAML assertion an assertion for a type of email or for a type of userID? i.e. what is the assertion name for this attribute.

On the ADFS side. to transform an email claim it expects a type of "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Update

You need to transform NameId to email. NameId also has an "Incoming name ID format" which I'm guessing is "email". You need to verify this in the SAML metadata.

So your claim rule should look like:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Update 1

ADFS supports:

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

so the format can either be emailAddress, persistent or transient.

Try the Transform rule with all three formats and see.

Also, what claims is your application getting? You can dump them out via How to: Access Claims in an ASP.NET Page.