0
votes

I am attempting to get ADFS working with ASP.NET 4.5.2 and multiple domains. As long as the ADFS server transforms the claim from "upn" to "name", everything functions correctly. However, that is not possible with multiple AD forests, so I must perform the transform on the Web Server. Using this Web.Config entry is supposed to force that transform.

<securityTokenHandlers>
  <add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <samlSecurityTokenRequirement>
      <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    </samlSecurityTokenRequirement>
  </add>
</securityTokenHandlers>

When I debug, I find that Thread.CurrentPrincipal.Identity.NameClaimType is still set to the default http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.

It would be useful if I could determine in C# what active SecurityTokenHandler is being used.

The documentation for ADFS is inconsistent. What am I missing here?

1
I would capture events and get into more details. Refer to msdn.microsoft.com/en-us/library/… - Dhanuka777
You can have a local claims authentication manager that fires upon token resolution and there you rewrite claims according to your needs once. - Wiktor Zychla
That documentation references .NET 3.5, which is completely different. - user306031

1 Answer

0
votes

The issue was that in our test environment ADFS was configured to return SAML 2.0 tokens and in production SAML 1.1 tokens. So the configuration for Saml2SecurityTokenHandler was not even firing.

I discovered the issue by trying to configure SamlSecurityTokenHandler and the transform was successful.
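The answer's root cause (the config entry landed on the SAML 2.0 handler while ADFS issued SAML 1.1 tokens) is exactly what the question's "which SecurityTokenHandler is active?" check would have exposed. The following is an added example, not code from the question or answer: it enumerates the handlers WIF 4.5 registered and pins NameClaimType to upn on both the SAML 1.1 and SAML 2.0 handlers, so the web-server-side transform works whichever token version an environment's ADFS returns. It assumes a Global.asax code-behind and the System.IdentityModel / System.IdentityModel.Services assemblies referenced by the question's config.

```csharp
using System;
using System.Linq;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Global.asax.cs (assumed location): list the SAML handlers WIF 4.5 registered and pin the
// upn -> name mapping on both, whichever SAML version (1.1 or 2.0) ADFS happens to issue.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.FederationConfigurationCreated += (s, args) =>
        {
            var handlers = args.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
            foreach (string line in DescribeHandlers(handlers))
                System.Diagnostics.Trace.WriteLine(line);   // which handler owns which token type
            PinNameClaimTypeToUpn(handlers);
        };
    }

    // The SamlSecurityTokenRequirement of the SAML 1.1 or SAML 2.0 handler, else null.
    static SamlSecurityTokenRequirement SamlRequirementOf(SecurityTokenHandler h)
    {
        var saml11 = h as SamlSecurityTokenHandler;
        if (saml11 != null) return saml11.SamlSecurityTokenRequirement;
        var saml2 = h as Saml2SecurityTokenHandler;
        return saml2 != null ? saml2.SamlSecurityTokenRequirement : null;
    }

    // One line per handler: CLR token type, accepted token-type URIs, NameClaimType in force.
    // Only the handler matching the token ADFS actually sends ever runs, so this shows
    // whether a <securityTokenHandlers> entry landed on the handler that is used.
    public static string[] DescribeHandlers(SecurityTokenHandlerCollection handlers)
    {
        return handlers.Select(h =>
        {
            var req = SamlRequirementOf(h);
            return string.Format("{0} accepts [{1}] NameClaimType={2}", h.TokenType.Name,
                string.Join(", ", h.GetTokenTypeIdentifiers() ?? new string[0]),
                req != null ? req.NameClaimType : "(n/a)");
        }).ToArray();
    }

    // Apply the upn -> name transform on the web server, for both SAML handlers at once.
    public static void PinNameClaimTypeToUpn(SecurityTokenHandlerCollection handlers)
    {
        foreach (var req in handlers.Select(SamlRequirementOf).Where(r => r != null))
            req.NameClaimType = ClaimTypes.Upn;
    }
}
```

With trace output enabled, the DescribeHandlers lines show the SAML 1.1 handler still carrying the default name claim type in an environment where only the Saml2SecurityTokenHandler entry was configured, which is the mismatch the answer describes.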