This problem is perplexing me. I just can't seem to get the nameidentifier claim in my C# code after the user has authenticated. This is a .NET 4.5 Web Forms site. The only claim I can get is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
It's easy to iterate through the claims, and there is just one available. Looking at the trace, there is clearly a nameidentifier claim coming through; however, it's just not accessible in my code when iterating through ClaimsPrincipal.Current.Claims or ClaimsPrincipal.Current.Identities[].Claims.
Here is the trace example:
<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information">
<Description>Setting Thread.CurrentPrincipal from session token.</Description>
<AppDomain>/LM/W3SVC/2/ROOT/qat-5-131009300157520403</AppDomain>
<ClaimsPrincipalTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/ClaimsPrincipalTraceRecord">
<ClaimsPrincipal Identity.Name="Adfs">
<ClaimsIdentity Name="Adfs" Label="" RoleClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<Claim Type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="something"/>
<Claim Type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="Adfs"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="Adfs.email@somewhere"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" ValueType="http://www.w3.org/2001/XMLSchema#dateTime" Value="2016-02-26T01:53:04.289Z"/>
</ClaimsIdentity>
</ClaimsPrincipal>
</ClaimsPrincipalTraceRecord>
</TraceRecord>
My code can return the Identity and one claim for the name. But the role claim (which contains an email address) and the nameidentifier claim are just not there. There is just one claim.
I've gone through everything. My app is just the simple single page test app. Nothing interesting, nothing configured to drop some claims or anything.
Can anyone suggest where I should look, or anything that I can do to get the nameidentifier (or any other claims)?
I can't understand why they are showing in the trace, but are not available in my application. I thought they would just be in one of the Claims collections available under ClaimsPrincipal.Current or in one of the ClaimsPrincipal.Current.Identities (there is just one identity matching the trace output).
Any help really appreciated; I have little hair left! Thanks in advance.
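A diagnostic to narrow this down, added here as an example and not code from the original post. The trace record says "Setting Thread.CurrentPrincipal from session token", so the first thing worth checking is whether the principal the page code reads is the same object the module populated. ASP.NET code can reach a principal through three doors (Thread.CurrentPrincipal, HttpContext.Current.User and ClaimsPrincipal.Current, which by default resolves to Thread.CurrentPrincipal); the helper below dumps every identity and claim behind each of them and reports whether they are the same instance, then looks up nameidentifier across all identities rather than only the first. It assumes it is called from a Page_Load or later, i.e. after the session authentication module has run; the class and method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added diagnostic helper (not from the original post). Assumes it runs inside an
// ASP.NET 4.5 request after the WIF session authentication module has set the
// principal (the "Setting Thread.CurrentPrincipal from session token" trace line).
public static class ClaimsDiagnostics
{
    // Describe every identity and every claim reachable from one IPrincipal.
    public static List<string> Describe(string source, IPrincipal principal)
    {
        var lines = new List<string>();
        var cp = principal as ClaimsPrincipal;
        if (cp == null)
        {
            // A non-claims principal here means the WIF principal was replaced or never set.
            string type = principal == null ? "null" : principal.GetType().FullName;
            lines.Add(source + ": " + type + " (not a ClaimsPrincipal)");
            return lines;
        }

        lines.Add(source + ": " + cp.GetType().FullName + ", identities=" + cp.Identities.Count());
        foreach (ClaimsIdentity identity in cp.Identities)
        {
            lines.Add("  identity Name=" + identity.Name
                      + " AuthenticationType=" + identity.AuthenticationType
                      + " IsAuthenticated=" + identity.IsAuthenticated
                      + " claims=" + identity.Claims.Count());
            foreach (Claim claim in identity.Claims)
            {
                lines.Add("    " + claim.Type + " = " + claim.Value);
            }
        }
        return lines;
    }

    // Dump all three principals a page can see. They should be the same object; if
    // they are not, the code is reading a principal set earlier than, or separately
    // from, the one shown in the trace.
    public static List<string> DumpAll()
    {
        var lines = new List<string>();
        IPrincipal fromThread = Thread.CurrentPrincipal;
        IPrincipal fromContext = HttpContext.Current != null ? HttpContext.Current.User : null;
        IPrincipal fromClaims = ClaimsPrincipal.Current;

        lines.Add("Thread.CurrentPrincipal same as HttpContext.Current.User: "
                  + object.ReferenceEquals(fromThread, fromContext));
        lines.Add("Thread.CurrentPrincipal same as ClaimsPrincipal.Current: "
                  + object.ReferenceEquals(fromThread, fromClaims));

        lines.AddRange(Describe("Thread.CurrentPrincipal", fromThread));
        lines.AddRange(Describe("HttpContext.Current.User", fromContext));
        lines.AddRange(Describe("ClaimsPrincipal.Current", fromClaims));
        return lines;
    }

    // Look up nameidentifier across every identity on the principal, not only the first.
    public static string NameIdentifierOrNull(ClaimsPrincipal principal)
    {
        if (principal == null) return null;
        Claim claim = principal.FindFirst(ClaimTypes.NameIdentifier);
        return claim == null ? null : claim.Value;
    }
}

// Usage from a test page (code-behind), with claim values HTML-encoded before they
// are written back, since they come from an external token:
//
// protected void Page_Load(object sender, EventArgs e)
// {
//     foreach (string line in ClaimsDiagnostics.DumpAll())
//         Response.Write(HttpUtility.HtmlEncode(line) + "<br/>");
//     Response.Write("nameidentifier: " + HttpUtility.HtmlEncode(
//         ClaimsDiagnostics.NameIdentifierOrNull(ClaimsPrincipal.Current) ?? "(missing)"));
// }
```

If the three dumps show different instances, or a principal that is not a ClaimsPrincipal, the page is reading a principal that was assigned before or independently of the session token (for example by code or a module that runs earlier in the pipeline). If all three match and still show a single claim, the identity was rebuilt after the trace was written, and the next place to look is whatever touches the principal between the session authentication module and the page.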