
This problem is perplexing me. I just can't seem to get the nameidentifier claim in my C# code after the user has authenticated. This is a .NET 4.5 web forms site. The only claim I can get is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

It's easy to iterate through the claims, and there is just one available. Looking at the trace clearly there is nameidentifier coming through, however it's just not accessible in my code when iterating through ClaimsPrincipal.Current.Claims or ClaimsPrincipal.Current.Identities[].Claims.

Here is the trace example:

<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information">
<Description>Setting Thread.CurrentPrincipal from session token.</Description>
<AppDomain>/LM/W3SVC/2/ROOT/qat-5-131009300157520403</AppDomain>
<ClaimsPrincipalTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/ClaimsPrincipalTraceRecord">
<ClaimsPrincipal Identity.Name="Adfs">
<ClaimsIdentity Name="Adfs" Label="" RoleClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<Claim Type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="something"/>
<Claim Type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="Adfs"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="Adfs.email@somewhere"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" ValueType="http://www.w3.org/2001/XMLSchema#string" Value="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"/>
<Claim Type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" ValueType="http://www.w3.org/2001/XMLSchema#dateTime" Value="2016-02-26T01:53:04.289Z"/>
</ClaimsIdentity>
</ClaimsPrincipal>
</ClaimsPrincipalTraceRecord>
</TraceRecord>

My code can return the Identity and one claim for the name. But the role which contains an email address and nameidentifier are just not there. There is just one claim.

I've gone through everything. My app is just the simple single page test app. Nothing interesting, nothing configured to drop some claims or anything.

Can anyone suggest where I should look or anything that I can do to get the nameidentifier (or any other claims)?

I can't understand why they are showing in the trace, but are not available in my application. I thought they would just be in one of the Claims collections available under ClaimsPrincipal.Current or in one of the ClaimsPrincipal.Current.Identities (there is just one identity matching the trace output).

Any help really appreciated, I have little hair left! Thanks in advance.

What do your ADFS claims rules look like? (rbrayb)

Hi, where would I find those? All I am configuring is the web.config, which has the three claims listed there uncommented, but those are not used by the WIF framework; I understand they are just there for the FedUtil tool. The info in the TraceRecord above shows what is being sent. I am not sure if ADFS is the authentication server as it may be something else. (Action Dan)

From the trace: <ClaimsPrincipal Identity.Name="Adfs">. You'd need to look on the ADFS side. Also, your claims look wrong, e.g. Adfs.email@somewhere is not a role, it's an email address. (rbrayb)

Hi, I am using customer data, so I have replaced the email with "somewhere" to mask the actual email address, which is correct. I am not an expert, which is why I am asking the question. Surely for the trace to give me the above claims, it must be configured correctly already? I've gone back to the customer to have them double check and they are confident those claims are being sent, and from the above trace it looks to me as if they are. Your help is really appreciated. (Action Dan)

I answered my own question. Thanks to nzpcmad, who alluded to the fact that the claims are not standard ones and that's partly why they were not showing using my code. (Action Dan)

1 Answer


I will be answering my own question. I don't have much hair left after this. The problem is possibly going to catch others out.

When using the code below to access the ClaimsPrincipal, I was using the System.IdentityModel namespace. This was giving me only one claim, although with WIF tracing enabled I could see many more claims being provided to my application.

using System.IdentityModel;
using System.Security.Claims;   // the ClaimsPrincipal type itself resolves from here in .NET 4.5
...
// .NET 4.5 claims model: only one (name) claim came back through this principal
ClaimsPrincipal claimsPrincipal = ClaimsPrincipal.Current;

The solution was just to use the following instead:

using System.Threading;               // needed for Thread.CurrentPrincipal
using Microsoft.IdentityModel.Claims; // WIF 3.5 claims model (IClaimsPrincipal)
...
// WIF 3.5 principal placed on the thread by the session-token module
IClaimsPrincipal claimsPrincipal = (IClaimsPrincipal)Thread.CurrentPrincipal;

Then, suddenly, all the other claims were available. On discovering this I have researched a little and found a few Stack Overflow articles about the differences between these two. One guy mentioned here that the Microsoft namespace is for extensions to the standard namespace that deal with Microsoft features, which would explain this. Also this answer makes the most sense to me about this as well.
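As an added example (not code from the question or the answer), a small helper written against the WIF 3.5 Microsoft.IdentityModel.Claims API that the answer switches to: it reads the nameidentifier claim by the exact claim type URI shown in the trace above and fails closed when the thread principal is not a WIF principal. The class and method names are hypothetical.

```csharp
// Added example, not from the question or answer. Hypothetical helper built on the
// WIF 3.5 claims model (Microsoft.IdentityModel.Claims); claim type URI is the one
// that appears in the ClaimsPrincipalTraceRecord above.
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // IClaimsPrincipal, IClaimsIdentity, Claim

public static class WifClaimsReader
{
    // Claim type exactly as it appears in the trace.
    const string NameIdentifier =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

    // The WIF session-token module puts a Microsoft.IdentityModel.Claims principal on
    // the thread. Cast it as such; null means some other principal type is present.
    public static IClaimsPrincipal CurrentWifPrincipal()
    {
        return Thread.CurrentPrincipal as IClaimsPrincipal;
    }

    // Value of the first claim of the given type across all identities, or null.
    public static string FirstClaim(IClaimsPrincipal principal, string claimType)
    {
        if (principal == null) return null;
        return principal.Identities
            .SelectMany(id => id.Claims)
            .Where(c => c.ClaimType == claimType)
            .Select(c => c.Value)
            .FirstOrDefault();
    }

    // Fail closed: code that needs a stable subject key should refuse to proceed when
    // nameidentifier is absent rather than fall back to the display name claim.
    public static string RequireNameIdentifier()
    {
        var value = FirstClaim(CurrentWifPrincipal(), NameIdentifier);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException(
                "nameidentifier claim missing; thread principal is " +
                (Thread.CurrentPrincipal == null
                    ? "null"
                    : Thread.CurrentPrincipal.GetType().FullName));
        return value;
    }
}
```

The single name claim seen through System.Security.Claims.ClaimsPrincipal.Current is what .NET 4.5 produces when the thread principal is not a System.Security.Claims.ClaimsPrincipal: it wraps it in a new ClaimsPrincipal whose identity carries only a name claim copied from IIdentity.Name, so the WIF 3.5 principal's other claims never appear there.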