I’m working on a project to create a security web application and STS using WIF, and everything is working correctly except in an instance where I want to return only the nameidentifier for an identity.
In this instance, I get the following SamlAssertion error:
“A SamlAssertion requires at least one statement”
Now here’s the odd bit – I’m using the standard xmlsoap schema definition for nameidentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) and it’s only when just this claim is sent that the error occurs.
If I send (for example) http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email or one I’ve made up, it all works – it even works if you change the casing on the nameidentifier claim (works with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameIdentifier)!
Is it possible that nameidentifier is a keyword in SAML or WIF and therefore cannot be the only claim sent across? WIF clearly allows a single claim to be sent, just not the nameidentifier on its own.
Upvotes: 0
Views: 769
Reputation: 8141
Is it possible that nameidentifier is a keyword in SAML or WIF
Yes. In SAML token formats, you have a separate subject concept (something that uniquely identifies the entity) and attribute concept (information about the entity).
The WIF model represents all of this stuff as claims. Most claims are mapped to SAML Attributes when you write them to a SAML token, however nameidentifier is special and it gets written as a Subject.
But it looks like you're producing a SAML token with an AttributeStatement that's completely empty. Can you confirm? Are you using any kind of custom token handler?
I'm not certain, but I presume that by default when WIF encounters a ClaimsIdentity with just a nameidentifier claim, it should be writing this claim as a SAML Subject under both the AuthenticationStatement as well as the AttributeStatement, so the error you're getting shouldn't occur.
Upvotes: 0
Reputation: 48250
Personally I've never used the NameIdentifier claim. The user name should be passed using the Name type (the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name).
I confirm your observation - you can't have the NameIdentifier (whatever it is) as a sole claim but you CAN of course have the Name as the sole claim.
Upvotes: 0
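The behaviour both answers describe can be reproduced directly against the SAML 1.1 token handler. The following is an added example, not code from the question or either answer. It assumes the .NET 4.5 WIF namespaces (System.IdentityModel.Tokens and System.Security.Claims; the Microsoft.IdentityModel 3.5 types have the same names), an invented issuer name and audience, and leaves the token unsigned because the "requires at least one statement" error is raised while the assertion's statements are built, before signing. Cases 1, 3 and 4 rest on the first answer's description (nameidentifier is written as the SAML Subject rather than as an Attribute) plus the assumption that WIF emits an AuthenticationStatement only when AuthenticationMethod and AuthenticationInstant claims are present; the "Name only" case is the second answer's observation.

```csharp
// Added example (not from the original post): reproduces the
// "A SamlAssertion requires at least one statement" failure and shows which
// claim sets do produce a statement. Issuer/audience values are made up.
using System;
using System.Globalization;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;

static class SamlStatementDemo
{
    // Builds a SAML 1.1 assertion for the given claims and reports the
    // statements WIF produced, or the exception it threw.
    static void TryBuild(string label, params Claim[] claims)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            TokenIssuerName = "urn:example:sts",   // assumed issuer name
            AppliesToAddress = "urn:example:rp",   // assumed audience
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(1))
            // SigningCredentials deliberately omitted: a real STS must sign,
            // but the statement check happens before signing.
        };

        Console.WriteLine("== " + label);
        try
        {
            var token = (SamlSecurityToken)new SamlSecurityTokenHandler().CreateToken(descriptor);
            foreach (SamlStatement statement in token.Assertion.Statements)
            {
                var subjectStatement = statement as SamlSubjectStatement;
                string subjectName = subjectStatement != null ? subjectStatement.SamlSubject.Name : null;
                Console.WriteLine("  {0}, Subject.Name = {1}",
                    statement.GetType().Name, subjectName ?? "(none)");

                var attributeStatement = statement as SamlAttributeStatement;
                if (attributeStatement != null)
                    foreach (SamlAttribute attribute in attributeStatement.Attributes)
                        Console.WriteLine("    Attribute {0}/{1}", attribute.Namespace, attribute.Name);
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine("  FAILED: " + ex.Message);
        }
    }

    static void Main()
    {
        // 1. nameidentifier only: it becomes the SAML Subject, nothing is left
        //    for an AttributeStatement and there is no AuthenticationStatement,
        //    so the assertion has zero statements and construction fails.
        TryBuild("nameidentifier only",
            new Claim(ClaimTypes.NameIdentifier, "alice"));

        // 2. nameidentifier + email: Subject.Name is set and the email lands in
        //    an AttributeStatement, so the assertion is valid.
        TryBuild("nameidentifier + email",
            new Claim(ClaimTypes.NameIdentifier, "alice"),
            new Claim(ClaimTypes.Email, "alice@example.com"));

        // 3. Name only (the second answer's approach): Name is an ordinary
        //    attribute, so there is a non-empty AttributeStatement; the Subject
        //    carries no name, only the bearer confirmation WIF adds.
        TryBuild("name only",
            new Claim(ClaimTypes.Name, "alice"));

        // 4. nameidentifier + authentication method/instant claims (assumed
        //    behaviour): WIF wraps the Subject in an AuthenticationStatement,
        //    which is the one way to issue a subject-only token.
        TryBuild("nameidentifier + authentication claims",
            new Claim(ClaimTypes.NameIdentifier, "alice"),
            new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password),
            new Claim(ClaimTypes.AuthenticationInstant,
                DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", CultureInfo.InvariantCulture),
                ClaimValueTypes.DateTime));
    }
}
```

Case 4 is the practical answer to the original question when the relying party genuinely needs nothing but the subject: the authentication claims cost nothing to add and give the assertion a statement to hang the Subject on. Keep in mind that a token whose Subject has no name (case 3) identifies the user only through the Name attribute, so a relying party that reads the SAML Subject will see an anonymous principal.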