Reputation: 3360
We have a claims aware app and use ADFS server to authenticate users that come from our partners' networks. Customers that have their own ADFS servers have no issues. Their ADFS servers send us tokens in SAML 1.0 format and all is well. We have one client that does an unsolicited SAML 2.0 post to our ADFS server. The trust relationship works, the user gets in our system, but none of the claims are coming through. All we get is this (from our app log file):
9/1/2015 7:35:44 PM: Claim type = http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod, value = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
9/1/2015 7:35:44 PM: Claim type = http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant, value = 2015-09-01T23:35:40.194Z
Comparing SAML tokens, the formatting is drastically different. For example, there is a custom claim that comes in like this in SAML 1:
<saml:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" AttributeName="customerguid" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="http://Absolut.vis-intel.net/adfs/services/trust">
    <saml:AttributeValue>8835cf46-07a6-45f7-82d9-978905b5911f</saml:AttributeValue>
</saml:Attribute>
But theirs is coming in like this:
<saml2:Attribute Name="CustomerGuid">
    <saml2:AttributeValue>b4f3dd70-ef42-4596-be76-3e3fa077d06e</saml2:AttributeValue>
</saml2:Attribute>
We're thinking maybe we need to do something with the claim rules. They looked similar to this:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/customerguid"]
=> issue(claim = c);
We added custom claim types and tried changing the claim rules to use them to grab CustomerGuid, but this made no difference:
c:[Type == "CustomerGuid"] => issue(claim = c);
Looking for any pointers on how to make this work.
Upvotes: 2
Views: 3860
Reputation: 3155
This is not due to the differences in the SAML version.
When SAML attributes are posted from the IDP, attribute names are usually qualified with a name format. This name format is missing here.
You need to either request that the customer IDP publish the claims in the required format, or use your intermediary ADFS to do a transformation to the format expected by the SP / RP.
If your relying party is expecting the name format http://schemas.xmlsoap.org/ws/2005/05/identity/claims/customerguid, then the SAML claims should be published by the IDP in the format below:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/customerguid">
    <AttributeValue>b4f3dd70-ef42-4596-be76-3e3fa077d06e</AttributeValue>
</Attribute>
For further reading, please refer to this section of the SAML specification:
Upvotes: 5
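To see why the two tokens map differently, here is an added diagnostic (not code from the question or the answer) that parses attribute statements modelled on the fragments quoted above and derives the claim type the relying party will see: a SAML 1.x attribute yields AttributeNamespace + "/" + AttributeName, while a SAML 2.0 attribute yields its Name as sent, so a bare "CustomerGuid" never matches a rule keyed on the full claim-type URI. The sample XML fragments are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed fragments modelled on the two tokens quoted in the question.
SAML1_FRAGMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="customerguid"
      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>8835cf46-07a6-45f7-82d9-978905b5911f</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

SAML2_FRAGMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="CustomerGuid">
    <saml2:AttributeValue>b4f3dd70-ef42-4596-be76-3e3fa077d06e</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/customerguid">
    <saml2:AttributeValue>b4f3dd70-ef42-4596-be76-3e3fa077d06e</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def claim_types(xml_text):
    """Return [(claim_type, value, qualified)] for every attribute in the fragment.

    SAML 1.x: the claim type is AttributeNamespace + "/" + AttributeName, so it is
    always a full URI.  SAML 2.0: the claim type is the Name exactly as sent; it is
    only 'qualified' when the IDP already put the full claim-type URI in Name."""
    root = ET.fromstring(xml_text)
    out = []
    for attr in root.findall(".//saml:Attribute", NS):
        ctype = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName")
        out.append((ctype, attr.findtext("saml:AttributeValue", namespaces=NS), True))
    for attr in root.findall(".//saml2:Attribute", NS):
        name = attr.get("Name")
        out.append((name, attr.findtext("saml2:AttributeValue", namespaces=NS), "://" in name))
    return out


def unqualified(xml_text):
    """Attribute names that will not match a claim rule keyed on a full claim-type URI."""
    return [ctype for ctype, _, ok in claim_types(xml_text) if not ok]
```

Running `unqualified(SAML2_FRAGMENT)` flags only "CustomerGuid"; the second SAML 2.0 attribute, written the way the answer recommends, resolves to the same claim type as the SAML 1.x token.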