nothingisnecessary

Reputation: 6233

Which ADFS claim maps to Identity.Name by default?

Did ADFS change recently with respect to how the upn gets mapped to User.Identity.Name in ASP.NET?

What I know:

From Microsoft:

https://msdn.microsoft.com/en-us/library/mt740689(v=vs.85).aspx

When you pass a valid security token to the AD FS Web Agent, it creates a session cookie and processes the token's claims into the session's User object. This object is derived from IPrincipal, and exposes one method, IsInRole(), with which you can query the User and determine whether that user asserts the specified role claim (using a string to specify the role).

IPrincipal also exposes one property, Identity, which returns the user's identity, represented as an IIdentity object. This object can be used by the default.aspx page to determine whether the User is authenticated (by calling IsAuthenticated()). It also allows you to determine whether the user is asserting a name claim by accessing the Name property, which returns a string representing the User's name. The snippet here illustrates the use of both of these techniques.

I have questions about this that I can't find in Microsoft docs:

  1. What specifically is meant (as in: which XML attribute or specific ADFS claim string) by "the user is asserting a name claim"? (It is ambiguous: is it the "name" claim? It reads more like "name claim", where "name" could be loosely defined as user name, and often upn is used for this, and was working in the past.)
  2. What is the exact logic used by .NET for setting User.Identity.Name when using configuration-based identity with ADFS (defined in web.config)?

Upvotes: 1

Views: 1082

Answers (1)

Matthieu

Reputation: 826

AFAIK, this "Name" logic did not change in the latest versions of the framework. As explained here for instance, by default the claim type used to populate the Identity.Name property has always been: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

So if your SAML token contains such a claim, it will be used as the "name" of the user (it is up to you to decide which AD attribute you want to put in this claim: userPrincipalName, displayName, mail, ...).

This default attribute can be overridden in code, or in your web.config. This page mentions a "<nameClaimType />" element; honestly I don't remember if it has changed in the meantime. Note: your link is really old. The "ADFS Web Agent" was something from the first version of ADFS, but it was rapidly superseded by WIF.

Upvotes: 1
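To make the default resolution described in the answer concrete, here is an added C# example (not code from the question or the answer) using System.Security.Claims, the .NET 4.5 types that WIF-based ASP.NET apps expose through User.Identity; it assumes that framework version, and the claim values are constructed. It shows that Name comes only from a claim of the configured name type (ClaimTypes.Name by default) and stays null when the token carries just a upn claim, unless the name type is overridden.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class NameClaimDemo
{
    // Constructed sample claims, as an ADFS token might carry them (hypothetical values).
    static readonly List<Claim> UpnOnly = new List<Claim>
    {
        new Claim(ClaimTypes.Upn, "alice@corp.example"),
        new Claim(ClaimTypes.Email, "alice@corp.example"),
    };

    static readonly List<Claim> WithName = new List<Claim>
    {
        new Claim(ClaimTypes.Name, "CORP\\alice"),
        new Claim(ClaimTypes.Upn, "alice@corp.example"),
    };

    public static void Main()
    {
        // Default: Name is the value of the first claim whose type is ClaimTypes.Name,
        // i.e. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name".
        var id1 = new ClaimsIdentity(UpnOnly, "Federation");
        Console.WriteLine($"upn only, default name type  -> Name = {id1.Name ?? "<null>"}");

        var id2 = new ClaimsIdentity(WithName, "Federation");
        Console.WriteLine($"name claim, default name type -> Name = {id2.Name}");

        // Override in code: treat the upn claim as the name claim. This is the
        // programmatic counterpart of the web.config override the answer mentions.
        var id3 = new ClaimsIdentity(UpnOnly, "Federation", ClaimTypes.Upn, ClaimTypes.Role);
        Console.WriteLine($"upn only, name type = upn     -> Name = {id3.Name}");

        // Defensive check: code that keys authorization or audit logging on
        // User.Identity.Name must handle a token that is authenticated but has
        // no claim of the configured name type, rather than treating null as a user.
        Console.WriteLine(id1.IsAuthenticated && string.IsNullOrEmpty(id1.Name)
            ? "authenticated but no name claim: do not use Name for lookups"
            : "name resolved");
    }
}
```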
