ACS not forwarding claims to RP
-
20 February 2555 BE 17:54
Hi,
I am using a custom STS and integrating via ACS to the application using WS-Federation.
I want to pass on some claims which I have noted in the metadata.
What I did/found is this.
1. I generated metadata for the IDP and imported it into ACS. Import was successful.
2. I mapped this IDP to a particular RP. This RP is configured to only 1 IDP, the one I mentioned above.
3. In the rule groups, I generated the default rule group for the app, and generated rules for this IDP.
4. All the claims I seek are displayed. NameIdentifier, identityprovider, name.
5. I followed the normal flow: user accesses app --> app redirects to ACS --> ACS to IDP --> IDP login, token generation, redirection to ACS --> ACS redirection to RP.
6. In this flow, when I was going through Fiddler, the claims I am referring to are going from the IDP to ACS. But in the token from ACS to RP, this claim is not present.
I even created a custom rule to see if this gets seen, but no success.
Here is what the rule group looks like...

identityprovider   SMCHD   Passthrough "identityprovider" claim from SMCHD as "identityprovider"
name   SMCHD   Passthrough "name" claim from SMCHD as "name"
nameidentifier   SMCHD   Passthrough "nameidentifier" claim from SMCHD as "nameidentifier"

So I am trying to figure out what I am missing here. The necessity is that I have to add a few more claims in the token.
Thanks and Regards, Kanduri
All replies
-
20 February 2555 BE 22:20
Can you try adding a rule that passes through all claims, and see if the claims you're looking for go through?
-
20 February 2555 BE 22:33
Hi,
I tried that. I created in the input any, and in output passthrough. But the claim I seek is not coming to RP.
Thanks and Regards, Kanduri
-
21 February 2555 BE 18:51
Very strange. WS-Federation on ACS is widely used, so I doubt the protocol itself is broken. Of note, ACS will not issue a token without any claims in it, so you must be getting something. What claims do you get on the output side? What types of tokens are you using? Can you post the relevant messages (partially redacted if necessary)?
- Marked as answer by Arwind - MSFT, Moderator, 27 February 2555 BE 2:07
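
One way to answer the questions in the last reply (which token type, which claims on the output side), as an added example that is not code from the thread or from ACS: take the `wresult` form field from the two Fiddler captures and compare the claim types they carry. It assumes both values are already URL-decoded, unencrypted SAML 1.1 or 2.0 tokens; the sample tokens and the `department` claim are constructed.

```python
import xml.etree.ElementTree as ET

SAML = {"urn:oasis:names:tc:SAML:1.0:assertion": "SAML 1.1",
        "urn:oasis:names:tc:SAML:2.0:assertion": "SAML 2.0"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

def claims_in(wresult):
    """Return (token_type, {claim_type: [values]}) for one captured wresult."""
    if "<!DOCTYPE" in wresult or "<!ENTITY" in wresult:
        raise ValueError("DTD found in token, refusing to parse")
    root = ET.fromstring(wresult)
    for ns, label in SAML.items():
        assertion = next(root.iter("{%s}Assertion" % ns), None)
        if assertion is None:
            continue
        claims = {}
        for attr in assertion.iter("{%s}Attribute" % ns):
            # SAML 1.1 splits the claim type over two XML attributes, 2.0 uses Name
            ctype = attr.get("Name") or "%s/%s" % (
                attr.get("AttributeNamespace"), attr.get("AttributeName"))
            for val in attr.iter("{%s}AttributeValue" % ns):
                claims.setdefault(ctype, []).append(val.text or "")
        for tag in ("NameIdentifier", "NameID"):  # subject maps to nameidentifier
            for nid in assertion.iter("{%s}%s" % (ns, tag)):
                claims.setdefault(CLAIMS + "/nameidentifier", []).append(nid.text or "")
        return label, claims
    return None, {}

def dropped_claims(idp_wresult, acs_wresult):
    """Claim types in the IdP->ACS token that are missing from the ACS->RP token."""
    return sorted(set(claims_in(idp_wresult)[1]) - set(claims_in(acs_wresult)[1]))

# Constructed sample tokens, not from the thread; "department" is a made-up claim.
def _rstr(ns, body):
    t = "http://schemas.xmlsoap.org/ws/2005/02/trust"
    return ('<t:RequestSecurityTokenResponse xmlns:t="%s"><t:RequestedSecurityToken>'
            '<a:Assertion xmlns:a="%s">%s</a:Assertion></t:RequestedSecurityToken>'
            '</t:RequestSecurityTokenResponse>' % (t, ns, body))

IDP_SAMPLE = _rstr("urn:oasis:names:tc:SAML:1.0:assertion",
    '<a:AttributeStatement><a:Subject><a:NameIdentifier>user1</a:NameIdentifier></a:Subject>'
    '<a:Attribute AttributeName="name" AttributeNamespace="%s">'
    '<a:AttributeValue>User One</a:AttributeValue></a:Attribute>'
    '<a:Attribute AttributeName="department" AttributeNamespace="http://example.test/claims">'
    '<a:AttributeValue>IT</a:AttributeValue></a:Attribute></a:AttributeStatement>' % CLAIMS)
ACS_SAMPLE = _rstr("urn:oasis:names:tc:SAML:2.0:assertion",
    '<a:Subject><a:NameID>user1</a:NameID></a:Subject><a:AttributeStatement>'
    '<a:Attribute Name="%s/name"><a:AttributeValue>User One</a:AttributeValue>'
    '</a:Attribute></a:AttributeStatement>' % CLAIMS)
```

Calling `dropped_claims(IDP_SAMPLE, ACS_SAMPLE)` lists the claim types that went into ACS but did not come out. The script only inspects captures for debugging and does not validate signatures, so it is not a substitute for the RP's own token validation.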