Using WIF, IClaimsPrincipal only gets One Claim in RP Application even if Multiple Claims are issued by STS Application

Question
-
User-2040143113 posted
Hi,
I am returning 2 Claims from the STS Application (Name & Role) but RP is only showing 1 claim (Name).
FederationMetadata.xml is issuing those two claims. What am I missing?
My STS code looks like this:
protected override IClaimsIdentity GetOutputClaimsIdentity( IClaimsPrincipal principal, RequestSecurityToken request, Scope scope )
{
    if ( null == principal )
    {
        throw new ArgumentNullException( "principal" );
    }
    ClaimsIdentity outputIdentity = new ClaimsIdentity();
    outputIdentity.Claims.Add( new Claim( System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name ) );
    outputIdentity.Claims.Add( new Claim( ClaimTypes.Role, "Manager" ) );
    return outputIdentity;
}
And from RP I am consuming Claims on load like this:
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = ( IClaimsIdentity )claimsPrincipal.Identity;
But my IClaimsIdentity contains only 1 Claim.
I need to consume all the claims that are returned from STS in my RP Application.
Thanks
Wednesday, May 28, 2014 6:41 AM
All replies
-
User1779161005 posted
In the RP do you have a claims authentication manager registered that's removing the claims?
Wednesday, May 28, 2014 7:39 AM
-
User-2040143113 posted
I couldn't find anything like authentication manager in web.config.
Could you please let me know where to find authentication manager?
Wednesday, May 28, 2014 8:30 AM
-
User1779161005 posted
Yes, it would probably be in .config. I'd suggest looking at the SAML token on the wire and inspecting what claims are really in there -- it's just XML and you should be able to capture it in your browser F12 tools as the user is redirected back from the STS to the RP.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, May 28, 2014 8:36 AM
-
User-2040143113 posted
These are the claims in SAML token:
<saml:AttributeValue>Adam Carter</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeValue>Manager </saml:AttributeValue>
</saml:Attribute>
But still I am not able to fetch "Role" Values as it doesn't appear in following code on my RP:
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = ( IClaimsIdentity )claimsPrincipal.Identity;
Thursday, May 29, 2014 2:51 AM
-
User1779161005 posted
Not sure then -- something in your WIF code could be converting/stripping the claims. You will have to debug more.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Thursday, May 29, 2014 7:34 AM
-
User-2040143113 posted
Ok...
Thanks for your time, BrockAllen
Thursday, May 29, 2014 8:02 AM
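
The check suggested in the thread (read the SAML token on the wire and compare it with what the RP shows), as an added Python example that is not from the original posts: it lists each attribute's claim type and value in a captured WS-Federation `wresult` and reports the claim types the RP did not surface. The sample token and the `RP_SEES` list are constructed, and the function names are hypothetical.

```python
import html
import xml.etree.ElementTree as ET

SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SAML20 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def claims_in_token(wresult):
    """Return [(claim_type, value)] for each SAML attribute in a captured wresult."""
    text = wresult.strip()
    if text.startswith("&lt;"):  # copied still HTML-escaped from the hidden form field
        text = html.unescape(text)
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("token contains a DTD; refusing to parse it")
    root = ET.fromstring(text)
    claims = []
    for attr in root.iter(SAML11 + "Attribute"):
        # SAML 1.1 splits the claim type into AttributeNamespace and AttributeName.
        ctype = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims += [(ctype, v.text or "") for v in attr.iter(SAML11 + "AttributeValue")]
    for attr in root.iter(SAML20 + "Attribute"):
        # SAML 2.0 carries the whole claim type in Name.
        claims += [(attr.get("Name", ""), v.text or "") for v in attr.iter(SAML20 + "AttributeValue")]
    if not claims and any(e.tag.endswith("}EncryptedData") for e in root.iter()):
        raise ValueError("token is encrypted; attributes are not visible on the wire")
    return claims

def missing_at_rp(token_claims, rp_claim_types):
    """Claim types present in the token but not in the list dumped at the RP."""
    seen = set(rp_claim_types)
    return sorted({ctype for ctype, _ in token_claims if ctype not in seen})

# Constructed sample: attribute names and namespaces are assumed (the WIF URIs
# for ClaimTypes.Name and ClaimTypes.Role); only the two values come from the thread.
SAMPLE = """
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:AttributeStatement>
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Adam Carter</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>Manager </saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
</t:RequestSecurityTokenResponse>
"""
RP_SEES = ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]  # as dumped at the RP

if __name__ == "__main__":
    found = claims_in_token(SAMPLE)
    for ctype, value in found:
        print(f"{ctype} = {value!r}")  # repr() exposes stray whitespace in values
    print("in token but not at RP:", missing_at_rp(found, RP_SEES))
```

A claim type that appears in the token but not at the RP points at RP-side processing rather than at the STS.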