
OK, so I'm quite new to the whole world of claims aware applications. I was able to get up and running very quickly using Azure ACS but it's been a bit of a different story when trying to use ADFS 2.0 as the identity provider (I want to actually use it as a federated provider, but for the time being I'm just trying to get a sample running using it as an identity provider).

I've been looking at the guides here and have tried to follow the AD FS 2.0 Federation with a WIF Application Step-by-Step Guide guide listed there. It takes you through setting up ADFS 2.0 along with a little claims aware sample application that you can use just to view the claims that are getting sent through.

So I can get that up and running, passing through the claims defined in the guide (just the windows account name). The problem is when I try to add any more. I can go to the relying party application in the ADFS GUI and add an Issuance Transform Rule, using the Pass Through or Filter Incoming Claim rule template. However, when I run my application, unless the added claim type is Name, it won't pass the claim through to my application.

One of the ones that I wanted passed through was the email address for the user who logged in to the application. So I added a rule to pass through the email address, then updated the web.config of the sample application to uncomment this line under the claimTypeRequired section:

<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />

Note that I'm setting it as non-optional. I also updated the federation metadata of the application to add in the following:

<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="false" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />

I then went into the ADFS GUI, went to the Relying Party Trusts and selected Update from Federation Metadata on my sample application. So it now lists the email as one of the accepted claims.

I then went into the Claims Provider Trusts and added the email claim rule into the Acceptance Transform Rules for the Active Directory provider trust (the only one listed).

When I run the app however, it's not passing through the email claim (or any others that I try). Can somebody tell me what I'm missing here?

I should also note, I ran a test to change my application to only accept the email claim rule, and not only did it not pass through the email, but it's still passing through the Windows Account Name and the Name claims, despite the fact that I don't even list them as accepted claims for my application.

If anybody could point out where I'm going drastically wrong here, it would be seriously appreciated.

After enabling logging as per the blog post before, here are the relevant entries from the log: TraceRecord Event ID 1000, "Input claims of calling principal included in details": Input claims log entry

So you can see, the information that I'm requesting is quite clearly missing. I have the logging output set to verbose but there's really nothing of any other interest. You'll see trace records for the NETWORK SERVICE user (with the same set of claims), but nothing striking. All the log entries are informational, there aren't any errors.

jacderida
  • AD FS 2.0 (which itself is based on WIF) has several log and trace options; see [blog post "Diagnostics in AD FS 2.0"](http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx) for more details. – MarnixKlooster ReinstateMonica Jul 29 '11 at 19:43
  • Thanks Marnix, I've now switched on verbose logging, and I'll edit my Question to provide the logging output. – jacderida Aug 01 '11 at 09:00
  • Did you ever solve this problem? I am running into a similar issue where my LDAP claims are not coming over at all. –  Oct 28 '16 at 14:50

2 Answers


If you are using ADFS as an Identity Provider and want it to issue an email claim, then you have to use Send LDAP Attributes as Claims or a Custom Claim Rule which accesses AD as the attribute store and issues an email claim. Pass through is used on the incoming claims, assuming the user is already authenticated somewhere. In the case of Windows Authentication, the Windows account name is issued from the Kerberos token and that's why you have to pass it through, but the others you have to issue.

Eugene S.

Does Active Directory issue E-Mail Address claims? I'm not sure how to check this, but if it doesn't, it's irrelevant that you're passing them through. In this case, you'll want to try a "Send LDAP Attributes as Claims" rule; based on what I see in my ADFS instance, try mapping the "E-Mail-Addresses" attribute to an "E-Mail Address" claim.

I had to do something similar to get UPN claims to come over, in circumstances similar to yours. I'm not sure whether it will matter that the LDAP attribute is potentially plural.

aschoonmaker
  • When you run FedUtil in studio to add an STS reference, when you point it towards the STS (ADFS 2.0 in this case), it writes the list of claims that the STS issues into your web.config, and email address is definitely one of them. So I'm not really sure what you mean when you're saying it's "irrelevant"... – jacderida Jul 30 '11 at 18:05
  • I tried this now that I'm at work, and it does pass through the email address when you use that LDAP rule, but I still don't really understand why. Also, still don't understand why it's passing me through claims that I'm not interested in. – jacderida Aug 01 '11 at 11:58
  • To clarify, I'm not sure why the email address wouldn't come through when you use "Pass Through or Filter an Incoming Claim". I've noticed in the logs that requests seem to come in from the NETWORK SERVICE user before the E-GAEL2\chriso user. Are the claims in that request considered the 'incoming' set? – jacderida Aug 01 '11 at 12:30
  • My understanding of things is that Active Directory does not issue E-mail Address claims. Adding the rule to pass an LDAP attribute as a claim takes something that Active Directory does have (an LDAP attribute) and ADFS converts it into what you want (an E-Mail Address claim). – aschoonmaker Aug 01 '11 at 20:50
  • As for why "Name" and "Windows Account Name" would still be sent, I do not know, unless you have Issuance Transform rules in your Relying Party's information in ADFS that produce or pass through such claims. – aschoonmaker Aug 01 '11 at 20:59
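The two rule styles both answers contrast, written in the AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in, as an added example that is not from the question or either answer. The relying party display name "WIF Sample App" is an assumption; the claim type URIs are the ones used on this page.

```powershell
# Added example (not from the question or answers). Assumes the AD FS 2.0
# snap-in is installed and the relying party trust is named "WIF Sample App".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "WIF Sample App"   # assumed display name of the relying party trust

# Rule 1: pass-through only forwards claims already in the pipeline. With
# Windows authentication the only claim AD issues is windowsaccountname, so a
# pass-through rule for emailaddress matches nothing and issues nothing.
$passThroughRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Rule 2: "Send LDAP Attributes as Claims", the rule the answers recommend.
# It looks up the 'mail' attribute of the authenticated account in the
# Active Directory attribute store and issues it as the emailaddress claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue e-mail address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Replace the trust's issuance transform rules with exactly these two, so no
# leftover rule keeps emitting Name or other claims the application never
# listed as accepted (the surprise noted in the comments above).
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($passThroughRule + "`n" + $ldapRule)

# Verify: show the active rules and the claims the trust accepts from its metadata.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.ClaimsAccepted | Select-Object ClaimType
```

Compare the output of `$rp.IssuanceTransformRules` against `ClaimsAccepted`: every claim type issued should be one the relying party declared, which keeps the token to the minimum the application needs.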