I am attempting to understand the world of WIF in context of a WCF Data Service / REST / OData server. I have a hacked up version of SelfSTS that is running inside a unit test project. When the unit tests start, it kicks off a WCF service, which generates my SAML token. This is the SAML token being generated:
<saml:Assertion MajorVersion="1" MinorVersion="1" ... >
  <saml:Conditions>...</saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="EMAIL">4bd406bf-0cf0-4dc4-8e49-57336a479ad2</saml:NameIdentifier>
      <saml:SubjectConfirmation>...</saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>bob</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature>...</ds:Signature>
</saml:Assertion>
(I know the Format of my NameIdentifier isn't really EMAIL, this is something I haven't gotten to cleaning up yet.)
Inside my actual server, I put some code borrowed from Pablo Cibraro / Cibrax. This code seems to run A-OK, although I confess that I don't understand what's happening. I note that later in my code, when I need to check my identity, Thread.CurrentPrincipal.Identity is an instance of Microsoft.IdentityModel.Claims.ClaimsIdentity, which has a claim for all the attributes, plus a nameidentifier claim with the value in my NameIdentifier element in saml:Subject. It also has a property NameClaimType, which points to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name". It would make more sense if NameClaimType mapped to nameidentifier, wouldn't it? How do I make that happen? Or am I expecting the wrong thing of the name claim?
Thanks!
The value of the NameClaimType can be specified in the Web.config, allowing you to make it whatever you find most fitting to use as IIdentity.Name.
http://msdn.microsoft.com/en-us/library/system.security.claims.claimsidentity.nameclaimtype.aspx says
The NameClaimType property specifies the claim type (Claim.Type) that is used to provide the name for this identity. The name is accessed through the Name property.
And http://msdn.microsoft.com/en-us/library/ee517298.aspx states
ClaimsIdentity.NameClaimType. The NameClaimType property is intended to be used on the receiving side to choose which claim value is used for IIdentity.Name.
That is to say, it allows the Name property to represent whatever makes the most sense in a given situation - that might often be the nameidentifier claim type, though in your case it is set to name.
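As an added example (not part of the question or the answer above), this is the Web.config fragment for WIF 3.5 (the Microsoft.IdentityModel assembly the question is using) that makes the SAML 1.1 handler expose the nameidentifier claim as IIdentity.Name instead of the default name claim. The handler and section type strings, including the assembly version, are assumptions for WIF 3.5 and should be checked against the installed Microsoft.IdentityModel assembly.

```xml
<configuration>
  <configSections>
    <!-- Assumed WIF 3.5 section handler; verify against the installed assembly. -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <microsoft.identityModel>
    <service>
      <securityTokenHandlers>
        <!-- Drop the default SAML 1.1 handler and re-add it with an explicit
             requirement, so the nameClaimType below takes effect. -->
        <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement>
            <!-- Default is .../claims/name, which in the token above is the
                 display name "bob". nameidentifier carries the issuer's
                 stable identifier (the GUID in saml:Subject), which is the
                 value an authorization check should key on. -->
            <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
          </samlSecurityTokenRequirement>
        </add>
      </securityTokenHandlers>
    </service>
  </microsoft.identityModel>
</configuration>
```

This only selects which already-validated claim becomes Name; the handler still has to verify the ds:Signature and trust the issuer before any claim in the assertion is used.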