Configuring SAML Assertion Subject Name and Format for a WIF STS

In some interop scenarios, the subject name and its format need to be included in the SAML token (assertion) generated by the STS. You can configure a WIF-based STS to emit both by adding a NameIdentifier claim to the output identity and setting its SAML name-identifier Format property.


// Override on the WIF SecurityTokenService subclass: build the identity whose claims
// are serialized into the issued SAML assertion.
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
    RequestSecurityToken request, Scope scope)
{
    // The NameIdentifier claim becomes <saml:NameIdentifier> in the assertion's <saml:Subject>.
    var nameIdentifierClaim = new Claim(ClaimTypes.NameIdentifier, "me@zamd.com");

    // The SamlNameIdentifierFormat property becomes the Format attribute on that element.
    nameIdentifierClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = "EMAIL";

    return new ClaimsIdentity(
        new Claim[]
        {
            // An ordinary claim; serialized as a <saml:Attribute> in the AttributeStatement.
            new Claim(System.IdentityModel.Claims.ClaimTypes.Name, "Zulfiqar"),
            nameIdentifierClaim
        });
}

This generates the following SAML assertion, in which you can see the NameIdentifier element and its Format attribute.

<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Subject>
    <saml:NameIdentifier Format="EMAIL">me@zamd.com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>Zulfiqar</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
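The override above hard-codes the subject and uses the bare string "EMAIL" as the format, which is fine for showing the mechanism but not what an STS should ship. The following is an added example (my code, not the author's or WIF's) of the same technique taken a step further: the NameIdentifier is derived from the authenticated caller's own claims, and the Format is set to the standard SAML 1.1 format URIs that relying parties typically match on. The class name SubjectAwareSts and the helper NameIdentifierFor are assumptions; the WIF types, ClaimProperties.SamlNameIdentifierFormat and the SAML 1.1 nameid-format URIs are real.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical STS class (assumed name); the page only shows the GetOutputClaimsIdentity override.
public class SubjectAwareSts : SecurityTokenService
{
    // Standard SAML 1.1 NameIdentifier format URIs. The page's sample writes the bare
    // string "EMAIL"; relying parties that check the format usually expect one of these.
    public const string EmailAddressFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    public const string UnspecifiedFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    public SubjectAwareSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Minimal scope: sign with the STS's configured credentials and reply to AppliesTo.
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = scope.AppliesToAddress;
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
        RequestSecurityToken request, Scope scope)
    {
        // Never issue a subject for an unauthenticated caller.
        var caller = principal.Identity as IClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Token requests require an authenticated caller.");

        var outputClaims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, caller.Name),   // serialized as <saml:Attribute>
            NameIdentifierFor(caller)                  // serialized as <saml:NameIdentifier>
        };
        return new ClaimsIdentity(outputClaims);
    }

    // Assumed helper: builds the NameIdentifier claim from the caller's own claims rather
    // than a constant. Prefers the caller's email claim (tagged with the emailAddress
    // format); otherwise falls back to the caller's name with the "unspecified" format.
    public static Claim NameIdentifierFor(IClaimsIdentity caller)
    {
        var email = caller.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);
        string value;
        string format;
        if (email != null && email.Value.Contains("@"))
        {
            value = email.Value;
            format = EmailAddressFormat;
        }
        else
        {
            value = caller.Name;
            format = UnspecifiedFormat;
        }
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException("Caller has no usable subject identifier.");

        var nameIdentifier = new Claim(ClaimTypes.NameIdentifier, value);
        // This property is what WIF's SAML serializer turns into the Format attribute.
        nameIdentifier.Properties[ClaimProperties.SamlNameIdentifierFormat] = format;
        return nameIdentifier;
    }
}
```

With an email claim present, the emitted Subject carries `Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"` in place of the page's `Format="EMAIL"`; when interoperating with a third-party relying party, confirm which format URI it expects, since a mismatch is a common cause of "subject not recognized" failures even though the token itself validates.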

Originally posted by Zulfiqar Ahmed on 27 April 2010 here http://zuahmed.wordpress.com/2010/04/27/configuring-saml-assertion-subject-name-and-format-for-a-wif-sts/
