Configuring SAML Assertion Subject Name and Format for a WIF STS

  • Article

In some interop scenarios, subject name and its format needs to be included in the Saml token/assertion generated by the STS. You can easily configure a WIF based STS to generate this by adding a NameIdentifier claim and by settings it’s format property.

protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,

    RequestSecurityToken request, Scope scope)

{

    var nameIdentifierClaim = new Claim(ClaimTypes.NameIdentifier, "me@zamd.com");

    nameIdentifierClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = "EMAIL";

    return new ClaimsIdentity(

        new Claim[]

        {

            new Claim(System.IdentityModel.Claims.ClaimTypes.Name, "Zulfiqar"),

            nameIdentifierClaim

        });

This generates following Saml Assertion where you can see the generated NameIdentifier & format attribute.

 <saml:AttributeStatement
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Subject>
    <saml:NameIdentifier Format="EMAIL">
      me@zamd.com
    </saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>
        urn:oasis:names:tc:SAML:1.0:cm:bearer
      </saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Attribute AttributeName="name" AttributeNamespace=
                  "https://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>Zulfiqar</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Originally posted by Zulfiqar Ahmed on 27 April 2010 here https://zuahmed.wordpress.com/2010/04/27/configuring-saml-assertion-subject-name-and-format-for-a-wif-sts/