The nameidentifier claim doesn’t load the NameID’s value on the WSFederation application

Issue


At the upstream identify provider, we return the NameID with the value for the logged user. However, this value doesn't load at the nameidentifier claim  on the WSFederation application.

Reason


This  is down to how nameid and claims are handled by WSFed/SAML. WSFed uses the default handler of .Net:
in which it ignores NameIdentifier claim because that claim is used for NameId. However, Identify has code to customize NameId using Identity bearing claim for NameId. As a result, the NameIdentifier claim isn't used anywhere.
Meanwhile, Assertion creation for SAML2 protocol is handled by our own code which doesn't ignore the NameIdentifier claim.

Soluton


You can try one of the following to get the NameID value:

  • Use NameIdentifier claim for Identity bearing claim on the authentication connection.
  • Make the mapping claim transformation to map the NameIdentifier claim to another claim then attach it to the authentication/protocol connection.