
    The nameidentifier claim doesn't load the NameID's value on the WSFederation application

    Issue

    When a user has logged in through an upstream identity provider, that provider returns a NameID value for the user. However, the nameidentifier claim on the WSFederation application does not show this NameID value.

    Reason

    This is down to how NameID and claims are handled by WS-Federation and SAML. WSFed uses the default .NET token handler:

    https://github.com/Microsoft/referencesource/blob/master/System.IdentityModel/System/IdentityModel/Tokens/Saml2SecurityTokenHandler.cs#L1139

    which skips the NameIdentifier claim when building the attribute statement, because that claim is reserved for the assertion's NameID. However, Identify has its own code that customizes the NameID using the Identity bearing claim configured for NameID, so the NameIdentifier claim is not used anywhere in the WSFed token.


    By contrast, assertion creation for the SAML 2.0 protocol is handled by Identify's own code, which does not ignore the NameIdentifier claim.
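    The default .NET handler behaviour referenced above, as an added example (not code from the Identify documentation or product): it feeds a ClaimsIdentity containing a NameIdentifier claim to System.IdentityModel's Saml2SecurityTokenHandler and reports where that claim ends up. The issuer, audience and claim values are constructed placeholders; Identify's own NameID customization is not modelled here.

```csharp
// Added example, not from the Identify docs. Requires .NET Framework 4.5+
// (System.IdentityModel). Issuer, audience and claim values are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

public static class NameIdDemo
{
    // Builds an unsigned SAML 2.0 assertion from the identity's claims and
    // returns the attribute names it carries; the Subject NameID goes to nameId.
    public static List<string> Inspect(ClaimsIdentity identity, out string nameId)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = identity,
            TokenIssuerName = "https://idp.example.test",  // placeholder issuer
            AppliesToAddress = "https://app.example.test", // placeholder audience
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
        };

        var handler = new Saml2SecurityTokenHandler();
        var token = (Saml2SecurityToken)handler.CreateToken(descriptor);
        var assertion = token.Assertion;

        // The handler moves ClaimTypes.NameIdentifier into <saml:Subject>/<saml:NameID>
        // and leaves it out of the <saml:AttributeStatement>.
        nameId = assertion.Subject.NameId == null ? null : assertion.Subject.NameId.Value;
        return assertion.Statements
            .OfType<Saml2AttributeStatement>()
            .SelectMany(s => s.Attributes)
            .Select(a => a.Name)
            .ToList();
    }

    public static void Main()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "alice@example.test"), // constructed
            new Claim(ClaimTypes.Email, "alice@example.test"),
            new Claim(ClaimTypes.Name, "Alice"),
        }, "Federation");

        string nameId;
        var attributeNames = Inspect(identity, out nameId);
        Console.WriteLine("Subject NameID: " + nameId);
        Console.WriteLine("Attributes: " + string.Join(", ", attributeNames));
        Console.WriteLine("NameIdentifier emitted as attribute: "
            + attributeNames.Contains(ClaimTypes.NameIdentifier)); // expected: False
    }
}
```

    Running this shows the email and name claims as attributes while the NameIdentifier value appears only as the Subject NameID, which is the behaviour that makes a nameidentifier claim mapped on the WSFed application come out empty.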

    Solution

    You can try one of the following to get the NameID value:

    • Use the NameIdentifier claim as the Identity bearing claim on the authentication connection.
    • Add a mapping claim transformation that maps the NameIdentifier claim to another claim, then attach the transformation to the authentication or protocol connection.