616b2f / IdentityServer4.WsFederation

Sample for implementing WS-Federation IdP support for IdentityServer4 using ASP.NET Core
Apache License 2.0
6 stars 9 forks

Set OriginalIssuer claim-attribute to IdentityServer's issuer uri. #6

Closed doeringp closed 3 years ago

doeringp commented 3 years ago

I recently adapted your sample as the WS-Federation sign-in implementation for the IdentityServer of my organization. After taking the new release to production I had a client who complained that the claim mapping doesn't work anymore on his side.

He got this error page on the client side: [image]

After some investigation I realized the problem is that the attribute a:OriginalIssuer of saml:Attribute in the WS-Federation response is set to LOCAL AUTHORITY instead of the correct issuer URI of our IdentityServer. I found out that LOCAL AUTHORITY is just the default value for this attribute in the Claim class in System.Security.Claims (see this StackOverflow).

Setting the OriginalIssuer attribute of each claim to the right issuer URI of IdentityServer solved the problem. I created this PR to share the solution with you.

Sample WS-Federation response:

Before:

```xml
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="LOCAL AUTHORITY" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
    <saml:AttributeValue>Bob Smith</saml:AttributeValue>
</saml:Attribute>
```

After:

```xml
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="http://localhost:5000" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
    <saml:AttributeValue>Bob Smith</saml:AttributeValue>
</saml:Attribute>
```

Why didn't this happen with the official sample for .NET Framework? Because the OriginalIssuer attribute wasn't there. It seems to be a new behavior that was introduced with the AzureAD IdentityModel library.
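The mechanism the PR description relies on, shown as an added example written by the editor (not the PR's own change and not code from the IdentityServer4.WsFederation sample): `Claim.Issuer` and `Claim.OriginalIssuer` are read-only, and a `Claim` built without issuer arguments gets `ClaimsIdentity.DefaultIssuer`, which is the string "LOCAL AUTHORITY" that ends up in `a:OriginalIssuer`. So the claims have to be re-created with the issuer URI before they are handed to the SAML token handler. The `ClaimIssuerFixup` class, the issuer URI `http://localhost:5000` (taken from the "After" response), and the sample claims are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Editor's example, not project code. Assumes the issuer URI is IdentityServer's
// configured IssuerUri (hard-coded placeholder below) and that the claims come from
// the ClaimsPrincipal the WS-Federation sign-in endpoint passes to the token handler.
public static class ClaimIssuerFixup
{
    // Claim.Issuer / Claim.OriginalIssuer cannot be changed after construction,
    // so every claim is rebuilt with both set to the IdentityServer issuer URI.
    public static IEnumerable<Claim> WithIssuer(IEnumerable<Claim> claims, string issuerUri)
    {
        if (string.IsNullOrWhiteSpace(issuerUri))
            throw new ArgumentException("issuer URI must be set", nameof(issuerUri));

        foreach (var claim in claims)
        {
            var rebuilt = new Claim(
                claim.Type,
                claim.Value,
                claim.ValueType,
                issuerUri,   // Issuer
                issuerUri);  // OriginalIssuer: this is what a:OriginalIssuer is written from

            // Carry over claim properties (e.g. a SAML attribute namespace) the handler may use.
            foreach (var prop in claim.Properties)
                rebuilt.Properties[prop.Key] = prop.Value;

            yield return rebuilt;
        }
    }

    public static ClaimsIdentity WithIssuer(ClaimsIdentity identity, string issuerUri)
    {
        return new ClaimsIdentity(
            WithIssuer(identity.Claims, issuerUri),
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);
    }

    // Guard to run right before the token is issued: fail closed if any claim would
    // still be emitted with the default issuer "LOCAL AUTHORITY".
    public static void AssertNoLocalAuthority(IEnumerable<Claim> claims)
    {
        var offending = claims
            .Where(c => c.OriginalIssuer == ClaimsIdentity.DefaultIssuer)
            .Select(c => c.Type)
            .ToList();

        if (offending.Count > 0)
            throw new InvalidOperationException(
                "claims still carry OriginalIssuer '" + ClaimsIdentity.DefaultIssuer + "': "
                + string.Join(", ", offending));
    }

    public static void Main()
    {
        // Placeholder for IdentityServer's IssuerUri; matches the "After" response above.
        const string issuerUri = "http://localhost:5000";

        // Constructed input: claims as they leave the sign-in pipeline, no issuer given.
        var original = new ClaimsIdentity(new[]
        {
            new Claim("name", "Bob Smith"),
            new Claim("email", "bob@example.com"),
        }, "WsFederation");

        foreach (var c in original.Claims)
            Console.WriteLine($"before: {c.Type} OriginalIssuer={c.OriginalIssuer}");

        var fixedIdentity = WithIssuer(original, issuerUri);
        AssertNoLocalAuthority(fixedIdentity.Claims);

        foreach (var c in fixedIdentity.Claims)
            Console.WriteLine($"after:  {c.Type} OriginalIssuer={c.OriginalIssuer}");
    }
}
```

The guard is the part worth keeping in a real deployment: if a later refactoring reintroduces claims built without an issuer, the sign-in request fails on the IdP with a clear message instead of the relying party silently rejecting the mapping as in the report above.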