Closed sortling closed 8 years ago
Yeah, that makes sense.
Another approach would be to implement what is proposed here
https://github.com/IdentityServer/IdentityServer3.WsFederation/pull/54
But as a quick fix we could add the "unspecified". Want to send a PR?
PR for a quick fix sent. Was there a specific reason to not create the claims for the AuthnStatement for non-password authentication methods?
Merged - will release later.
Thanks!
Hello,
We are using IdentityServer3 with the WS-Federation plugin as a Claims Provider Trust for AD FS; AD FS acts as the SAML2 IdP for a Shibboleth SP. Local login with username and password works fine. We've been trying to add external authentication via AusweisApp2/nPA, but the resulting SAML2 assertion delivered to the Shibboleth SP is missing an AuthnStatement element, and creating a Shibboleth session fails.
After some research I think the reason is that the necessary claims are only added in the SignInResponseGenerator if the AuthenticationMethod is "password"; see line 180 in WsFederationPlugin\ResponseHandling\SignInResponseGenerator.cs:
Arbitrary values for ClaimTypes.AuthenticationMethod seem to trouble either AD FS or Shibboleth; I would suggest AuthenticationMethods.Unspecified for anything that is not password:
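As an added illustration of the quick fix discussed in this thread (not the plugin's own code; the local "amr"/"password" claim values, the helper name and the UTC instant formatting are assumptions), a C# helper that emits the WS-Federation authentication-method claims for every sign-in, mapping anything other than password to AuthenticationMethods.Unspecified instead of passing an arbitrary string through:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Xml;
using WsFedAuthenticationMethods = System.IdentityModel.Claims.AuthenticationMethods;

// Hypothetical helper (not IdentityServer3.WsFederation code): derives the
// outbound WS-Fed authentication-method claims from the local principal so
// that every sign-in, not only password, yields an AuthnStatement downstream.
public static class AuthnStatementClaims
{
    // Assumed local claim type and value used by IdentityServer3 for the
    // authentication method of the signed-in user.
    private const string LocalAuthenticationMethodClaim = "amr";
    private const string LocalPasswordValue = "password";

    public static IEnumerable<Claim> Build(ClaimsPrincipal user, DateTime authInstantUtc)
    {
        var local = user.FindFirst(LocalAuthenticationMethodClaim)?.Value;

        // Only the password method maps to a well-known WS-Fed URI here; any
        // other value (for example an external nPA login) is reported as
        // "unspecified" rather than handed to AD FS/Shibboleth as-is.
        var method = string.Equals(local, LocalPasswordValue, StringComparison.OrdinalIgnoreCase)
            ? WsFedAuthenticationMethods.Password
            : WsFedAuthenticationMethods.Unspecified;

        yield return new Claim(ClaimTypes.AuthenticationMethod, method);

        // Always emit the instant as well: both claims are needed for the
        // AuthnStatement. Formatted as an xs:dateTime in UTC.
        yield return new Claim(
            ClaimTypes.AuthenticationInstant,
            XmlConvert.ToString(authInstantUtc, XmlDateTimeSerializationMode.Utc),
            ClaimValueTypes.DateTime);
    }
}
```

After applying a change like this, check the assertion reaching the SP for an AuthnStatement whose AuthnContext reflects the unspecified method rather than the raw local value.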