Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Is there a way to get the Subject/NameId element from an assertion #220

Closed martinjt closed 9 years ago

martinjt commented 9 years ago

Is this set against anything in the ClaimsIdentity? I was expecting it to be the "Actor" of the ClaimsIdentity. I'm no expert on SAML, or claims authentication, and I know that under the hood it's using the Saml2SecurityTokenHandler, so maybe it's a bug in my ADFS response?

here's the subject node...

 <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DOMAIN\testuser</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
     <SubjectConfirmationData NotOnOrAfter="2015-04-05T19:12:27.395Z" Recipient="https://testdomain.com/CustomSSO.aspx" />
   </SubjectConfirmation>
 </Subject>
albinsunnanbo commented 9 years ago

It looks like your response is missing XML Namespaces. Compare with https://github.com/KentorIT/authservices/blob/master/Kentor.AuthServices.Tests/WebSSO/AcsCommandTests.cs#L97 and http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions

martinjt commented 9 years ago

@albinsunnanbo the segment I've shown is what is provided from ADFS, I don't have control of the namespaces. I suppose what we're saying is that Kentor can't support putting the Actor as the NameID when it comes from ADFS?

albinsunnanbo commented 9 years ago

It looks like namespace qualifiers are optional. I have never used AuthServices without the qualifiers so I'm not sure if it actually works or not. You could clone the Saml2Response_GetClaims_CreateIdentities test and try to strip the qualifiers and see what happens. Give the test a sensible name and submit a pull request.
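The following is an added example, in Python rather than the project's C#, and is not Kentor.AuthServices code. It shows what the namespace question above means in practice: a conforming parser looks for Subject/NameID in the SAML 2.0 assertion namespace, so a subject whose elements carry no namespace is simply not found. It also performs the bearer SubjectConfirmation checks that the attributes in the posted node exist for (Recipient must equal the SP's ACS URL, NotOnOrAfter must not have passed). Both XML samples are constructed from the posted Subject node: one with the saml: prefix that the SAML 2.0 schema requires, one exactly as posted. The clock values, the ACS URL and the function names are assumptions for the example.

```python
"""Namespace-aware extraction of Subject/NameID from a SAML 2.0 assertion,
with the bearer SubjectConfirmation checks a service provider must make.

Added example; not Kentor.AuthServices / Sustainsys.Saml2 code.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the posted Subject node with the saml: namespace restored.
SUBJECT_WITH_NS = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DOMAIN\\testuser</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2015-04-05T19:12:27.395Z" Recipient="https://testdomain.com/CustomSSO.aspx"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""

# Constructed sample: the node exactly as it appeared in the post (no namespace).
SUBJECT_NO_NS = """<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DOMAIN\\testuser</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2015-04-05T19:12:27.395Z" Recipient="https://testdomain.com/CustomSSO.aspx"/>
  </SubjectConfirmation>
</Subject>"""

# Assumed ACS URL of the SP, and two assumed "current time" values for the clock:
# one before the posted NotOnOrAfter (2015-04-05T19:12:27.395Z) and one after it.
ACS_URL = "https://testdomain.com/CustomSSO.aspx"
NOW_VALID = datetime(2015, 4, 5, 19, 10, 0, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2015, 4, 5, 19, 13, 0, tzinfo=timezone.utc)


def parse_saml_instant(value):
    """SAML xs:dateTime values are UTC with a trailing Z; fromisoformat needs +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_bearer_subject(subject_xml, expected_recipient, now):
    """Return (name_id, format) or raise ValueError.

    The Web SSO profile requires at least one SubjectConfirmation with the
    bearer method whose SubjectConfirmationData names this SP as Recipient
    and carries a NotOnOrAfter that has not passed. (InResponseTo matching
    against the outstanding AuthnRequest is omitted here for brevity.)
    """
    root = ET.fromstring(subject_xml)
    if root.tag != f"{{{SAML_NS}}}Subject":
        raise ValueError(f"not a SAML 2.0 assertion Subject: {root.tag}")
    name_id = root.find(f"{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Subject has no NameID")
    for conf in root.findall(f"{{{SAML_NS}}}SubjectConfirmation"):
        if conf.get("Method") != BEARER:
            continue  # holder-of-key / sender-vouches need other checks
        data = conf.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        if data is None or data.get("Recipient") != expected_recipient:
            continue  # an assertion addressed to another SP must not be accepted
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_saml_instant(expiry):
            continue  # bearer confirmations must be time-limited and unexpired
        # Keep the Format: the same NameID string under a different Format
        # identifies a different principal and must not be treated as equal.
        return name_id.text.strip(), name_id.get("Format")
    raise ValueError("no usable bearer SubjectConfirmation for this recipient")


def subject_decision(subject_xml, expected_recipient, now):
    """Non-raising wrapper: {'accepted': bool, 'name_id': str|None, 'reason': str|None}."""
    try:
        name_id, fmt = extract_bearer_subject(subject_xml, expected_recipient, now)
        return {"accepted": True, "name_id": name_id, "format": fmt, "reason": None}
    except ValueError as exc:
        return {"accepted": False, "name_id": None, "format": None, "reason": str(exc)}


if __name__ == "__main__":
    for label, xml, now in [
        ("namespaced, in time", SUBJECT_WITH_NS, NOW_VALID),
        ("namespaced, expired", SUBJECT_WITH_NS, NOW_EXPIRED),
        ("no namespace, in time", SUBJECT_NO_NS, NOW_VALID),
    ]:
        print(label, "->", subject_decision(xml, ACS_URL, now))
```

The un-namespaced copy is rejected at the first check, which is the behaviour a conforming SAML library exhibits as well: it is not that the NameID is missing, but that nothing in the document is recognised as a SAML element. The Recipient and NotOnOrAfter checks are the reason the SubjectConfirmationData attributes are in the posted node at all; an SP that reads NameID without enforcing them will accept an assertion minted for a different SP, or one that has expired.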

AndersAbel commented 9 years ago

The subject nameid should be available as a Claim if you enumerate the claims collection on the returned identity (you might have to cast it to ClaimsIdentity if it is typed as IIdentity)

If it isn't there, please provide some more details and I'll change the label to "bug". There is a similar question on Stack Overflow indicating something might be missing, but I haven't got any details there yet.

explunit commented 9 years ago

@martinjt I'm also using ADFS and I extract the Subject/NameID like this:

 // GetClaims validates the response and returns one ClaimsIdentity per assertion
 var claims = response.GetClaims( kentorOptions );
 var principal = new ClaimsPrincipal( claims );
 // the SAML Subject/NameID is mapped to the NameIdentifier claim type
 var idClaim = principal.Claims.FirstOrDefault( claim => claim.Type == ClaimTypes.NameIdentifier );
 var userId = idClaim.Value;
martinjt commented 9 years ago

@AndersAbel Thanks, I'll take a look at that and see if it works, I assume it's a similar approach to @explunit which I'll try as well.

martinjt commented 9 years ago

I've verified this and it does work using @explunit 's solution. However, can you explain what the "Actor" on a ClaimsPrincipal is in relation to SAML? I would have thought that it was the NameId....

albinsunnanbo commented 9 years ago

The reference source for ClaimsIdentity.cs:394 indicates that actor is used for delegation.