Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Q: NameClaimType & RoleClaimType #300

Closed Peperud closed 6 years ago

Peperud commented 9 years ago

Is there a way in Kentor middleware to specify/configure NameClaimType (and RoleClaimType)?

AndersAbel commented 9 years ago

Yes, implement a ClaimsAuthenticationManager and set it there. There is info in the documentation on how to do it.

Peperud commented 9 years ago

@AndersAbel Does this still apply to OWIN? It doesn't appear to take my class... Besides, at the time it gets called to process the incoming claims, unless there's some state info passed to it, how would it go about making the proper decision when dealing with potentially multiple IdPs?

What I seem to be getting at is: doesn't it make sense to have these as settings on, say, the IdP configuration for Kentor and have the Kentor middleware use them instead of the defaults?

albinsunnanbo commented 9 years ago

We have it running on OWIN.

You can check the Claim.Issuer property on any of the claims to find out the IDP.

Since the ClaimsAuthenticationManager is the canonical "here is what you got, transform it as you like" place in Identity, I don't see any obvious reason to duplicate that functionality in AuthServices. Besides, if you have multiple IdPs with different claims, I would suggest that you use the ClaimsAuthenticationManager to map the incoming claims to a common set of claims that you use in the application.

AndersAbel commented 9 years ago

@Peperud Yes, it still applies to Owin, but if you're using code-based configuration (with new KentorAuthServicesAuthenticationOptions(false)) you should set the ClaimsAuthenticationManager in the code too, not in the config file. The docs are a bit outdated on that.
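As an added example (not code from the project or from anyone in this thread), the following shows the code-based OWIN configuration described above, with a ClaimsAuthenticationManager that picks NameClaimType and RoleClaimType per IdP by reading Claim.Issuer, as suggested earlier in the thread. The entity ids, attribute names and the PerIdpClaimsAuthenticationManager/IdpClaimMapping types are assumptions constructed for the example; IdentityProvider registration is left as in the documentation.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Metadata;   // EntityId
using System.IdentityModel.Tokens;     // SecurityTokenException
using System.Linq;
using System.Security.Claims;          // ClaimsAuthenticationManager (System.IdentityModel.dll)
using Kentor.AuthServices.Configuration;
using Kentor.AuthServices.Owin;
using Owin;

// Hypothetical per-IdP mapping: which incoming attribute carries the name and which the roles.
public sealed class IdpClaimMapping
{
    public string NameClaimType { get; set; }
    public string RoleClaimType { get; set; }
}

public class PerIdpClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    private readonly IDictionary<string, IdpClaimMapping> mappings; // keyed by IdP entity id
    public PerIdpClaimsAuthenticationManager(IDictionary<string, IdpClaimMapping> mappings) { this.mappings = mappings; }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal.Identities.First();
        // Claim.Issuer is set to the IdP's entity id, so it selects the mapping for this login.
        var issuer = incoming.Claims.Select(c => c.Issuer).FirstOrDefault(mappings.ContainsKey);
        if (issuer == null) throw new SecurityTokenException("No claim mapping configured for this issuer.");
        var map = mappings[issuer];
        // Fail closed: a principal without the expected name claim has no usable identity.
        if (!incoming.HasClaim(c => c.Type == map.NameClaimType))
            throw new SecurityTokenException("Missing name claim " + map.NameClaimType);
        // Same claims, but with the name/role claim types chosen for this IdP.
        var identity = new ClaimsIdentity(incoming.Claims, incoming.AuthenticationType, map.NameClaimType, map.RoleClaimType);
        return new ClaimsPrincipal(identity);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // false = code-based configuration, so the manager must be set here, not in web.config.
        var options = new KentorAuthServicesAuthenticationOptions(false)
        {
            SPOptions = new SPOptions { EntityId = new EntityId("https://sp.example.com/AuthServices") } // sample value
        };
        options.SPOptions.SystemIdentityModelIdentityConfiguration.ClaimsAuthenticationManager =
            new PerIdpClaimsAuthenticationManager(new Dictionary<string, IdpClaimMapping>
            {
                // Sample IdP entity ids and attribute names; uid and eduPersonAffiliation OIDs for one IdP, plain names for the other.
                ["https://idp-a.example.com"] = new IdpClaimMapping { NameClaimType = "urn:oid:0.9.2342.19200300.100.1.1", RoleClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1" },
                ["https://idp-b.example.com"] = new IdpClaimMapping { NameClaimType = "email", RoleClaimType = "groups" }
            });
        app.UseKentorAuthServicesAuthentication(options);
    }
}
```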

AndersAbel commented 9 years ago

@Peperud I just updated the documentation with how to do it in code with OWIN.

Peperud commented 9 years ago

@AndersAbel Thanks, that did it.

@albinsunnanbo Yes, I understand that and it does make sense. I can also grab all the claims in IdSrv after Kentor and then map them to whatever I want. I wasn't talking about transforming any claims in general though, but rather addressing the very specific case of "user name" (and "role"). Just in the way it can be set in the <samlSecurityTokenRequirement>, except instead of being one setting for the whole system, it would be one per IdP. Just a thought...

ckouroupis commented 9 years ago

Hi @AndersAbel, Firstly, thank you very much for bringing Kentor.AuthServices into the .Net community!!

I agree with @Peperud in that it would be nice to make NameClaimType and RoleClaimType configurable on the IdentityProvider level. It is the party hosting the IdP who will govern which attribute contains the "Name" claim and it makes sense to configure it in the IdentityProvider.

AndersAbel commented 6 years ago

Old issue without recent activity, closing.

npnm commented 2 years ago

Yes, implement a ClaimsAuthenticationManager and set it there. There is info in the documentation on how to do it.

I am trying to upgrade one .Net framework library to .Net core which is using Saml2 auth v1. In that library 'spOptions.SystemIdentityModelIdentityConfiguration.ClaimsAuthenticationManager' was used to perform some transformation logic on claims, like adding/modifying a claim. As the 'SystemIdentityModelIdentityConfiguration' property is now not available in the 'SPOptions' class in the v2 version of Saml2, where can I place that claim transformation logic? In v2, is there any way to do it? Any thoughts?