I've created an ASP.Net MVC 5 site using Microsoft's "On-Premises" Organization Account Authentication mechanism. This is ultimately configured to point to my company's ADFS infrastructure. I'm getting back all the configured claims. However, at runtime, the ClaimsIdentity.Name is blank. This is because the ClaimsIdentity.NameClaimType, by default, appears to be:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
However, I want the ClaimsIdentity.Name to be mapped to:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
According to Microsoft Docs, the place to set this in web.config is within the Add element of the securityTokenHandlers element:
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add>
        <samlSecurityTokenRequirement>
          <nameClaimType value=xs:string>
          </nameClaimType>
        </samlSecurityTokenRequirement>
      </add>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
In my ASP.Net MVC 5 web.config, the only thing that looks applicable and passes IntelliSense checks ends up looking like this:
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <samlSecurityTokenRequirement>
          <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>
        </samlSecurityTokenRequirement>
      </add>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
However, this appears to have no effect. My MVC app still reports a blank ClaimsIdentity.Name field and the ClaimsIdentity.NameClaimType continues to be:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
What should my Web.Config look like to map my existing claim into the ClaimsIdentity.Name field?
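The behaviour described in the question (ClaimsIdentity.Name empty while the nameidentifier claim is present) comes straight from how ClaimsIdentity resolves Name: it returns the value of the first claim whose type equals NameClaimType, and nothing else. The following is an added example, not code from the question or from the answer below; it builds a constructed claim set standing in for the ADFS token, shows Name coming back null under the default NameClaimType, shows it resolving once the identity is built with the nameidentifier URI as its name type, and finishes with a ClaimsAuthenticationManager subclass (a code-side alternative to the web.config nameClaimType setting, named NameFromNameIdentifier here, my own naming) that copies the nameidentifier value into a standard name claim so Name is populated regardless of NameClaimType. The claim values are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not from the question or answer): why ClaimsIdentity.Name is blank
// when the token carries ".../claims/nameidentifier" but no ".../claims/name",
// and how the name claim type controls the mapping.
public static class NameClaimDemo
{
    // Claim type URIs exactly as quoted on the page.
    public const string NameUri   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    public const string NameIdUri = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

    // Constructed sample claims standing in for what the ADFS token delivers.
    static IEnumerable<Claim> SampleClaims()
    {
        yield return new Claim(NameIdUri, "jdoe@example.com");      // constructed value
        yield return new Claim(ClaimTypes.Email, "jdoe@example.com"); // constructed value
        yield return new Claim(ClaimTypes.Role, "Users");             // constructed value
    }

    public static void Main()
    {
        // Default constructor: NameClaimType is ClaimTypes.Name (the ".../claims/name"
        // URI). No such claim exists in the set, so Name resolves to null.
        var defaultIdentity = new ClaimsIdentity(SampleClaims(), "Federation");
        Console.WriteLine("NameClaimType = " + defaultIdentity.NameClaimType);
        Console.WriteLine("Name          = '" + (defaultIdentity.Name ?? "(null)") + "'");

        // Same claims, but the identity is built with nameidentifier as its name type,
        // which is what the web.config nameClaimType setting is meant to achieve.
        var mapped = new ClaimsIdentity(SampleClaims(), "Federation", NameIdUri, ClaimTypes.Role);
        Console.WriteLine("NameClaimType = " + mapped.NameClaimType);
        Console.WriteLine("Name          = '" + mapped.Name + "'");

        // Code-side alternative: a ClaimsAuthenticationManager that adds a standard
        // name claim derived from nameidentifier, so Name is set under the default type.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(SampleClaims(), "Federation"));
        var fixedUp = new NameFromNameIdentifier().Authenticate("/", principal);
        Console.WriteLine("After manager, Name = '" + fixedUp.Identity.Name + "'");
    }
}

// Hypothetical ClaimsAuthenticationManager (my naming). Registered via
// <claimsAuthenticationManager type="..."/> under <identityConfiguration>.
public class NameFromNameIdentifier : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;

        // Only add a name claim when the token did not already supply one.
        if (!identity.HasClaim(c => c.Type == ClaimTypes.Name))
        {
            var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
            if (nameId != null)
                identity.AddClaim(new Claim(ClaimTypes.Name, nameId.Value));
        }
        return incomingPrincipal;
    }
}
```

Running Main prints a null Name for the default identity and the constructed nameidentifier value for the remapped one, which is the same difference the web.config nameClaimType setting is intended to make. The ClaimsAuthenticationManager route is useful when the token-handler configuration cannot be changed: it runs after token validation, so it works whichever handler produced the identity, but it does add a claim the identity provider never issued, which is worth keeping in mind when auditing claims downstream.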
I found that using the following securityTokenHandlers section got me to where I needed to be based on a SAML 2.0 payload from my ADFS system:
I'm not at all certain how the claims were being consumed with the default web.config since no SAML token handler was configured. Maybe something in the source code does some default behavior...