Скачать или смотреть Resolving the SAML Claim Issue in ADFS When Using Ws-Federation with IdentityServer4

Discover how to resolve the claim passing issue from `Ws-Federation` to `SAML` in `ADFS` and IdentityServer4 through a simple configuration change.
---
This video is based on the question https://stackoverflow.com/q/62680613/ asked by the user 'nzim' ( https://stackoverflow.com/u/13142403/ ) and on the answer https://stackoverflow.com/a/63631992/ provided by the user 'nzim' ( https://stackoverflow.com/u/13142403/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: ADFS don't pass claims from Ws-Fed response from Claim Provider to outgoing SAML response for RP

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding the Problem: Claims Not Passing from ADFS to SAML Response

In the realm of authentication and authorization, integrating different protocols can sometimes lead to overwhelming technical challenges. One such issue arises when working with Active Directory Federation Services (ADFS) and IdentityServer4, particularly when passing claims from a Ws-Federation response to a SAML response for a Relying Party (RP).

Imagine this scenario: you have set up a robust system where the RP initiates a SAML sign-in request, and ADFS subsequently makes a Ws-Fed sign-in request to IdentityServer4. Although the claims arrive correctly from IdentityServer4, ADFS ends up issuing a SAML response without these valuable claims, leading to confusion and a disrupted user experience.

The Technical Details of the Issue

You might encounter an error like the following in your event logs:

[[See Video to Reveal this Text or Code Snippet]]

This indicates a mismatch in the expected token type, causing ADFS to fail in accurately processing the claims included in the token.

The Solution: Switching Token Versions

After thorough investigation and debugging, the solution to this perplexing problem was identified: the version of the token being generated. By default, IdentityServer4 generates a SAML 2.0 token, but ADFS operates solely with SAML 1.1. This version mismatch is the root cause of the claims not being passed from the Ws-Federation response to the SAML response.

Step-by-Step Solution

To address this, you need to adjust the token version used by IdentityServer4 from SAML 2.0 to SAML 1.1. Here’s how to do it:

Navigate to the IdentityServer4's Ws-Federation Options:
In your IdentityServer4 project, locate the WsFederationOptions configuration class.

Modify the Default Token Type:
Change the default token type to utilize SAML 1.1 instead of SAML 2.0. The following code snippet illustrates this change:

[[See Video to Reveal this Text or Code Snippet]]

Test the Configuration:
After implementing this change, retest the authentication flow to confirm that the claims are now being passed as expected from IdentityServer4 to the SAML response generated by ADFS.

Conclusion

By simply updating the token type, you can facilitate seamless claims passing between ADFS and IdentityServer4, thereby enhancing the integrity of your authentication systems. Although this technical adjustment appears straightforward, it significantly impacts the overall efficiency and user experience of your applications.

If you have faced similar issues or have further questions about ADFS and IdentityServer4 configurations, feel free to share your experiences in the comments below!