I have connected an AD FS as a SAML 2.0 up-party on FoxIDs, and my application is connected with OpenID Connect as a down-party.
I'm not receiving a sub claim in my application. What can be the problem?
FoxIDs converts between SAML 2.0 and JWT claims, where the sub claim is converted from the SAML 2.0 NameID attribute/claim. The NameID claim has the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
Either you need to update the AD FS configuration to also issue the NameID claim, which results in a sub claim with the NameID claim value.
Alternatively, if the AD FS is e.g. issuing a UPN (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn) claim, you can define a claims transformation in FoxIDs mapping the UPN (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn) claim to a NameID (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) claim. This results in a sub claim with the UPN claim value.
To debug, you can temporarily add a NameID (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) claim with a constant value, which results in a sub claim.
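The SAML-to-JWT claim conversion and the UPN-to-NameID claims transformation described in the answer, as an added example that is not FoxIDs code; the assertion is constructed, and the `(source type, target type)` rule shape and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
UPN_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

def saml_claims(assertion_xml: str) -> dict:
    """Flatten a SAML 2.0 assertion into {claim type: value}; the Subject/NameID
    element is surfaced under the nameidentifier claim type."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is not None and name_id.text:
        claims[NAMEID_TYPE] = name_id.text.strip()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    return claims

def apply_transformations(claims: dict, rules: list) -> dict:
    """Copy each (source type, target type) rule's value onto the target type,
    mirroring a claims transformation that maps UPN to NameID (rule shape assumed)."""
    out = dict(claims)
    for src, dst in rules:
        if src in out and dst not in out:
            out[dst] = out[src]
    return out

def to_jwt_claims(claims: dict) -> dict:
    """SAML-to-JWT conversion: NameID becomes sub; without NameID there is no sub."""
    jwt = {}
    if NAMEID_TYPE in claims:
        jwt["sub"] = claims[NAMEID_TYPE]
    return jwt

# Constructed assertion: AD FS issued a UPN attribute but no NameID.
ASSERTION_NO_NAMEID = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    raw = saml_claims(ASSERTION_NO_NAMEID)
    print(to_jwt_claims(raw))  # {}: the reported symptom, no sub claim
    print(to_jwt_claims(apply_transformations(raw, [(UPN_TYPE, NAMEID_TYPE)])))
```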