Cannot use nameidentifier claim

Feb 18, 2013 at 9:56 AM
Hi,

I'm trying to understand:
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" becomes "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" because SharePoint throws an error message when it is used in a SAML token.

I have tested several mappings:
  • From windowsaccountname to nameidentifier, but I get an error from creating the mapping:
$mapLogon = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "Login" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
New-SPClaimTypeMapping : The mapping is not allowed as the claim type
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier is a
reserved claim type.
At line:1 char:13
+ $mapLogon = New-SPClaimTypeMapping -IncomingClaimType
"http://schemas.microsoft. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : InvalidArgument: (http://schemas..../nameidentif
   ier:String) [New-SPClaimTypeMapping], PSArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPCla
   imMapping
  • nameidentifier only. I'm getting an error:
$mapLogon = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "Login" -SameAsIncoming
New-SPClaimTypeMapping : The mapping is not allowed as the claim type
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier is a
reserved claim type.
At line:1 char:13
+ $mapLogon = New-SPClaimTypeMapping -IncomingClaimType
"http://schemas.xmlsoap.or ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : InvalidArgument: (http://schemas..../nameidentif
   ier:String) [New-SPClaimTypeMapping], PSArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPCla
   imMapping
  • From nameidentifier to local windowsaccountname.
    The creation of the mapping is OK, as well as the creation of the trust.
    But I send two types of claims from ADFS (windowsaccountname and NameID), and SharePoint does not seem to recognize either of them.
So far, I have fallen back to the good old way and use windowsaccountname as the claim identifier, and modified the attribute list to use it:
new AttributeHelper{LDAPAttributeName="cn", LDAPObjectClass="user", claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", claimEntityType = SPClaimEntityTypes.User},
What am I missing?

Thanks for your help
Coordinator
Feb 19, 2013 at 2:03 PM
hello,
indeed that's something I need to pay attention to quickly; I'll come back to you asap with a status on this.
cheers,
Yvan
Coordinator
Feb 19, 2013 at 3:51 PM
Edited Feb 19, 2013 at 3:51 PM
hello,
For some reason I got completely confused: the sAMAccountName LDAP attribute should definitely be linked to the claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname.

To be honest I don't know how I could get confused this way.
Anyway I fixed this issue, and I also improved the code by using System.Security.Claims as primary namespace for WIF.
Please let me know if the new version (1.3) works fine for you.
cheers,
Yvan
Feb 19, 2013 at 8:08 PM
No biggie
I just banged my head for several hours in order to understand why it would not work :p

I'll test quickly and give you feedback.
Coordinator
Feb 20, 2013 at 11:17 AM
I'll wait for it, thanks!
Mar 6, 2013 at 12:33 PM
OK it is working like a charm.

One remark though. Apparently, when I look up a user, it shows me computers as well. These "accounts" are easily recognizable because they end with a '$'.

My guess is that you should filter on normal accounts.
According to http://support.microsoft.com/kb/305144, I think a filter like (userAccountControl:1.2.840.113556.1.4.803:=512) would work, hoping it is not filtering groups.
Another solution is to add a filter like (|(objectClass=User)(objectClass=Group))

Cheers!
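As an added example (my own illustration, not code from the thread or from the claims provider), the following Python evaluates the two LDAP filters proposed above, plus the conventional (&(objectCategory=person)(objectClass=user)), against constructed entries modelled on Active Directory objects. The entries are assumptions, with objectCategory simplified to a short value: a computer object's objectClass list includes user, because computer derives from user in the AD schema, and a group has no userAccountControl attribute at all.

```python
# Mini evaluator for the LDAP filter syntax discussed above: (attr=value),
# the bitwise-AND extensible match (attr:1.2.840.113556.1.4.803:=N), & and |.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
# Constructed entries (not real directory data). objectCategory is simplified
# to a short value; in AD it is a DN that filters may name by its short form.
ENTRIES = {
    "alice": {"objectClass": ["top", "person", "organizationalPerson", "user"],
              "objectCategory": ["person"],
              "userAccountControl": ["66048"]},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "WKS01$": {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
               "objectCategory": ["computer"],
               "userAccountControl": ["4096"]},  # WORKSTATION_TRUST_ACCOUNT
    "Finance": {"objectClass": ["top", "group"], "objectCategory": ["group"]},
}

def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index after its ')')."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at offset %d" % i)
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                  # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    if attr.endswith(":"):                        # extensible match attr:oid:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), end + 1
    return ("eq", attr, value), end + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    values = entry.get(node[1], [])               # absent attribute never matches
    if kind == "eq":                              # AD string matching is case-insensitive
        return node[2].lower() in (v.lower() for v in values)
    if node[2] == BIT_AND:
        mask = int(node[3])
        return any(int(v) & mask == mask for v in values)
    raise ValueError("unsupported matching rule %r" % node[2])

def search(filter_text, entries=ENTRIES):
    node, _ = parse(filter_text)
    return [name for name, e in entries.items() if matches(node, e)]
```

The bit filter drops both the computer and the group (groups carry no userAccountControl), while the objectClass filter keeps the computer, since computer objects are also user objects in the AD schema.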