Monday, December 14, 2015

AAD : The default WS-Federation claims

I have an ASP.NET RP using OWIN WS-Fed to talk to an ADFS instance and this ADFS instance has Azure AD as a CP.

For reference, this is the default claims set from AAD:

Claims from ClaimsIdentity

| Claim Type | Claim Value |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | QY7TN_h.....vFbw9IKD-nY |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | joe.bloggs@company.com |
| http://schemas.microsoft.com/identity/claims/tenantid | 4ef13bb.....a8291aeded |
| http://schemas.microsoft.com/identity/claims/objectidentifier | 8f803ba.........63-eacba54 |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | joe.bloggs@company.com |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | joe |
| http://schemas.microsoft.com/identity/claims/displayname | joe bloggs |
| http://schemas.microsoft.com/identity/claims/identityprovider | https://sts.windows.net/4e.....df-ad5a8d/ |
| http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent | Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 |
| http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path | /adfs/ls/ |
| http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork | true |
| http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id | 0000.....0-0080e7 |
| http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid | https://my-pc/WebApp-ADFS-DotNet/ |
| http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip | 111.11.111.111 |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod | http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant | 2015-12-13T19:12:58.920Z |

Sadly, there is currently no way to alter this default set other than to use Microsoft Graph to retrieve the additional claims yourself.

Note that because AAD is built on a Graph platform, a lot of the values (tenantid, objectidentifier, and the tenant segment of the identityprovider URL) are actually GUIDs.
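To show how an RP of the kind described above actually consumes this claim set, here is an added OWIN WS-Fed Startup class (example code written for this post, not code from the original post or from Microsoft's samples). It dumps the claims in the same type/value form as the table, and it keys the user on the objectidentifier plus tenantid pair rather than on the mutable emailaddress or name claims. The ADFS metadata host and the expected tenant id are placeholders; the Wtrealm value is the relyingpartytrustid shown above.

```csharp
// Added example: OWIN WS-Federation RP that reads the default AAD-via-ADFS claims.
// Placeholders: adfs.example.com (your ADFS host) and ExpectedTenantId (your AAD tenant GUID).
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(WebApp.Startup))]

namespace WebApp
{
    public class Startup
    {
        // Claim type URIs exactly as they appear in the default claim set above.
        const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
        const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

        // Placeholder: the GUID of the Azure AD tenant that ADFS trusts as its claims provider.
        const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Must match the RP trust identifier configured in ADFS (relyingpartytrustid above).
                Wtrealm = "https://my-pc/WebApp-ADFS-DotNet/",
                // Placeholder host; the metadata path itself is the standard ADFS one.
                MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Notifications = new WsFederationAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        // The middleware has already verified the ADFS signature and audience.
                        // ADFS is the issuer, so the issuer check says nothing about which AAD
                        // tenant the user came from; the tenantid claim carries that, so check it here.
                        ClaimsIdentity id = n.AuthenticationTicket.Identity;
                        string tenant = id.FindFirst(TenantIdClaim)?.Value;
                        if (!string.Equals(tenant, ExpectedTenantId, StringComparison.OrdinalIgnoreCase))
                        {
                            throw new System.IdentityModel.Tokens.SecurityTokenValidationException(
                                "Token is for an unexpected tenant");
                        }
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // Any validation failure (including the tenant check) lands here.
                        n.HandleResponse();
                        n.OwinContext.Response.Redirect("/Home/Error");
                        return Task.FromResult(0);
                    }
                }
            });
        }

        // Same listing as the table in this post: one "type value" line per claim.
        public static string DumpClaims(ClaimsPrincipal user) =>
            string.Join(Environment.NewLine, user.Claims.Select(c => $"{c.Type} {c.Value}"));

        // Stable key for the user: objectidentifier is unique within a tenant and does not change
        // when the email address or display name is renamed, so store this pair, not the email.
        public static string StableUserKey(ClaimsPrincipal user)
        {
            string tenant = user.FindFirst(TenantIdClaim)?.Value;
            string oid = user.FindFirst(ObjectIdClaim)?.Value;
            if (tenant == null || oid == null)
                throw new InvalidOperationException("tenantid/objectidentifier claims missing");
            return $"{tenant}:{oid}";
        }
    }
}
```

Once signed in, `Startup.DumpClaims(User as ClaimsPrincipal)` from a controller prints the same list as the table above, and `StableUserKey` gives the value to persist against the user's data instead of the email address.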

Enjoy!
