How to set the NameClaimType in an ASP.Net MVC 5 site?

别等时光非礼了梦想. Submitted on 2019-12-06 07:23:08

Question


I've created an ASP.Net MVC 5 site using Microsoft's "On-Premises" Organization Account Authentication mechanism. This is ultimately configured to point to my company's ADFS infrastructure. I'm getting back all the configured claims. However, at runtime, the ClaimsIdentity.Name is blank. This is because the ClaimsIdentity.NameClaimType, by default, appears to be:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

However, I want the ClaimsIdentity.Name to be mapped to:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 

According to Microsoft Docs, the place to set this in web.config is within the Add element of the securityTokenHandlers element:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add>
        <samlSecurityTokenRequirement>
          <nameClaimType value=xs:string>
          </nameClaimType>
        </samlSecurityTokenRequirement>
      </add>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

In my ASP.Net MVC 5 web.config, the only thing that looks applicable, and passes intellisense checks ends up looking like this:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
        <samlSecurityTokenRequirement>
          <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>
        </samlSecurityTokenRequirement>
      </add>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

However, this appears to have no effect. My MVC app still reports a blank ClaimsIdentity.Name field and the ClaimsIdentity.NameClaimType continues to be:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

What should my Web.Config look like to map my existing claim into the ClaimsIdentity.Name field?


Answer 1:


I found that using the following securityTokenHandlers section got me to where I needed to be based on a SAML 2.0 payload from my ADFS system:

<securityTokenHandlers>
  <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
    <samlSecurityTokenRequirement>
      <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
    </samlSecurityTokenRequirement>
  </add>
</securityTokenHandlers>

I'm not at all certain how the claims were being consumed with the default web.config since no Saml token handler was configured. Maybe something in the source code does some default behavior...
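As an added example that is not part of the original question or answer, the same NameClaimType remapping can be done in code with a ClaimsAuthenticationManager, which runs after the token handlers and also lets the application fail closed when the expected claim is absent rather than continuing with a blank Name. The class name NameClaimMappingManager and the namespace/assembly in the registration comment are placeholders.

```csharp
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Added example (not from the original post): remaps ClaimsIdentity.NameClaimType
// after the SAML token has been validated. Register it in web.config under
// <system.identityModel><identityConfiguration> as
//   <claimsAuthenticationManager type="YourNamespace.NameClaimMappingManager, YourAssembly" />
// (namespace and assembly are placeholders).
public class NameClaimMappingManager : ClaimsAuthenticationManager
{
    // Claim type the question wants ClaimsIdentity.Name to resolve to.
    private const string NameIdentifier =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            // Anonymous request: nothing to remap.
            return incomingPrincipal;
        }

        var incoming = (ClaimsIdentity)incomingPrincipal.Identity;

        // Fail closed: a token without the claim the application keys identity on
        // must not yield an authenticated principal whose Name is empty.
        if (!incoming.HasClaim(c => c.Type == NameIdentifier))
        {
            throw new SecurityTokenException(
                "Token is missing the " + NameIdentifier + " claim.");
        }

        // Claims are copied unchanged; only NameClaimType differs, so
        // ClaimsIdentity.Name now returns the nameidentifier claim value.
        var remapped = new ClaimsIdentity(
            incoming.Claims,
            incoming.AuthenticationType,
            NameIdentifier,
            incoming.RoleClaimType);

        return new ClaimsPrincipal(remapped);
    }
}
```

After signing in, inspecting ((ClaimsIdentity)User.Identity).NameClaimType in a controller confirms whether the remap took effect.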



Source: https://stackoverflow.com/questions/20106605/how-to-set-the-nameclaimtype-in-an-asp-net-mvc-5-site
