How do you turn off encryption of the ADFS 2016 userinfo endpoint sub claim?

  • Question

  • Hi,

    The Sub claim that the ADFS 2016 userinfo endpoint returns appears to be encrypted (within the token).

    Is there a way of forcing it to be un-encrypted?

    Regards

    Eadmund

    Wednesday, November 29, 2017 11:49 AM

All replies

  • No.

    I don't think it's encrypted. I think it's more like a GUID.

    If you need to identify the user, use the UPN or add some custom claims rules.

    Wednesday, November 29, 2017 5:51 PM
  • Hi!

    Is that for the Office 365 Relying Party? Usually we send the UPN and the immutableID, which is the base64-encoded objectGUID (depending on the setup).

    We don't encrypt the assertions/claims, but sign them only.

    What's the problem you're seeing/facing?

    Florian


    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Wednesday, November 29, 2017 7:33 PM
    Thanks for replying. I did consider that, but was not sure where it was being generated or coming from - any ideas?

    I'm working with a COTS app and that's how it gets the user ID. It doesn't look for claims in the access token, only from the userinfo endpoint - which of course currently only returns the sub claim.

    Looks like this >> "sub": "Rl7sOj0nDbgh8BVWZegrkvgAKaB/SwNuEbmORcWcae4=", which does appear to be Base64-encoded - I could be wrong...

    Regards

    Eadmund


    • Edited by Eadmund Thursday, November 30, 2017 10:14 AM
    Thursday, November 30, 2017 9:51 AM
  • Thanks for replying. The COTS app uses the userinfo endpoint to get the user ID (i.e. auser@domain.com). It ONLY looks there and does not consume the user ID from the token, even if the token has had the user's ID added as a claim (I've confirmed this with the vendor).

    What I'm looking to achieve is to get the sub claim from the userinfo endpoint to look like the actual user ID (i.e. auser@domain.com), rather than a GUID/string/blob.

    Regards

    Eadmund

    Thursday, November 30, 2017 10:01 AM
  • This is an example (from the web) - it does not appear to be Base64-encoded - I could be wrong!

    "sub": "Rl7sOj0nDbgh8BVWZegrkvgAKaB/SwNuEbmORcWcae4=",

    Thursday, November 30, 2017 10:13 AM
  • There is no way to change this.

    You could write a userinfo stub that gets claims out of the back end and then formats them as per the normal userinfo format.

    Thursday, November 30, 2017 5:58 PM
  • Hi!

    I don't have the source code to look at it -- but it appears to be a SHA256 hash of the object's GUID from Windows AD (that's Base64-encoded).

    objectGUID -> SHA256 hash -> Base64String.

    I'll try and poke around with it in the morning again. Do you have the objectGUID that goes along with the aforementioned "sub" claim's originating object from Windows AD/identity store?

    Thanks,

    Florian


    Tuesday, December 12, 2017 9:33 PM
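A way to test Florian's objectGUID -> SHA256 -> Base64 hypothesis against a known account, as an added example that is not part of this thread. The objectGUID below is constructed, and trying three byte orderings is an assumption (AD stores objectGUID as 16 mixed-endian bytes, so the hash input is not obvious); the only value taken from the thread is the quoted "sub" string, which at least has the shape of a Base64-encoded 32-byte digest.

```python
import base64
import hashlib
import uuid

# Constructed sample objectGUID (not a real directory object).
SAMPLE_OBJECTGUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"

# The "sub" value quoted in the thread above.
THREAD_SUB = "Rl7sOj0nDbgh8BVWZegrkvgAKaB/SwNuEbmORcWcae4="


def looks_like_sha256_b64(sub: str) -> bool:
    """True if 'sub' is valid Base64 that decodes to exactly 32 bytes,
    i.e. the right shape for a SHA-256 digest (does not prove it is one)."""
    try:
        return len(base64.b64decode(sub, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def candidate_subs(object_guid: str) -> dict:
    """Hypothesised sub values (SHA256 then Base64) for three plausible
    encodings of the objectGUID (assumption: one of these is what ADFS hashes):
      bytes_le - the 16 raw bytes as AD stores them and .NET Guid.ToByteArray() returns
      bytes    - big-endian RFC 4122 byte order
      text     - the UTF-8 string form of the GUID
    """
    g = uuid.UUID(object_guid)
    encodings = {
        "bytes_le": g.bytes_le,
        "bytes": g.bytes,
        "text": str(g).encode("utf-8"),
    }
    return {
        name: base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
        for name, raw in encodings.items()
    }


def match_sub(object_guid: str, observed_sub: str):
    """Return the encoding name whose hypothesised sub equals the observed
    userinfo sub, or None if the hypothesis does not hold for this account."""
    for name, value in candidate_subs(object_guid).items():
        if value == observed_sub:
            return name
    return None


if __name__ == "__main__":
    print("thread sub has SHA-256/Base64 shape:", looks_like_sha256_b64(THREAD_SUB))
    print("match for sample GUID:", match_sub(SAMPLE_OBJECTGUID, THREAD_SUB))
```

Replace SAMPLE_OBJECTGUID with the real objectGUID of the account that produced the sub (e.g. from Get-ADUser) and THREAD_SUB with that account's userinfo sub; a returned encoding name confirms the derivation, None means the hypothesis (or the byte order tried) is wrong.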