Overview

The SAML NameID claim type is a special claim type used to identify the principal of the session, and this claim type can be asserted containing only the value data, or you can also choose to assert additional NameID properties. Below, you will find a Claim Rule Language sample, which can be used with AD FS 2.x and demonstrates the syntax needed in order to assert the NameID claim type while including other, optional NameID properties.

Claim Rule Language Sample

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = http://sso.contoso.com/adfs/services/trust, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://fs.adatum.com/adfs/services/trust");


Explanation

  • The 'c:' condition reveals that we assume there is a NameID claim type already in our claims processing pipeline
  • The '=> issue' statement shows that we wish to issue at least one claim type (see Understanding Claim Rule Language for Issue vs. Add statements)
  • Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType indicates that we wish to carry over the Issuer and Value data from the 'c:' condition
  • Each NameID property is specified with the following syntax: Properties["property-type-URI"] = "value-URI"
  • In the sample, we are asserting: NameID Format, SPNameQualifier, and NameQualifier
  • NameID Format must be asserted with an acceptable NameID format URI (see SAML 2.0 Core specification for details)
  • NameID SPNameQualifier and NameQualifier value data can equal any absolute URI