ADFS expecting wrong anchor claim type in on-behalf-of request

Gilles Hemberg
2021-02-25T10:00:05.177+00:00

Consider the following setup:

On-premises ADFS 2019.

Two Claims Provider Trusts:

  • "Active Directory" with anchor claim type "windowsaccountname"
  • "Identity Provider X" with anchor claim type "providerxaccountname"

Application Group with:

  • Server Application with client id "ABC"
  • Web API with resource server id "ABC", with a single ClaimsProviderName set to "Identity Provider X"
  • Web API with resource server id "XYZ"

Authentication from Server Application "ABC" to Web API "ABC" works as expected with scopes "openid profile user_impersonation".

Trying to obtain an access token (scope openid) with the on-behalf-of flow for Web API "XYZ" results in the following error message on ADFS:

MSIS9364: Cannot complete the OAuth request. An id token is required by the request but one cannot be constructed because no Anchor claim is present. Verify the AnchorClaimType property on the associated Claims Provider Trust is set correctly.

I verified and anchor claim "providerxaccountname" is present in the access token of Web API "ABC".
Some further testing showed that ADFS expects the anchor claim "windowsaccountname". Why?

P.S.: Setting a single ClaimsProviderName to "Identity Provider X" on Web API "XYZ" made no difference (nor did I expect it to).

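The diagnostic below is an added example, not code from the question or from Microsoft. It reproduces the on-behalf-of request described above against the ADFS 2019 token endpoint and then checks the three things the MSIS9364 message points at: the AnchorClaimType on each Claims Provider Trust, the ClaimsProviderName pinning on each Web API, and whether the access token presented as the assertion actually carries any of those anchor claims. Assumptions: the short names in the question stand for full claim type URIs (the windowsaccountname URI is the standard one; the "providerxaccountname" URI is a placeholder), the ADFS host name, client secret and token are supplied as parameters, and the well-known alias `winaccountname` is the short JSON key ADFS uses for the windowsaccountname claim in JWTs.

```powershell
# Added diagnostic script (not part of the original question).
# Run on the ADFS server with the ADFS module; $AccessToken is the token
# already issued to Server Application "ABC" for Web API "ABC".
param(
    [Parameter(Mandatory = $true)] [string] $AccessToken,
    [string] $AdfsHost     = 'adfs.example.com',   # assumed host name
    [string] $ClientId     = 'ABC',
    [string] $ClientSecret = '<server-application-secret>',  # assumed
    [string] $TargetResource = 'XYZ'
)

Import-Module ADFS

function ConvertFrom-JwtPayload {
    param([string] $Jwt)
    # JWT = header.payload.signature; payload is base64url without padding
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Invoke-AdfsOnBehalfOf {
    # The OBO exchange the question describes: present the caller's access
    # token as a jwt-bearer assertion and ask for a token for another resource.
    param([string] $Assertion, [string] $Resource, [string] $Scope = 'openid')
    $body = @{
        grant_type          = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
        client_id           = $ClientId
        client_secret       = $ClientSecret
        assertion           = $Assertion
        requested_token_use = 'on_behalf_of'
        resource            = $Resource
        scope               = $Scope
    }
    try {
        Invoke-RestMethod -Method Post -Uri "https://$AdfsHost/adfs/oauth2/token" -Body $body
    } catch {
        # ADFS returns the MSIS code in the JSON error body; surface it as-is
        $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
        Write-Warning ("Token endpoint error: " + $reader.ReadToEnd())
    }
}

# 1. Anchor claim type configured on every Claims Provider Trust
$trusts = Get-AdfsClaimsProviderTrust | Select-Object Name, AnchorClaimType
"`n== Claims Provider Trusts =="; $trusts | Format-Table -AutoSize | Out-String

# 2. Which provider each Web API is pinned to (empty = any provider allowed)
"`n== Web API applications =="
Get-AdfsWebApiApplication |
    Select-Object Name,
        @{ n = 'Identifier';         e = { $_.Identifier -join ',' } },
        @{ n = 'ClaimsProviderName'; e = { $_.ClaimsProviderName -join ',' } } |
    Format-Table -AutoSize | Out-String

# 3. Does the assertion token carry any configured anchor claim?
# ADFS writes some well-known claim types under short JSON keys; this
# alias table is an assumption covering the one that matters here.
$jwtAlias = @{
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' = 'winaccountname'
}
$claims = ConvertFrom-JwtPayload -Jwt $AccessToken
"`n== Claim keys present in assertion =="
$claims.PSObject.Properties.Name -join ', '
"`n== Anchor claim check =="
foreach ($t in $trusts) {
    $keys = @($t.AnchorClaimType)
    if ($jwtAlias.ContainsKey($t.AnchorClaimType)) { $keys += $jwtAlias[$t.AnchorClaimType] }
    $present = ($keys | Where-Object { $null -ne $claims.PSObject.Properties[$_] }).Count -gt 0
    '{0,-22} anchor={1,-90} in token: {2}' -f $t.Name, $t.AnchorClaimType, $present
}

# 4. Reproduce the failing exchange for the target resource
"`n== On-behalf-of request for resource '$TargetResource' =="
Invoke-AdfsOnBehalfOf -Assertion $AccessToken -Resource $TargetResource
```

The useful output is the anchor claim check: if the only anchor claim whose key appears in the assertion belongs to "Identity Provider X" while the request still fails, the trust ADFS is evaluating for the id token is not the one that issued the assertion, which is what the question observes. Setting ClaimsProviderName on a Web API only restricts which providers may authenticate to it; it does not change which trust's AnchorClaimType is consulted when ADFS builds the id token for the on-behalf-of request.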