Cho7-4328 asked Cho7-4328 commented

E-mail claim not available from my external authentication method in AD FS 2016

I'm trying to plug a custom MFA provider into AD FS 2016, and while everything could work, I still have an issue when trying to specify which identity claim should be passed to my code.

If in my dll I specify an Identity Claim with upn, it works:

 public string[] IdentityClaims => new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" };


But if I specify an emailaddress instead:

 public string[] IdentityClaims => new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" };

My MFA method fails to launch, with the error below in the ADFS logs:

    System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


From what I can see on other forums, the main reason for this could be that I don't provide the E-mail claim in the Claim Issuance Policy of my Relying Party Trust. But I do provide this claim, and I know it works because my SP (which is also expecting this email address) sees it, and so does the Claim X-Ray app.

Since my MFA backend is expecting the email address to identify which user is currently trying to do MFA, and not the UPN, can someone help me figure out what's going on?

Thank you!

adfs

Any ideas?


1 Answer

piaudonn answered Cho7-4328 commented

AFAIK, the issuance rules are processed after the AuthZ rules. You might have to add the email claim at the Acceptance level (on the claim provider).

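One way to apply this answer's suggestion, as an added example that is not part of the original thread: a PowerShell snippet that appends an acceptance transform rule to the Active Directory claims provider trust so the e-mail claim is issued from the user's LDAP "mail" attribute before the external MFA adapter runs. It assumes the default claims provider trust name "Active Directory", a populated "mail" attribute, and an elevated session on the AD FS server.

```powershell
# Added example, not code from the question or answer.
# Appends an acceptance transform rule on the "Active Directory" claims provider trust
# (assumed default name) that issues the emailaddress claim from the LDAP "mail" attribute.
# Acceptance rules run before the relying party's issuance rules, which is why an
# identity claim needed by the MFA adapter must be produced here.

$emailClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim rule language: look up "mail" in AD for the authenticated windowsaccountname.
$newRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Issue e-mail address for external MFA identity claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaimType"), query = ";mail;{0}", param = c.Value);
"@

$cpt = Get-AdfsClaimsProviderTrust -Name "Active Directory"
$existing = [string]$cpt.AcceptanceTransformRules

if ($existing -match [regex]::Escape($emailClaimType)) {
    Write-Host "An acceptance rule already issues $emailClaimType; nothing changed."
} else {
    # Preserve the default rules (windowsaccountname pass-through etc.) and append ours;
    # overwriting them would break primary authentication for every relying party.
    $combined = $existing.TrimEnd() + "`r`n`r`n" + $newRule
    Set-AdfsClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $combined
    Write-Host "Acceptance transform rule for $emailClaimType added."
}

# Show the resulting rule set so the change can be reviewed before testing the MFA flow.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
```

After the change, a user whose AD object has no "mail" value will still trigger the adapter with no e-mail identity claim, so the adapter should handle an empty claim set rather than assume the lookup succeeded.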