AFAIK, the issuance rules are processed after the AuthZ rules. You might have to add the email claim at the Acceptance level (on the claim provider).
E-mail claim not available from my external authentication method in AD FS 2016
I'm trying to plug a custom MFA provider into AD FS 2016, and while everything could work, I still have an issue when trying to specify which identity claim should be passed to my code.
If in my dll I specify an Identity Claim with upn, it works:
public string[] IdentityClaims => new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" };
But if I specify an emailaddress instead:
public string[] IdentityClaims => new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" };
My MFA method fails to launch, with the error below in the AD FS logs:
System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
From what I can see on other forums, the main reason for this could be that I don't provide the E-mail claim in the Claim Issuance Policy of my Relying Party Trust. But I do provide this claim, and I know it works because my SP (which is also expecting this email address) sees it, and so does the Claim X-Ray app.
Since my MFA backend is expecting the email address to identify which user is currently trying to do MFA, and not the UPN, can someone help me figure out what's going on?
Thank you!
Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
2020-06-26T12:10:36.937+00:00
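The comment above points at the acceptance transform rules of the claims provider trust rather than the relying party's issuance policy: the MFA adapter's identity claim is resolved before the relying party issuance rules run, so an emailaddress claim that only appears in the relying party's issuance policy is not yet available at that point. The following PowerShell is an added example, not code from the question or from the comment, showing how an administrator would add an emailaddress acceptance rule on the built-in "Active Directory" claims provider trust and verify it. It assumes the default "Active Directory" claims provider trust name and that the user's e-mail address lives in the AD `mail` attribute; both are assumptions, adjust them for your environment. Run it in an elevated PowerShell session on an AD FS server with the ADFS module loaded.

```powershell
# Added example (not from the thread): make the e-mail address available at the
# claims provider acceptance level so a custom MFA adapter can declare
# .../emailaddress in IdentityClaims and still receive it.
# Assumptions: claims provider trust is the default "Active Directory";
# e-mail is stored in the AD "mail" attribute.

$cpName    = "Active Directory"
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim rule in the AD FS claim rule language. It keys on the Windows account
# name AD FS already holds after primary authentication and looks up "mail".
$emailRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Issue e-mail address at acceptance level (for MFA adapter)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType"), query = ";mail;{0}", param = c.Value);
"@

$cp = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $cp) { throw "Claims provider trust '$cpName' not found." }

# Heuristic idempotency check: skip if some acceptance rule already mentions the
# e-mail claim type. Review the existing rules manually if in doubt.
$current = $cp.AcceptanceTransformRules
if ($current -and $current.Contains($emailType)) {
    Write-Host "An acceptance rule on '$cpName' already references $emailType; nothing changed."
}
else {
    # Append to the existing rule set instead of replacing it, so the default
    # pass-through rules (UPN, group SIDs, etc.) are preserved.
    $newRules = if ($current) { $current + "`r`n" + $emailRule } else { $emailRule }
    Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $newRules
    Write-Host "Added e-mail acceptance rule to '$cpName'."
}

# Print the resulting acceptance rules for review.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
```

After applying the rule, sign in through the relying party once more and inspect the claims with the Claim X-Ray app mentioned in the question: the emailaddress claim should now be present before the MFA stage, and the "does not contain a Windows account name" error should no longer be raised when the adapter declares emailaddress as its identity claim. If the user object has no `mail` attribute, no claim is issued and the adapter will still fail for that user, so make sure the attribute is populated for everyone who is expected to do MFA.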