Channel: Claims based access platform (CBA), code-named Geneva forum

Preventing duplicate claims in ActAs scenario


I have a pretty complicated delegation scenario which is basically working except for a difficult to understand duplicate claim problem.

I have an ActAs token which has a NameID claim in it which duplicates the NameID claim I'm adding through the RP issuance rules.

For illustration, the NameID claim rule that was used for the original issuance of what will be used as the ActAs token is:

c1:[Type == "http://schemas.xmlsoap.org/claims/distinguishedName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c1.Issuer, OriginalIssuer = c1.OriginalIssuer, Value = c1.Value, ValueType = c1.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

My delegation process now uses this token and tries to get another for a different (or the same) RP. Not surprisingly (since we have standard claim rules across our apps) it has the same NameID claim rule. Since the distinguishedName claim is present it attempts to add the NameID claim again and the engine barfs and the following is in the error log:

Issued identity (claim type, then value):

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
NP\DelegationTestUser

http://schemas.xmlsoap.org/claims/distinguishedName
CN=DelegationTestUser,OU=TestScen,OU=TestProj,OU=ADT,OU=Projects,DC=...,DC=com

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
CN=DelegationTestUser,OU=TestScen,OU=TestProj,OU=ADT,OU=Projects,DC=...,DC=com

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
CN=DelegationTestUser,OU=TestScen,OU=TestProj,OU=ADT,OU=Projects,DC=...,DC=com

So the NameID claim is being added twice.

I'm a little confused because I'm not explicitly passing through the NameID claim that was in the first token, but whatever, it's there.

So, the problem seems to be one where I need to prevent the duplicate claim from being added to the pipeline.

My first thought was to try and use the Exists function, but Exists doesn't work with an input claim-derived output claim which I need.

My second thought was to try something like the following, even though I can't find any documentation that says '!=' is valid syntax for type comparison.

c:[Type == "http://schemas.xmlsoap.org/claims/distinguishedName"]
 && c1:[Type != "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

The UI allows me to create such a rule and I don't see an error in the logs. But it also doesn't seem to do anything.

Any ideas for how to solve my issue?


David Mowers
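An added example, not part of the original post, of the guard a practitioner would try here. In the claim rule language a condition such as c1:[Type != "...nameidentifier"] matches any claim in the pipeline whose type is something else, so it is satisfied as soon as any other claim (the name or distinguishedName claim) is present and never blocks the issue. The documented way to key a rule on the absence of a claim type is NOT EXISTS([Type == "..."]), combined with the normal condition using &&. The script below installs such a rule on the issuance transform rules of the relying party trust whose token is requested with the ActAs token, then reads the rules back to check them. The trust name 'Delegation Test RP' is a placeholder, and the rule set shown contains only this one rule; a real trust would keep its other rules in the same string.

```powershell
# Added example: guarded NameID issuance rule for an AD FS relying party trust.
# On AD FS 2.0 (Geneva) the cmdlets come from the snap-in instead of the module:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

# Assumed (placeholder) name of the relying party trust that the delegated
# token is requested for; replace with the real trust name.
$rpName = 'Delegation Test RP'

# The rule only issues a NameID when no nameidentifier claim is already in the
# pipeline, e.g. one carried in by the incoming ActAs token. Rule order matters:
# any earlier rule that issues a NameID would already have added it to the
# input set by the time this rule is evaluated.
$issuanceRules = @'
@RuleName = "NameID from distinguishedName unless one is already present"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
 && c:[Type == "http://schemas.xmlsoap.org/claims/distinguishedName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Replace the trust's issuance transform rules with the guarded rule set.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules

# Read the rules back and confirm the guard is in place before testing the
# delegation flow again; the claim log after the next ActAs request should
# then show a single nameidentifier claim.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($applied -notmatch 'NOT EXISTS\(\[Type == "http://schemas\.xmlsoap\.org/ws/2005/05/identity/claims/nameidentifier"\]\)') {
    throw "Guarded NameID rule was not applied to trust '$rpName'"
}
Write-Host "Issuance rules now on '$rpName':`n$applied"
```

If the duplicate persists after this change, the second copy is not coming from this trust's issuance rules at all, and the incoming ActAs token and any acceptance or authorization rules on the path are the next place to look.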