ClaimsPrincipal Data

I’m curious if this is a bug or I’m just not doing something right. I’m using ADFS 4.0 with UD on IIS (that was fun getting to work, but yay!). Anyway, I have it set up to bring back the sAMAccountName and a filtered set of user groups that I use for authorization. The odd thing is that $ClaimsPrincipal has the data in it twice. I want to loop through the data and grab the groups to use for miscellaneous stuff, but the array will always have two of each, which I don’t want.

PS UD:> $ClaimsPrincipal.Claims.Type
Executing…
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
PS UD:>

I have SAML tracer installed, and I can see that the groups are only returned once.

<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-02-11T11:59:38.653Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-02-11T12:59:38.653Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>https://mydashboard.my.domain</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    MajorVersion="1"
                    MinorVersion="1"
                    AssertionID="_fee981ac-c668-458f-8eff-9a976add4284"
                    Issuer="http://sts.my.domain/adfs/services/trust"
                    IssueInstant="2020-02-11T11:59:38.793Z"
                    >
      <saml:Conditions NotBefore="2020-02-11T11:59:38.653Z"
                       NotOnOrAfter="2020-02-11T12:59:38.653Z"
                       >
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://mydashboard.my.domain</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier>theuser</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="name"
                        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                        >
          <saml:AttributeValue>theuser</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="role"
                        AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"
                        >
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Infoblox-ManageFixedIP</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Infoblox-CreateScope</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-O365-Licenses</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-O365-ResetMFA</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Admins</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Mule-Integrations</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-O365-CreateSharedMB</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-O365-ManageSharedMB</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Tasks-Longview</saml:AttributeValue>
          <saml:AttributeValue>SEC-MYDOMAIN-UDashboard-DEV-Tasks-PIP</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows"
                                    AuthenticationInstant="2020-02-11T11:59:38.621Z"
                                    >
        <saml:Subject>
          <saml:NameIdentifier>theuser</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_fee981ac-c668-458f-8eff-9a976add4284">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>y3l43bxp1iGIbn8CwfqD3ms9XXGQ0TWh6f/HoQhupUg=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>

Thanks!

Victor
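A defensive way to read the groups whatever the cause of the doubling, as an added example (this is not code from the original post or from the Universal Dashboard project). In .NET, ClaimsPrincipal.Claims and FindAll() enumerate the claims of every identity attached to the principal, so a listing in which each claim appears twice is what you would see if two ClaimsIdentity objects carrying the same claims were attached; the script below constructs exactly that situation to mimic the output above, then reads the role claims and collapses the duplicates. The group names are taken from the SAML trace in the post; the function names and the 'Federation' authentication-type label are assumptions of this example.

```powershell
# Added example: a ClaimsPrincipal with two identical identities, mimicking the
# doubled listing in the post, and a helper that reads the groups robustly.

$RoleType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$NameType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

function New-SampleIdentity {
    # Constructed sample identity: one name claim plus a few of the role
    # claims seen in the SAML trace. Helper name is hypothetical.
    $claims = [System.Collections.Generic.List[System.Security.Claims.Claim]]::new()
    $claims.Add([System.Security.Claims.Claim]::new($NameType, 'theuser'))
    foreach ($group in 'SEC-MYDOMAIN-UDashboard-DEV-Admins',
                       'SEC-MYDOMAIN-UDashboard-DEV-O365-Licenses',
                       'SEC-MYDOMAIN-UDashboard-DEV-Tasks-PIP') {
        $claims.Add([System.Security.Claims.Claim]::new($RoleType, $group))
    }
    # 'Federation' is only a label for the authentication type (assumed here);
    # passing the name/role claim types makes IsInRole look at the right claims.
    [System.Security.Claims.ClaimsIdentity]::new($claims, 'Federation', $NameType, $RoleType)
}

# Attaching the same identity twice reproduces "every claim listed twice".
$identities = [System.Collections.Generic.List[System.Security.Claims.ClaimsIdentity]]::new()
$identities.Add((New-SampleIdentity))
$identities.Add((New-SampleIdentity))
$principal = [System.Security.Claims.ClaimsPrincipal]::new($identities)

function Get-UniqueRole {
    # Returns each group once, no matter how many identities carry it.
    param([Parameter(Mandatory)][System.Security.Claims.ClaimsPrincipal]$Principal)
    $Principal.FindAll($RoleType) | ForEach-Object Value | Sort-Object -Unique
}

# The first thing to check when claims look doubled: how many identities are attached?
"Identities attached : $($principal.Identities.Count)"          # 2 in this sample
"Raw role claims     : $(@($principal.FindAll($RoleType)).Count)" # 6 in this sample
"Unique groups       : $((Get-UniqueRole -Principal $principal) -join ', ')"

# IsInRole is a membership test, so duplicates do not change its answer;
# authorization checks can keep using it directly.
"Is admin            : $($principal.IsInRole('SEC-MYDOMAIN-UDashboard-DEV-Admins'))"
```

In a dashboard, replace the constructed $principal with the $ClaimsPrincipal variable UD provides; Get-UniqueRole then yields the filtered group list once, and the Identities.Count line is a quick way to confirm whether the doubling comes from a second attached identity before relying on the workaround.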

Can you open an issue for this? It’s a bug.

Thanks. Issue opened.