Double Claim groups?

Hey all,
anyone else get double AD group in the group list here?

I know it’s not comming from the ADFS server, as if I remove the group sending, the list get empty.
the group are 100% identical, so it’s not like something is different between them.

maybe bug with UD ?

This is coming from the authentication provider. UD isn’t populating any claims directly. So I’m not sure why we’d be getting multiples from WS-Fed\ADFS authentication. You might be able to try to enable some logging to figure out where they’re coming from but the auth providers can be kinda black box in that regard.

How to debug this? it dont seems to be logged by UD ?
I set

enable-udlogging -Level debug

Ok. That’s what I was suggesting. I’m not sure how else to get the auth provider to log more information. You might need to check on the server end of things to see if it provides any additional info about claims. I’ll see if there is any way to crank up the logging for the auth providers in UD.

Thanks man, it seems I could disable claim encryption, but I cant do that, if the UD could log the returned raw claim decrypted, that would be awesome.

maybe even baked into it’s own cmdlet and log file ?
Could be cool to have a log of authentication activities.
I will create a feature request in github.

That’s a good idea. I know a lot of people do this themselves when attempting to create auth polciies since it’s hard to see what’s going on with the claims.

Feature Request created:

@adam so I just confirmed by using fiddler that it’s not comming from the ADFS server.
The “RequestSecurityTokenResponse” only contain one set of groups.
but UD still list double.

Edit: ok the $Claimsprincipal just contain 2 of everything

I also show double set of claims under $ClaimsPrincipal when using ADFS authentication.

Weird. Ok. I will see how we can identify where this is coming from. It could also be a bug in the authentication provider and we just need to update the package.