Greetings,
There is an abnormal behavior of AD FS 2.0 that I need to report. Apparently in some circumstances, AD FS 2.0 only considers the SAML attribute name and disregards its namespace. I have verified this behaviour on several environments; all use AD FS 2.0 RTM over Windows Server 2008 R2 Service Pack 1. Here it goes:
a) On any Relying Party Trust, add the following two custom rules:
c:[] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ONE/TEST", Value = "one");
c:[] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/TWO/TEST", Value = "two");
b) The expectation is to generate two distinct SAML attributes with the same name “TEST” and different namespaces http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ONE and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/TWO. Instead there is only one attribute generated of name “TEST” and of namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ONE.
In other words, we obtain:
<saml:Attribute AttributeName="TEST" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ONE">
<saml:AttributeValue>one</saml:AttributeValue>
<saml:AttributeValue>two</saml:AttributeValue>
</saml:Attribute>
Instead of:
<saml:Attribute AttributeName="TEST" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ONE">
<saml:AttributeValue>one</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="TEST" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/TWO">
<saml:AttributeValue>two</saml:AttributeValue>
</saml:Attribute>
Could you please verify and advise? Please provide the Windows version in case you don't see this behaviour.
Many thanks,
Jean-Paul
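
A relying-party-side check for the merge described above, as an added example that is not part of the original post: it rebuilds each full claim type from AttributeNamespace and AttributeName and reports values that arrived under a different namespace than the issuance rule specified. The function names, the enclosing AttributeStatement element and the SAML 1.1 namespace binding are assumptions; the sample XML is constructed from the output quoted in the post.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: the merged attribute the post reports, wrapped in an
# AttributeStatement (assumed) so it parses as a stand-alone document.
OBSERVED = f"""<saml:AttributeStatement xmlns:saml="{SAML11}">
<saml:Attribute AttributeName="TEST" AttributeNamespace="{CLAIMS}/ONE">
<saml:AttributeValue>one</saml:AttributeValue>
<saml:AttributeValue>two</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>"""

# The two custom rules from the post, as (claim type, value) pairs.
RULES = [(f"{CLAIMS}/ONE/TEST", "one"), (f"{CLAIMS}/TWO/TEST", "two")]


def claims_by_type(statement_xml):
    """Map each full claim type (namespace + '/' + name) to its values."""
    claims = defaultdict(list)
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML11}}}Attribute"):
        claim_type = f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        for value in attr.iter(f"{{{SAML11}}}AttributeValue"):
            claims[claim_type].append(value.text or "")
    return dict(claims)


def audit(statement_xml, issued):
    """Return findings for issued claims that are absent or filed elsewhere."""
    got = claims_by_type(statement_xml)
    findings = []
    for claim_type, value in issued:
        if value in got.get(claim_type, []):
            continue  # value arrived under the claim type the rule named
        name = claim_type.rsplit("/", 1)[1]
        # Same attribute name, different namespace: the merge from the post.
        holders = [t for t, vals in got.items()
                   if t.rsplit("/", 1)[1] == name and value in vals]
        kind = "misfiled" if holders else "missing"
        findings.append((kind, claim_type, value, holders[0] if holders else None))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, RULES):
        print(finding)
```

A relying party that authorizes on the full claim type would treat "two" here as a value of the ONE/TEST claim, which is why the check keys on namespace and name together rather than on the name alone.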