Fixing AntiForgeryToken in MVC 4 when supporting Claims authentication

If you have developed an application using the HTML helper method @Html.AntiForgeryToken and you then apply claims based authentication to the application, you will probably encounter the error:

An unhandled exception has occurred:
A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity.
To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier.

I encountered this error when trying to implement ADFS support for a site we are developing for Microsoft.

The error message is more or less self-explanatory. It tells you that if you are not using any of the claim types specified directly in the error message, you basically need to tell the AntiForgery which claim that you are using as the unique user identifier. In my case I needed to use the e-mail address of the user as the unique identifier, which from the MS CORP STS is of the following type:

http://sts.msft.net/user/EmailAddress

To support this claim type I added the following code in the Application_Start method of my Global.asax.cs file:

AntiForgeryConfig.UniqueClaimTypeIdentifier = "http://sts.msft.net/user/EmailAddress";

That was it - after this entry everything worked like a charm.

 
Comments

No comments yet.

Leave a comment