AzureAD · jennyf19 · Apr 14, 2025
@@ -0,0 +1 @@
+const Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Attributes.SubjectConfirmationDataType = "Type" -> string
@@ -75,7 +75,17 @@ public static class Attributes
             public const string SessionNotOnOrAfter = "SessionNotOnOrAfter";
             public const string SPNameQualifier = "SPNameQualifier";
             public const string SPProvidedID = "SPProvidedID";
+            /// <summary>
+            /// W3C XML Schema standard xsi:type attribute name (lowercase)
+            /// </summary>
             public const string Type = "type";
+
+            /// <summary>
+            /// SAML specific xsi:type attribute (uppercase).
+            /// Used only for SubjectConfirmationData to maintain compatibility with ADFS and other SAML implementations.
+            /// See: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2894
+            /// </summary>
+            public const string SubjectConfirmationDataType = "Type";
             public const string Version = "Version";
         }
 

@@ -2169,7 +2169,8 @@ protected virtual void WriteSubjectConfirmationData(XmlWriter writer, Saml2Subje
 
             // @xsi:type
             if (subjectConfirmationData.KeyInfos.Count > 0)
-                writer.WriteAttributeString(XmlSignatureConstants.Attributes.Type, XmlSignatureConstants.XmlSchemaNamespace, Saml2Constants.Types.KeyInfoConfirmationDataType);
+                // Use uppercase "Type" specifically for SAML SubjectConfirmationData for ADFS compatibility
+                writer.WriteAttributeString(Saml2Constants.Attributes.SubjectConfirmationDataType, Saml2Constants.Types.KeyInfoConfirmationDataType);
 
             // @Address - optional
             if (!string.IsNullOrEmpty(subjectConfirmationData.Address))

@@ -626,11 +626,62 @@ public Saml2Subject ReadSubjectPublic(XmlDictionaryReader reader)
                 return base.ReadSubject(reader);
             }
 
+            public void WriteSubjectConfirmationDataPublic(XmlWriter writer, Saml2SubjectConfirmationData subjectConfirmationData)
+            {
+                base.WriteSubjectConfirmationData(writer, subjectConfirmationData);
+            }
+
             public void WriteProxyRestrictionPublic(XmlWriter writer, Saml2ProxyRestriction proxyRestriction)
             {
                 base.WriteProxyRestriction(writer, proxyRestriction);
             }
         }
+
+        [Theory, MemberData(nameof(WriteSubjectConfirmationDataTheoryData), DisableDiscoveryEnumeration = true)]
+        public void WriteSubjectConfirmationData(Saml2TheoryData theoryData)
+        {
+            TestUtilities.WriteHeader($"{this}.WriteSubjectConfirmationData", theoryData);
+            var context = new CompareContext($"{this}.WriteSubjectConfirmationData, {theoryData.TestId}");
+            try
+            {
+                var ms = new MemoryStream();
+                var writer = XmlDictionaryWriter.CreateTextWriter(ms, Encoding.UTF8, false);
+                (theoryData.Saml2Serializer as Saml2SerializerPublic).WriteSubjectConfirmationDataPublic(writer, theoryData.SubjectConfirmationData);
+
+                writer.Flush();
+                var xml = Encoding.UTF8.GetString(ms.ToArray());
+                IdentityComparer.AreEqual(xml, theoryData.Xml, context);
+                theoryData.ExpectedException.ProcessNoException();
+            }
+            catch (Exception ex)
+            {
+                theoryData.ExpectedException.ProcessException(ex);
+            }
+
+            TestUtilities.AssertFailIfErrors(context);
+        }
+
+        public static TheoryData<Saml2TheoryData> WriteSubjectConfirmationDataTheoryData
+        {
+            get
+            {
+                var keyInfo = new KeyInfo();
+                keyInfo.KeyName = "test";
+                var confirmationData = new Saml2SubjectConfirmationData();
+                confirmationData.KeyInfos.Add(keyInfo);
+
+                return new TheoryData<Saml2TheoryData>
+                {
+                    new Saml2TheoryData
+                    {
+                        SubjectConfirmationData = confirmationData,
+                        Xml = "<saml:SubjectConfirmationData Type=\"KeyInfoConfirmationDataType\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><KeyName>test</KeyName></KeyInfo></saml:SubjectConfirmationData>",
+                        Saml2Serializer = new Saml2SerializerPublic(),
+                        TestId = "WriteSubjectConfirmationDataWithUppercaseType"
+                    }
+                };
+            }
+        }
     }
 }
 

@@ -57,5 +57,7 @@ public Saml2TheoryData(TokenTheoryData tokenTheoryData)
         public Saml2Subject Subject { get; set; }
 
         public Saml2ProxyRestriction ProxyRestriction { get; set; }
+
+        public Saml2SubjectConfirmationData SubjectConfirmationData { get; set; }
     }
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		const Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Attributes.SubjectConfirmationDataType = "Type" -> string