Having linked an ACS namespace to Azure AD and "generated claims" (from the Azure AD metadata), it's annoying that there is no nameid claim.
Yes, I've heard the dogma why it is a hundred times. It's just unfriendly. When I use ACS, the whole point is so my code doesn't need to know about the vagaries of IDPs.
Now I have to go and manually map the name claim for the Azure AD IDP to nameid (so my own code doesn't have to know about the vagaries of IDP land).
Less dogma and theory, more customer listening - is my advice. Make it easy, and induce fewer errors.
----------
Feedback: there is not an immutableID or OID to be seen, by the way, having created my own service principal for websso (to ACS). The name typed in the name discovery box - which vectors the authentication off to my ADFS (equivalent) - gets all the way through to ACS .. and thence to my own SP. I was kind of expecting some PPID.
My own SP then does account linking, so other IDPs' names - assumed to be opaque PPIDs - can then be mapped onto a common (realty) name form for professionals registered in various (US) states. The whole point of creating the "account linking" experience was mostly so realty is not affected by the 5 different PPIDs that Google, Yahoo, Live, Azure AD... might issue; and then to ensure that control of the realty identity is what governs those who use realty identities. That folks borrow Azure/ADFS/Google or what have you - as a convenience to users bored of having multiple passwords - is JUST FINE.
It's now live (US) nationally, supporting 5% of GDP ... being equivalent to a Live/Google/Facebook consumer logon.
Well done directory folk!