2 Answers
Personally I've never used the NameIdentifier claim. The user name should be passed using the Name type (the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name).
I confirm your observation - you can't have the NameIdentifier (whatever it is) as a sole claim but you CAN of course have the Name as the sole claim.
Is it possible that nameidentifier is a keyword in SAML or WIF
Yes. In SAML token formats, you have a separate subject concept (something that uniquely identifies the entity) and attribute concept (information about the entity).
The WIF model represents all of this stuff as claims. Most claims are mapped to SAML Attributes when you write them to a SAML token, however nameidentifier is special and it gets written as a Subject.
But it looks like you're producing a SAML token with an AttributeStatement that's completely empty. Can you confirm? Are you using any kind of custom token handler?
I'm not certain, but I presume that by default when WIF encounters a ClaimsIdentity with just a nameidentifier claim, it should be writing this claim as a SAML Subject under both the AuthenticationStatement as well as the AttributeStatement, so the error you're getting shouldn't occur.
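One way to confirm whether an issued SAML 1.1 token carries an empty AttributeStatement, as an added example that is not part of either answer or of WIF: the script lists the NameIdentifier subjects and the attributes in an assertion and flags an AttributeStatement with no Attribute, which the SAML 1.1 schema does not allow. The two sample assertions, the issuer URL and the function name `inspect_assertion` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML11}

# Constructed samples (not captured from a real STS): one statement whose only
# content is the subject, and one that also carries a name attribute.
_HEAD = ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
         'AssertionID="_constructed" Issuer="https://sts.example.test" '
         'IssueInstant="2024-01-01T00:00:00Z"><saml:AttributeStatement>'
         '<saml:Subject><saml:NameIdentifier>user-123</saml:NameIdentifier>'
         '</saml:Subject>' % SAML11)
_TAIL = '</saml:AttributeStatement></saml:Assertion>'
SAMPLE_EMPTY = _HEAD + _TAIL
SAMPLE_WITH_NAME = (
    _HEAD +
    '<saml:Attribute AttributeName="name" AttributeNamespace='
    '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims">'
    '<saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>' + _TAIL)


def inspect_assertion(xml_text):
    """Return subjects, attributes and schema problems of a SAML 1.1 assertion."""
    # Assumption: the token comes from your own STS while debugging; use a
    # hardened parser for XML received from untrusted parties.
    root = ET.fromstring(xml_text)
    report = {"subjects": set(), "attributes": {}, "problems": []}
    for kind in ("AuthenticationStatement", "AttributeStatement"):
        for stmt in root.findall("saml:" + kind, NS):
            name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
            if name_id is not None and (name_id.text or "").strip():
                report["subjects"].add(name_id.text.strip())
            if kind != "AttributeStatement":
                continue
            attrs = stmt.findall("saml:Attribute", NS)
            if not attrs:
                # The SAML 1.1 schema requires one or more Attribute elements.
                report["problems"].append("AttributeStatement contains no Attribute")
            for attr in attrs:
                # Rebuild the claim type from namespace + name.
                claim_type = "%s/%s" % (attr.get("AttributeNamespace"),
                                        attr.get("AttributeName"))
                values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
                report["attributes"].setdefault(claim_type, []).extend(values)
    return report


if __name__ == "__main__":
    for label, xml_text in (("empty", SAMPLE_EMPTY), ("with name", SAMPLE_WITH_NAME)):
        print(label, inspect_assertion(xml_text))
```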