(for the info of readers, I know Chubby Arse and we have discussed this offline including sharing some additional code but I'm posting what I can here to help anyone else who may hit the same problem)
ServiceSecurityContext.PrimaryIdentity will only return the ClaimsIdentity if it is the only one in scope. If more than one identity is present, then it cannot identify which is the primary, and so a generic identity is returned.
In your scenario, you have 2 identities in context: your claims identity from the SAML token and also one representing the client certificate that was attached by the caller, which is required for net.tcp but not for basicHttp for authentication purposes. In order to access the ClaimsIdentity you need to update your ClaimsServiceAuthorisationManager as follows:
    // securityContext is the ServiceSecurityContext for the current call
    // (e.g. ServiceSecurityContext.Current or operationContext.ServiceSecurityContext).
    var identity = securityContext.PrimaryIdentity as IClaimsIdentity;
    if (identity == null)
    {
        // If there is more than one identity, for example when a client certificate
        // is also present, PrimaryIdentity is an empty GenericIdentity rather than the
        // IClaimsIdentity, so the cast above yields null. WIF still stores the
        // IClaimsPrincipal under the "Principal" key of the AuthorizationContext.
        if (securityContext.AuthorizationContext.Properties.ContainsKey("Principal"))
        {
            var principal = securityContext.AuthorizationContext.Properties["Principal"] as IClaimsPrincipal;
            if (principal != null)
            {
                identity = principal.Identity as IClaimsIdentity;
            }
        }
        if (identity == null)
        {
            // Fail closed: without a claims identity there is nothing to authorise against.
            throw new InvalidOperationException("PrimaryIdentity identity is not an IClaimsIdentity");
        }
    }
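Pulling that lookup into a complete authorisation manager, as an added example that is not part of the original answer or the poster's code. It assumes the poster's ClaimsServiceAuthorisationManager derives from WCF's System.ServiceModel.ServiceAuthorizationManager (so the entry point is CheckAccessCore), targets WIF 3.5 (Microsoft.IdentityModel.Claims), and uses a made-up action claim type to decide whether the caller may invoke the requested operation. It goes one step beyond the answer: besides the "Principal" property, WCF also stores every identity for the call under the "Identities" key of AuthorizationContext.Properties (a List of IIdentity), which is what PrimaryIdentity degrades to a GenericIdentity from when there is more than one, so the claims identity can be picked out of that list directly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;   // WIF 3.5: IClaimsIdentity, IClaimsPrincipal, Claim

// Assumed: the poster's ClaimsServiceAuthorisationManager derives from WCF's
// ServiceAuthorizationManager, so the hook to override is CheckAccessCore.
public class ClaimsServiceAuthorisationManager : ServiceAuthorizationManager
{
    // Assumed claim type (not from the original post): one "action" claim
    // per SOAP action the caller is allowed to invoke.
    private const string ActionClaimType = "http://schemas.example.com/claims/action";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
        IClaimsIdentity identity = ResolveClaimsIdentity(securityContext);
        if (identity == null || !identity.IsAuthenticated)
        {
            // Fail closed. The GenericIdentity that PrimaryIdentity returns for a
            // multi-identity call carries no claims; treating it as authenticated
            // would let any caller with a client certificate but no valid SAML
            // token through. Returning false yields an access-denied fault.
            return false;
        }

        // Authorise the requested SOAP action against the caller's claims.
        string action = operationContext.IncomingMessageHeaders.Action;
        return identity.Claims.Any(c =>
            c.ClaimType == ActionClaimType &&
            string.Equals(c.Value, action, StringComparison.Ordinal));
    }

    // Returns the IClaimsIdentity for the call, whether it is the only identity
    // (basicHttp) or sits beside a client-certificate identity (net.tcp).
    internal static IClaimsIdentity ResolveClaimsIdentity(ServiceSecurityContext securityContext)
    {
        if (securityContext == null || securityContext.IsAnonymous)
        {
            return null;
        }

        // Single identity: PrimaryIdentity is the claims identity itself.
        var identity = securityContext.PrimaryIdentity as IClaimsIdentity;
        if (identity != null)
        {
            return identity;
        }

        IDictionary<string, object> props = securityContext.AuthorizationContext.Properties;

        // Several identities: WCF keeps all of them under "Identities" and
        // PrimaryIdentity degrades to an empty GenericIdentity. Pick the claims one.
        object identitiesObj;
        if (props.TryGetValue("Identities", out identitiesObj))
        {
            var identities = identitiesObj as IList<IIdentity>;
            if (identities != null)
            {
                identity = identities.OfType<IClaimsIdentity>().FirstOrDefault();
                if (identity != null)
                {
                    return identity;
                }
            }
        }

        // The lookup used in the answer above: the WIF principal under "Principal".
        object principalObj;
        if (props.TryGetValue("Principal", out principalObj))
        {
            var principal = principalObj as IClaimsPrincipal;
            if (principal != null)
            {
                return principal.Identity as IClaimsIdentity;
            }
        }

        return null;
    }
}
```

The manager is wired in through the service behaviour's `<serviceAuthorization serviceAuthorizationManagerType="..."/>` element, as for any ServiceAuthorizationManager. Note the difference from the snippet in the answer: rather than throwing InvalidOperationException when no claims identity is found, CheckAccessCore returns false so the caller receives a plain access-denied fault and the missing-identity condition is not reported back as an internal error.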