NameIDPolicy and ADFS
dmarlow
Junior Member (57 reputation)

Group: Forum Members
Posts: 38, Visits: 175
I'm not very familiar with ADFS, but it seems whenever I attempt to integrate with an ADFS IdP, they always run into some sort of NameIDPolicy issue. My AuthnRequest contains a NameIDPolicy and I always get back an InvalidNameIDPolicy error. I tried setting the format value to all things defined in their metadata, but no luck. I guess they need to do something on their end to enable or allow it. Is there something on my end I can adjust, or are there some magic ADFS words I can tell them so they know what they need to do on their end?

Thanks!
ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
By default the authn request specifies "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" as the NameIDPolicy. This works with ADFS.
You can specify a different NameIDPolicy in the authn request through the SAML configuration <PartnerIdentityProvider> NameIDFormat.
Have you tried the default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"?
I also suggest taking a look at the ADFS event log for more details.


Regards
ComponentSpace Development
ktice1
New Member (1 reputation)

Group: Forum Members
Posts: 1, Visits: 5
Did you ever figure out a solution to this? I am experiencing the exact same issue with an ADFS that is set up for auto-update with metadata.
dmarlow
Junior Member (57 reputation)

Group: Forum Members
Posts: 38, Visits: 175
Sorry to both of you as I did not have notifications enabled. Yes, I did figure it out. I had tried specifying different name ID format values to no avail. I guess ADFS needs a claim rule transform as it doesn't understand NameIDPolicy. So, if your ADFS counterpart knows what that is, great, they can do something about it. Otherwise, you can set NameIDFormat to null which will cause the following to be sent: <samlp:NameIDPolicy AllowCreate="true" /> which works for them out of the box.
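An added example (not ComponentSpace code and not from this thread) that shows the two request shapes discussed above side by side: a NameIDPolicy with an explicit Format versus one with no Format attribute, plus a small triage check that compares the requested Format against the NameIDFormat values an IdP advertises in its metadata. The entityID, Issuer and metadata fragment are constructed, hypothetical values.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

# Constructed IdP metadata fragment (hypothetical entityID, three advertised formats).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def build_authn_request(name_id_format=None):
    """Minimal AuthnRequest. With name_id_format=None the NameIDPolicy carries
    no Format attribute at all, i.e. <samlp:NameIDPolicy AllowCreate="true" />."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                      {"ID": "_constructed-request-id", "Version": "2.0",
                       "IssueInstant": "2020-01-01T00:00:00Z"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = "https://sp.example.com/"  # hypothetical SP
    policy = ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy", {"AllowCreate": "true"})
    if name_id_format is not None:
        policy.set("Format", name_id_format)
    return ET.tostring(root, encoding="unicode")

def requested_name_id_format(authn_request_xml):
    """Format attribute of the request's NameIDPolicy, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def advertised_name_id_formats(idp_metadata_xml):
    """NameIDFormat values the IdP advertises in its IDPSSODescriptor."""
    root = ET.fromstring(idp_metadata_xml)
    return [e.text.strip() for e in root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS)]

def check_name_id_policy(authn_request_xml, idp_metadata_xml):
    """Triage helper: how the IdP is likely to treat the requested NameIDPolicy."""
    fmt = requested_name_id_format(authn_request_xml)
    if fmt is None or fmt == UNSPECIFIED:
        return "idp-chooses"      # no constraint; the IdP picks the identifier format
    if fmt in advertised_name_id_formats(idp_metadata_xml):
        return "advertised"       # advertised, but the IdP still needs a rule that issues it
    return "not-advertised"       # expect an InvalidNameIDPolicy status in the response
```

An "advertised" result does not guarantee success: as the thread notes, ADFS may still need a claim rule before it can issue that identifier.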
ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
We use the default value of "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" as the NameIDPolicy and haven't been able to get this to fail with ADFS.
The ADFS configuration we use is documented in our Developer Guide.
It would be interesting to compare ADFS configurations. There must be some setting on the ADFS side that is causing the issue for some users but not for others.

Regards
ComponentSpace Development