I've configured an app on the adfs relying party trusts, so I can login using adfs/sso. After that I've installed simplesamlphp to deal with that login, and process the re
simplesamlphp normally uses UPN or email as the NameID. You need to check in the config.
So in ADFS, create two claims rules:
One to create the claim (either UPN or email) - the normal LDAP one.
And a Transform that takes the above and transforms to a NameId claim with a type of "transient".
Again, simplesamlphp may not be using transient - you need to check in the config.
Update:
Assume UPN:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
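As an added illustration (not part of the original answer), a small Python check for the SP side: it pulls the NameID and its Format out of a decoded, unencrypted SAML Response and compares it with the format the SimpleSAMLphp config expects, so you can tell whether ADFS actually issued the transient NameID the two rules above are meant to produce. The sample responses are constructed; signature validation is assumed to happen in the SP and is not repeated here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def extract_nameid(response_xml):
    """Return (value, format) of the first Assertion's Subject NameID, or None if absent.
    Assumes the assertion is not wrapped in saml:EncryptedAssertion."""
    root = ET.fromstring(response_xml)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None
    # SAML Core: a NameID without a Format attribute means 'unspecified'.
    return (nameid.text or "").strip(), nameid.get("Format", UNSPECIFIED)


def check_nameid_policy(response_xml, expected_format=TRANSIENT):
    """Return (ok, reason); ok is True only if a non-empty NameID in the expected format is present."""
    found = extract_nameid(response_xml)
    if found is None:
        # Typical symptom when ADFS has no transform rule issuing the nameidentifier claim.
        return False, "no NameID in assertion: ADFS issued no nameidentifier claim"
    value, fmt = found
    if fmt != expected_format:
        return False, "NameID format %s does not match SP policy %s" % (fmt, expected_format)
    if not value:
        return False, "NameID is present but empty"
    return True, "NameID ok (%s)" % fmt


# Constructed sample responses (no signatures, trimmed to the elements the check reads).
_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion><saml:Subject>'
         % (NS["samlp"], NS["saml"]))
_TAIL = "</saml:Subject></saml:Assertion></samlp:Response>"
GOOD_RESPONSE = _HEAD + '<saml:NameID Format="%s">_tr_abc123</saml:NameID>' % TRANSIENT + _TAIL
MISSING_NAMEID_RESPONSE = _HEAD + "<saml:SubjectConfirmation/>" + _TAIL

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("missing", MISSING_NAMEID_RESPONSE)):
        print(label, check_nameid_policy(xml))
```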