Getting NameIDPolicyError implementing SSO with ADFS 2.0

Submitted by 孤者浪人 on 2020-01-23 12:09:20

Question


I am trying to connect a third-party system with ADFS 2.0 using SSO. I created a relying party trust and two claim rules:

Rule #1

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Rule #2

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

I am able to hit the ADFS server but am getting this error:

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null. 

Any thoughts?


Answer 1:


This piece is the clue:

SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null.

So the SP has a NameID (entity ID) of "https://xxx.xxx.com/sso" but there is no such name configured on the ADFS side.

You need to add this to the claim with the Properties[] construct.

Refer to: ADFS – SAML 2.0 Identity Provider and SaaS Service Providers.
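As an added example (not part of the question or the answer above, and not ADFS code), the following Python reproduces the check an identity provider applies before issuing a token: the NameIDPolicy in the SP's AuthnRequest is compared with the NameID actually placed in the assertion, and the MSIS1000 situation ("Actual NameID properties: null") is the case where the assertion carries no NameID at all. The requested Format, SPNameQualifier and AllowCreate values are taken from the error message in the question; the SAML snippets, the issuer URLs and the decision to treat a mismatching SPNameQualifier as a failure are assumptions of this example, not something the page states.

```python
"""Compare a SAML AuthnRequest's NameIDPolicy with the NameID in a Response.

Added example; the XML below is constructed for illustration and is not
a capture from the question's ADFS deployment.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed AuthnRequest; policy values match the error message in the question.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2020-01-23T12:09:20Z">
  <saml:Issuer>https://xxx.xxx.com/sso</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      SPNameQualifier="https://xxx.xxx.com/sso" AllowCreate="false"/>
</samlp:AuthnRequest>"""

# Constructed Response whose assertion has a Subject but no NameID (the MSIS1000 case).
RESPONSE_NO_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Response whose NameID satisfies the policy (format and qualifier match).
RESPONSE_OK = RESPONSE_NO_NAMEID.replace(
    "<saml:Subject>",
    '<saml:Subject><saml:NameID Format="' + EMAIL + '" '
    'SPNameQualifier="https://xxx.xxx.com/sso">user@example.test</saml:NameID>',
)

# Constructed Response whose NameID has the wrong format but the right qualifier.
RESPONSE_WRONG_FORMAT = RESPONSE_OK.replace(EMAIL, UNSPECIFIED)


def parse_nameid_policy(authn_request_xml):
    """Return the NameIDPolicy attributes of an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return {
        "Format": policy.get("Format"),
        "SPNameQualifier": policy.get("SPNameQualifier"),
        "AllowCreate": policy.get("AllowCreate"),
    }


def parse_nameid(response_xml):
    """Return the NameID of the first assertion in a Response, or None if absent."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None
    return {
        "Format": nameid.get("Format"),
        "SPNameQualifier": nameid.get("SPNameQualifier"),
        "Value": nameid.text,
    }


def check_nameid_policy(policy, nameid):
    """Return a list of problems; an empty list means the policy is satisfied.

    AllowCreate is not checked here: it governs whether the IdP may create a new
    persistent identifier, not whether an already issued NameID matches.
    """
    problems = []
    if policy is None:
        return problems  # the SP placed no constraint on the NameID
    if nameid is None:
        problems.append("Actual NameID properties: null (assertion carries no NameID)")
        return problems
    fmt = policy["Format"]
    if fmt and fmt != UNSPECIFIED and nameid["Format"] != fmt:
        problems.append("Format mismatch: requested %s, got %s" % (fmt, nameid["Format"]))
    spq = policy["SPNameQualifier"]
    if spq and nameid["SPNameQualifier"] != spq:  # assumption: qualifier is enforced strictly
        problems.append("SPNameQualifier mismatch: requested %s, got %s"
                        % (spq, nameid["SPNameQualifier"]))
    return problems


if __name__ == "__main__":
    policy = parse_nameid_policy(AUTHN_REQUEST)
    for label, resp in [("no NameID", RESPONSE_NO_NAMEID), ("ok", RESPONSE_OK),
                        ("wrong format", RESPONSE_WRONG_FORMAT)]:
        print(label, "->", check_nameid_policy(policy, parse_nameid(resp)) or "satisfied")
```

Running it shows the first response failing exactly the way the question's ADFS instance did, the second passing once the NameID carries the requested format and qualifier, and the third failing only on format. When debugging a rule set like the one in the question, decoding the actual SAML response (from a browser trace) and feeding it to the second and third functions tells you which attribute the claim rules are not producing.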



Source: https://stackoverflow.com/questions/16403359/getting-nameidpolicyerror-implementing-sso-with-adfs-2-0
