Wednesday, October 10, 2012

ADFS : NameID / qualifier in claims


Firstly, there’s an excellent write-up here:

ADFS – SAML 2.0 Identity Provider and SaaS Service Providers

I was busy configuring a SAML provider in ADFS v2.0 when I got this error:

“The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: sp_test
Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: http://xxx/adfs/services/trust SPNameQualifier: sp_test, SPProvidedId: 
Logged-in session participants:
Count: 1, [Issuer: sp_test, NameID: (Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier:  SPNameQualifier: sp_test, SPProvidedId: )] 

This request failed.

User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS 2.0 Management snap-in.”

I had a custom claims rule:

c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",  Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp_test");

So I had the sp_test part (SPNameQualifier) but not the http://xxx/adfs/services/trust part (NameQualifier). The key was in the “User Action” message above: the two name identifiers differed only by NameQualifier, so I needed to expand my rule to set that property as well:

c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://xxx/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp_test");
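To see why the Single Logout request was rejected, it helps to compare the NameID in the LogoutRequest with the NameID AD FS recorded for the session attribute by attribute. The script below is an added example, not code from the post or from AD FS; the two SAML fragments are constructed samples that mirror the error message above, and the claim property URIs are the three the post uses.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# NameID attributes AD FS compares when matching a LogoutRequest to a session.
FIELDS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")
# Claim properties (from the post) that set the corresponding NameID attribute.
CLAIM_PROPS = {
    "Format": "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format",
    "NameQualifier": "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier",
    "SPNameQualifier": "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier",
}

# Constructed sample: the NameID AD FS issued for the session (no NameQualifier) ...
SESSION_NAMEID = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
    'SPNameQualifier="sp_test">_c0ffee</saml:NameID>'
)
# ... and the LogoutRequest the SP sends back, qualified with the IdP entity ID.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0">'
    '<saml:Issuer>sp_test</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
    'NameQualifier="http://xxx/adfs/services/trust" '
    'SPNameQualifier="sp_test">_c0ffee</saml:NameID>'
    '</samlp:LogoutRequest>'
)

def nameid_props(xml_text):
    """Return (value, {attribute: value}) for the NameID in a SAML fragment."""
    root = ET.fromstring(xml_text)
    nid = root if root.tag.endswith("}NameID") else root.find(".//saml:NameID", NS)
    if nid is None:
        raise ValueError("no saml:NameID element found")
    return (nid.text or ""), {f: nid.get(f, "") for f in FIELDS}

def nameid_mismatches(session_xml, request_xml):
    """Map each differing NameID attribute to (session_value, request_value)."""
    sval, sprops = nameid_props(session_xml)
    rval, rprops = nameid_props(request_xml)
    diffs = {f: (sprops[f], rprops[f]) for f in FIELDS if sprops[f] != rprops[f]}
    if sval != rval:
        diffs["Value"] = (sval, rval)
    return diffs

def claim_properties_to_add(diffs):
    """Claim properties the issuance rule must set so the issued NameID matches."""
    return [CLAIM_PROPS[f] for f, (issued, _) in sorted(diffs.items())
            if issued == "" and f in CLAIM_PROPS]
```

For the samples above the only mismatch is NameQualifier, and the function points at the namequalifier claim property, which is exactly what the expanded rule adds.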

Enjoy!

4 comments:

Kamalpreet Singh said...

What is "sp_test" here?

Kamalpreet Singh said...

What is "sp_test"? How can I get this value?

Kamalpreet Singh said...

This is the error I'm getting. Can you please help with this?

The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: BambooHR-SAML
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .

This request failed.

User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.

nzpcmad said...

sp_test is the name displayed in the error message.

Your error message does not look like this.

The NameID format needs to be email. What NameID format are you sending? You can see this e.g. in FF "SAML tracer".