wcpaez

Reputation: 361

InvalidNameIDPolicy working with ADFS

I have many clients that use SSO; for that we use SAML 2. Many of my clients use providers like Okta, PingIdentity and a bunch of them ADFS. Doing the integration with ADFS always at the beginning raises this error when they come back with the SAMLResponse.

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>

I'm asking to use this as name identifier:

"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

I'm pretty new to SAML and I just want to know what is happening on ADFS, since this is only happening with clients that use it.

Thanks a lot.

Upvotes: 15

Views: 33105

Answers (2)

rbrayb

Reputation: 46720

The other way to do this is to identify what attribute needs to be mapped to NameID, e.g. email address.

Have a normal LDAP rule for email.

Then have a Transform rule that transforms email to NameID and select the NameID format you need from the drop-down.

Upvotes: 4
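The two rules rbrayb describes (an LDAP rule for email, then a Transform rule that turns it into a NameID with the emailAddress format), written out as an added example in ADFS claim rule language and applied with the ADFS PowerShell cmdlets. This is not code from the question or the answers; the relying party trust name "ExampleSP" is a placeholder, and it assumes users have the AD "mail" attribute populated.

```powershell
# Added example, not part of the original question or answers.
# Issues the user's AD "mail" attribute as the SAML NameID in
# urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format.
# Run in an elevated ADFS PowerShell session. Note that
# Set-AdfsRelyingPartyTrust replaces the trust's whole issuance rule set,
# so merge these with any rules the trust already has.

$rules = @'
@RuleName = "LDAP: send mail as E-Mail Address claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform: E-Mail Address -> Name ID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "ExampleSP" is a placeholder for the relying party trust's display name.
Set-AdfsRelyingPartyTrust -TargetName "ExampleSP" -IssuanceTransformRules $rules

# Check the rule set now in effect for the trust.
(Get-AdfsRelyingPartyTrust -Name "ExampleSP").IssuanceTransformRules
```

The format set in the Properties of the Transform rule must match the Format in the NameIDPolicy of the SP's AuthnRequest; if ADFS cannot issue a NameID in the requested format it answers with the Requester/InvalidNameIDPolicy status shown in the question.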

Sam

Reputation: 543

By default, ADFS sends the NameId format as "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". You can adjust it. See: https://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx

Upvotes: 9
