ADFS 2012 response is not returning Name ID

Question

My application is sending a SAML request to ADFS, which prompts me to log in to the AD, and my application is getting a SAML response back. However, it does not contain a Name ID.

In the Claims rules I set up these two:

• Send LDAP Attributes as Claims

• • LDAP Attribute: E-Mail-Addresses
• • Outgoing Claim Type: E-Mail Address
• • Attribute Store: Active Directory

• Transform an Incoming Claim

• • Incoming Claim Type: E-Mail Address
• • Outgoing Claim Type: Name ID
• • Outgoing Name ID Format: Email
• • Pass through all claim values

I assume that when I am prompted to enter my email address, that this email address is added to the incoming claim?

Why isn't it transforming it and sending it back? I think there should be a "NameID" node in the Subject?

Response XML:

<samlp:Response ID="_e7eae5c5-abf6-4f8f-a869-95ecc373410a" Version="2.0" IssueInstant="2023-01-16T15:55:47.323Z" Destination="https://localhost:8443/rrdefenceweb/services/ui/authenticateSaml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="iddd342818-ac09-40cc-9c79-12e61dab8165"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.adfstest.com/adfs/services/trust
</Issuer>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_196d47b3-d764-4a73-a136-2cd8cbd2a905" IssueInstant="2023-01-16T15:55:47.323Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.adfstest.com/adfs/services/trust</Issuer>
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_196d47b3-d764-4a73-a136-2cd8cbd2a905">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>Y2uhE7CuNU4iI4r8N6nRMGhzV8icSjUrxrInhXZzFoQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>JVE8Pk2CDVmIoXCLxr1zITlOaOublJY5nwF9kxBA+T80KYI97N36DwcGIN2pJN4KjPbQfR/LHHXVXmaEzBoA5kZ2Bii3r49qlDWi1eujfDL8lY/GLiUNuZCALRqPpS2f6TKeKucECQVgqE5WMVHeULjLBOQI41alEfHqnGVABQLoKhB8LSBeJU2f65hapKG0Q2ffmr+BunxH+Srfz5oBF+pScQwtsrP/Kr4SD4DvmLz/xCEyKNqzaDT+WNwZ9MN2Rjtx3hOiS/YBjJ9CqUYGdxAglEg7yu3uzQ4UsqM4MlZSBY5lPtTa16qYSwq2NgM6sQrMAo5BVsLz3kIfJlulOg==</ds:SignatureValue>
        <KeyInfo
            xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC3jCCAcagAwIBAgIQRiRqmG8/OKBIVDkoSvTPcDANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIFNpZ25pbmcgLSBhZGZzLmFkZnN0ZXN0LmNvbTAeFw0yMzAxMDkxODQ1MzdaFw0yNDAxMDkxODQ1MzdaMCsxKTAnBgNVBAMTIEFERlMgU2lnbmluZyAtIGFkZnMuYWRmc3Rlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/C6v11/9nwR6JpY2Q0H+Q/DE4jXi7y7h/KXdlBS/ktnCUoesRcgmyTdzoU0+DK7hZXZ+V4qk2KYYcRlikiL9nGkLkA+wIIAdrKLZzraD+H+TCAYLyVY21oUGUg2oD8WqibwtutJejX+9ATJ9xCBu+xX2VDXUmQEyTqNYIj98/XAiob+eQbCfDQuoadLRo5UfM/9jOaRUHmVo9xdP58d7egKpSfhungYA3Kilc6Lu38QywnxYQlq2KpZ67SJr3cuERc1wOUzTcgKcVdvv+sUBQ5uj01SYAUX+snhgjr8/w9+13AVoTiyTbEmjW+lK3e26Rb4QQ2P/ZGmGpIz3hLyMAQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCtQ+9sAWwPJmNN6TUEqqUV068u98Yk22cNqrwKx3HMrZKcj2jBQ5+4zCzYtPRt4dToapYeWIsMVasb4yQ+BT7y8dPaeHRezCUwvRpDGBroQYL0BFVyxE1P4tM7OZR5bV+zGMT857Nvm+0uSHzMJGrjGFa91ZgazDAEdIgQ96x/I48CrftPzhUkLWZgW2xNv1Z4DdgO7ImjvB49dNQuwv0aiZOiL2xuPj/FcQpqklu/VL3aKFiS4TL0cPEdJVE7KHtkBqT6Uje4xuWBAXHOfKCJ6gIbE9I9WyQ6bPSRNqDhQV9povM56Yob8g7Nhva/486Xd4kwzm6gzh4M24LywZgW</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <Subject>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="iddd342818-ac09-40cc-9c79-12e61dab8165" NotOnOrAfter="2023-01-16T16:00:47.323Z" Recipient="https://localhost:8443/rrdefenceweb/services/ui/authenticateSaml" />
        </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2023-01-16T15:55:47.323Z" NotOnOrAfter="2023-01-16T16:55:47.323Z">
        <AudienceRestriction>
            <Audience>https://localhost:8443/rrdefenceweb</Audience>
        </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2023-01-16T10:53:40.791Z">
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
</Assertion>
</samlp:Response>

Federation XML: https://adfs.adfstest.com/federationmetadata/2007-06/federationmetadata.xml

Answer 1

It was because in the Active Directory, my user did not have an Email Address set (even though my login name was in an email format, it is a separate field that needs setting).

Answer worked out thanks to this: Why is ADFS not returning an email claim?