Friday, April 13, 2012 7:36 PM
I am currently setting up a trust to a third party federation server. I've successfully pulled in the third party xml data however when I try to auth to the third party fed the saml request has the AllowCreate="true"
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
However the third party requires that the AllowCreate be set to false. How can this be accomplished? I have found how to turn it completely off in PowerShell just not a way to set it to false.
Saturday, April 14, 2012 8:21 AMThe standard (both core and errata) specify that omitting is the same as (the default) false. Maybe talk with the third party and let them implement the standard???
Saturday, April 14, 2012 12:01 PMI posed that question to the third party yesterday and the answer was it has to be present and set to false.
Saturday, April 14, 2012 8:25 PM
:-) Ooops, that is bold....... :-) Hope you are still on speaking terms with them....
I took a look at "internal virtual void WriteNameIDPolicy(XmlWriter writer, NameIdentifierPolicy data)", which writes the AuthnRequest. It tests a boolean and then writes it if (and only if) required....... But below is what Reflector says.
For the code to ever write "false" it should have been an "if then else". So I guess ADFS cannot do it.
But the only place for an official confirmation is Microsoft Support. Getting them to fix this if the other is not folowing the standard will be a tough one.......
Friday, April 27, 2012 9:33 PM
Hello, I had the same grief with a 3rd party provider as well. I did manage to use the powershell scrips to set this to false and managed to have it show up correctly in my SAML request. I used the following PowerShell command:
set-ADFSClaimsProviderTrust -targetname "<ENTER THE 3rd PARTY IDP HERE>" -AllowCreate $False
The result was an AllowCreate="false" in my SAML Request to them. Hope this helps.
Monday, April 30, 2012 3:07 PM
I hate it when I leave incorrect or half information, so I'd like to put that right. I tried your tip. But in my case (ADFS RTM with Windows Update, no hotfixes, no wrapup, nothing) the AllowCreate="false" attribute is *not* sent. Of course the AllowCreate="true" disappears.
Can you show me your SAMLRequest? What is the file version and signature date of your Microsoft.IdentityServer.dll?
Friday, June 01, 2012 10:59 PM
I was using ADFS 2.0 with the first update that was released for it. I don't have access to the signature date of the dll or the SAML request right now so cannot post. I may be able to dig up from an archive.