Get started for free
Visual Studio Developer Center >
How to set AllowCreate to false

Pertanyaan How to set AllowCreate to false

  • Friday, April 13, 2012 7:36 PM
     
     
    Sign In to Vote
    0

    I am currently setting up a trust to a third party federation server.  I've successfully pulled in the third party xml data however when I try to auth to the third party fed the saml request has the AllowCreate="true"

    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />

    However the third party requires that the AllowCreate be set to false.  How can this be accomplished?  I have found how to turn it completely off in PowerShell just not a way to set it to false.

     

All Replies

  • Saturday, April 14, 2012 8:21 AM
     
     
    Sign In to Vote
    0
    The standard (both core and errata) specify that omitting is the same as (the default) false. Maybe talk with the third party and let them implement the standard???

    Paul Lemmers

     
  • Saturday, April 14, 2012 12:01 PM
     
     
    Sign In to Vote
    0
    I posed that question to the third party yesterday and the answer was it has to be present and set to false.
     
  • Saturday, April 14, 2012 8:25 PM
     
     
    Sign In to Vote
    0

    :-) Ooops, that is bold....... :-) Hope you are still on speaking terms with them....

    I took a look at "internal virtual void WriteNameIDPolicy(XmlWriter writer, NameIdentifierPolicy data)", which writes the AuthnRequest. It tests a boolean and then writes it if (and only if) required....... But below is what Reflector says.   
    if (data.AllowCreate)
        {
            writer.WriteAttributeString("AllowCreate", XmlConvert.ToString(data.AllowCreate));
        }
    For the code to ever write "false" it should have been an "if then else". So I guess ADFS cannot do it.
    But the only place for an official confirmation is Microsoft Support. Getting them to fix this if the other is not folowing the standard will be a tough one.......

    Paul Lemmers

     
  • Friday, April 27, 2012 9:33 PM
     
     
    Sign In to Vote
    0

    Hello, I had the same grief with a 3rd party provider as well. I did manage to use the powershell scrips to set this to false and managed to have it show up correctly in my SAML request. I used the following PowerShell command:

    set-ADFSClaimsProviderTrust -targetname "<ENTER THE 3rd PARTY IDP HERE>" -AllowCreate $False

    The result was an AllowCreate="false" in my SAML Request to them. Hope this helps.

    - Hugh

     
  • Monday, April 30, 2012 3:07 PM
     
     
    Sign In to Vote
    0

    Hugh,

    I hate it when I leave incorrect or half information, so I'd like to put that right. I tried your tip. But in my case (ADFS RTM with Windows Update, no hotfixes, no wrapup, nothing) the AllowCreate="false" attribute is *not* sent. Of course the AllowCreate="true" disappears.

    Can you show me your SAMLRequest? What is the file version and signature date of your Microsoft.IdentityServer.dll?

    Paul Lemmers

     
  • Friday, June 01, 2012 10:59 PM
     
     
    Sign In to Vote
    0

    Paul,

    I was using ADFS 2.0 with the first update that was released for it. I don't have access to the signature date of the dll or the SAML request right now so cannot post. I may be able to dig up from an archive.

    - Hguh