Invalid NameID policy

  • Question

  • Setup Claim rules as follows:

    1. Create a claim with template "Send LDAP Attributes as Claims". Select "E-Mail-Addresses" for "LDAP attribute" and "E-Mail Address" for "Outgoing Claim Type".
    2. Create another claim with template "Transform an Incoming Claim". "Incoming claim type" shall be "E-Mail Address", "Outgoing claim type" shall be "Name ID", "Outgoing name ID format" shall be "Email", and the option "Pass through all claim values" shall be selected.

    Error I get is:

    The SAML authentication request had a NameID Policy that could not be satisfied.

    Requestor: xxxxxxxxxxx.xxxxxxxx.xxx

    Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    SPNameQualifier: 

    Exception details:

    MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier:  SPNameQualifier: , SPProvidedId: .

    This request failed.

    User Action

    Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.


    Based on the claim rule I am passing the email address as the NameID, but it is passed as "unspecified" instead of "emailAddress".


    Jim Mangan Lead Systems Administrator

    Tuesday, October 15, 2013 2:02 PM
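The MSIS1000 check the error above describes, reproduced as an added Python example that is not part of this thread and is not AD FS code: it reads the NameIDPolicy from a SAML 2.0 AuthnRequest and the NameID from the issued assertion, then reports the same mismatch AD FS reports (requested Format emailAddress, issued Format unspecified). Both XML documents, the issuer URLs and the user value are constructed sample input; treating a missing Format attribute as "unspecified" follows the SAML 2.0 Core default.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest: the SP demands an emailAddress-format NameID
# and, like the request in the error above, does not allow AD FS to create one.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2013-10-15T14:02:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="false"/>
</samlp:AuthnRequest>"""

# Constructed assertion as the failing token looks: NameID present, Format attribute absent.
ASSERTION_UNSPECIFIED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-10-15T14:02:01Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jim@example.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed assertion as the SP expects it: NameID carries the emailAddress Format.
ASSERTION_EMAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2013-10-15T14:02:01Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jim@example.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def requested_nameid_policy(authn_request_xml):
    """Return the NameIDPolicy of an AuthnRequest as a dict, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return {
        # SAML 2.0 Core: an omitted Format means "unspecified" (any format is acceptable).
        "Format": policy.get("Format", UNSPECIFIED_FORMAT),
        "SPNameQualifier": policy.get("SPNameQualifier"),
        "AllowCreate": policy.get("AllowCreate", "false").lower() == "true",
    }


def issued_nameid(assertion_xml):
    """Return the Subject NameID of an assertion as a dict, or None if absent."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None
    return {
        # Same default: a NameID without Format is reported as "unspecified".
        "Format": nameid.get("Format", UNSPECIFIED_FORMAT),
        "SPNameQualifier": nameid.get("SPNameQualifier"),
        "Value": (nameid.text or "").strip(),
    }


def nameid_policy_satisfied(authn_request_xml, assertion_xml):
    """Return (ok, reason): does the issued NameID satisfy the requested NameIDPolicy?"""
    policy = requested_nameid_policy(authn_request_xml)
    if policy is None:
        return True, "request carries no NameIDPolicy"
    nameid = issued_nameid(assertion_xml)
    if nameid is None:
        return False, "issued assertion has no Subject NameID"
    # A specific requested Format must be matched exactly; "unspecified" accepts any.
    if policy["Format"] != UNSPECIFIED_FORMAT and policy["Format"] != nameid["Format"]:
        return False, (f"requested Format {policy['Format']} "
                       f"but issued NameID has Format {nameid['Format']}")
    # A requested SPNameQualifier must be echoed on the issued NameID.
    if policy["SPNameQualifier"] and policy["SPNameQualifier"] != nameid["SPNameQualifier"]:
        return False, (f"requested SPNameQualifier {policy['SPNameQualifier']} "
                       f"but issued NameID has {nameid['SPNameQualifier']}")
    return True, "NameIDPolicy satisfied"


if __name__ == "__main__":
    for label, assertion in (("no Format", ASSERTION_UNSPECIFIED), ("emailAddress", ASSERTION_EMAIL)):
        ok, reason = nameid_policy_satisfied(AUTHN_REQUEST, assertion)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({reason})")
```

Run against the first assertion the check fails with the same pair of formats the MSIS1000 message lists; against the second it passes. When troubleshooting, comparing the requested Format from the SP's AuthnRequest with the Format attribute actually present on the NameID in the issued token (captured from the AD FS response) shows directly which side of the mismatch needs attention.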

All replies

  • What NameId format is specified in the metadata?

    It looks like it is specified as "unspecified" ?

    What happens when you change the "Outgoing name ID format" to "unspecified"?

    Tuesday, October 15, 2013 6:01 PM