NameID Policy could not be satisfied.

Question
-
Hi!
I'm trying to connect a LAMP application using simpleSAMLPHP to ADFS 2.0 RC as SP, but for some reason I can't get it to work. Could someone guide me in the correct direction to solve my problem?
The error message tells me to "Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier". The name identifier is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"; how do I configure it to emit that?
This is the error I get from ADFS:
_____________________________
The SAML authentication request had a NameID Policy that could not be satisfied.
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: null.
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.
_____________________________
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
Thursday, January 14, 2010 3:49 PM
Answers
-
You can create a name identifier per requested policy by creating two rules in the RP issuance policy. We are going to blog more about name identifiers soon (check http://blogs.msdn.com/card/). But here is a ready-to-use solution.
First create a transient user identifier by adding an advanced rule. For example:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(
        store = "_OpaqueIdStore",
        types = ("http://mycompany/internal/sessionid"),
        query = "{0};{1};{2};{3};{4}",
        param = "useEntropy",
        param = c1.Value,
        param = c1.OriginalIssuer,
        param = "",
        param = c2.Value);
Then add a claim transformation rule:
1. Incoming claim type is "http://mycompany/internal/sessionid"
2. Outgoing claim type is "Name ID"
3. Outgoing name ID format is Transient Identifier
Marked as answer by Henrik Nilsson (Identitry) Saturday, January 16, 2010 8:28 AM
Friday, January 15, 2010 3:23 AM
All replies
-
Thanks a lot Mieszko!!!
That did the trick!
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
Saturday, January 16, 2010 8:28 AM -
Hi.
I have a similar error message when using Sun OpenSSO as SP:
"Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://sol10.godisgrottan.net:8181/opensso. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: SPNameQualifier: , SPProvidedId: ."
I've tried the solution above with no success...
Thanks in advance
//Ingvar
Thursday, January 28, 2010 9:26 AM -
Ingvar, you will need to also set the SPNameQualifier to match the one in your request. You must configure this as an advanced rule.
Find your existing rule, which will look similar to this:
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
Then, customize it to also set the SPNameQualifier property:
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://sol10.godisgrottan.net:8181/opensso");
Hope this helps,
Colin
Proposed as answer by Colin Dellow - MSFT Friday, January 29, 2010 7:23 PM
Friday, January 29, 2010 7:23 PM
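As an added example (not code from this thread or from Microsoft), the following PowerShell script builds the two issuance rules that Mieszko's answer and Colin's SPNameQualifier follow-up describe and appends them to one relying party trust through the ADFS 2.0 snap-in. $RpName, $SessionIdClaimType, $SpNameQualifier and the @RuleName labels are assumptions; take the real values from your SP's metadata.

```powershell
# Added example, not code from this thread. Builds the two issuance rules the
# answers describe and appends them to one relying party trust with the ADFS 2.0
# PowerShell snap-in. $RpName, $SessionIdClaimType, $SpNameQualifier and the
# @RuleName labels are assumptions; take the real values from your SP's metadata.
$RpName             = "simpleSAMLphp SP"                     # display name of the RP trust
$SessionIdClaimType = "http://mycompany/internal/sessionid"  # internal claim carrying the transient value
$SpNameQualifier    = ""                                     # only set if the SP's AuthnRequest sends one

# Rule 1: opaque per-logon value derived from the Windows account name plus the
# authentication instant, so each logon yields a different transient identifier.
$opaqueRule = @"
@RuleName = "Transient id from opaque store"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("$SessionIdClaimType"),
        query = "{0};{1};{2};{3};{4}",
        param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
"@

# Rule 2: issue that value as the NameID in the transient format. ADFS checks both the
# format and the SPNameQualifier against the request's NameIDPolicy (MSIS1000 on mismatch),
# so the qualifier property is emitted only when the SP actually sends one.
$spnq = ""
if ($SpNameQualifier -ne "") {
    $spnq = ', Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "' + $SpNameQualifier + '"'
}
$nameIdRule = @"
@RuleName = "Issue transient NameID"
c:[Type == "$SessionIdClaimType"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"$spnq);
"@

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0; newer versions autoload the ADFS module
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

# Rules run in order and add() feeds later rules, so rule 1 must precede rule 2.
# Append to the existing rule set instead of replacing it, then show what is configured.
Set-ADFSRelyingPartyTrust -TargetName $RpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $opaqueRule + "`n" + $nameIdRule)
(Get-ADFSRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

The printed rule set is the same text the AD FS 2.0 Management snap-in shows under "Edit Claim Rules", so the result can be checked there as well.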
-
Hello,
I'm trying to build a SP to integrate with ADFS2.0. I've read many posts, including this one, and have not quite got to a solution. This post - adding the two claim rules as per Mieszko's instructions - allowed me to get rid of this error (appearing in the event log):
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
So that was a step forward. However, the result is a name ID that's encrypted:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">q2a1NbfZJPijziQXJVFV69KS5/wtMmIcr1meeWes8LY=</NameID>
I have two questions and would be grateful for any assistance:
1. How do I decrypt the username? I've tried using the certificates I can find in ADFS, but perhaps there's another?
2. How can I modify the custom rules as outlined by Mieszko to output an email address, Windows username, X509, etc.? I've tried modifying the transform rule, but any change results in no assertions in the SAML response.
For your reference, here is the SAML request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    AssertionConsumerServiceURL="https://target/test.jsp"
                    Destination="https://server2008r2.domain2008r2.local/adfs/ls/"
                    ID="ID_4434a24e-6033-9a8f-b0c9-6efb1c645f62"
                    IssueInstant="2011-11-14T21:59:58.887Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
Are there any errors in this request?
I look forward to any assistance.
John
Edited by jmbaker Monday, November 14, 2011 10:09 PM
Monday, November 14, 2011 10:09 PM -
I'm getting this message below:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: XXXXXXXX.zendesk.com
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.
I have tried several combinations of solutions people have suggested here, but can't seem to get any of them working. Suggestions?
Thursday, January 26, 2012 11:17 PM