
I'm using Issuance Policy as:

Rule 1:

(screenshot of Rule 1; image not reproduced)

Rule 2 (custom):

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", 
Issuer = c.Issuer, 
OriginalIssuer = c.OriginalIssuer, 
Value = c.Value, 
ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", 
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "https://fs.hhres.com/adfs/services/trust", 
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp_test");

When I try to log in, it gives me an error (from Event Viewer):

The SAML authentication request had a NameID Policy that could not be satisfied.

Requestor: BambooHR-SAML

Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier:

Exception details: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: https://adfs_url/adfs/services/trust SPNameQualifier: sp_test, SPProvidedId: .

This request failed.

User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.

Can someone please explain what I'm doing wrong and what needs to be done?

soccer7

2 Answers


I resolved this by changing the line:

Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", 

into

Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", 
soccer7
  • Yup - that would work as well. Re. above - Incoming : select email Outgoing : select NameID. That allows the format box for editing - select email. This way is far easier than writing "Properties". – rbrayb Jul 10 '18 at 21:19
  • It didn't work and gives the same error. That makes my rule: `c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"); ` – soccer7 Jul 10 '18 at 21:35

It wants a NameID format of emailAddress and you are supplying one of transient.

The easiest way to do this is via a Transform rule.

Transform email to NameID and pick email format from the drop-down.

rbrayb
  • When I select "Transform an Incoming Claim", it gives many textboxes `Incoming Claim Type`, `Incoming name ID format`, `Outgoing Claim Type` and `Outgoing name ID format`. Can you please update your answer with the values that should be used in each of them? – soccer7 Jul 10 '18 at 19:58
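Both answers come down to the same fix: the relying party's NameIDPolicy asks for the `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` format, so the issued nameidentifier claim must carry that format property instead of `transient`. The following is an added example, not code from either answer, showing how to apply the "Transform an Incoming Claim" rule (email in, NameID out, format Email) with the AD FS PowerShell cmdlets and then verify that the rule set actually emits the format the SP requested before testing a login again. It assumes the AD FS module is loaded on the federation server and that the relying party trust is named `BambooHR-SAML`, the Requestor shown in the event; the `@RuleTemplate = "MapClaims"` header is what the management snap-in writes for that rule type.

```powershell
# Added example (not from the question or the answers): apply the email -> NameID
# transform rule with PowerShell and verify the NameID format AD FS will issue.
# Assumptions: AD FS PowerShell module available on the federation server, and the
# relying party trust display name is "BambooHR-SAML" (the Requestor in the event).
Import-Module ADFS

$rpName = 'BambooHR-SAML'   # relying party trust display name (from the event log)

# Claim rule language equivalent of the GUI "Transform an Incoming Claim" rule:
# incoming e-mail address -> outgoing Name ID, outgoing name ID format "Email".
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Set-AdfsRelyingPartyTrust replaces the whole issuance transform rule set, so keep
# whatever rule already produces the e-mail claim (Rule 1) and append the NameID rule.
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $nameIdRule)

# Verification: extract the format property from every issued nameidentifier claim
# and compare it with the format the SP asks for in its NameIDPolicy (from the event).
$requestedFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
$rules   = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$formats = [regex]::Matches($rules, 'claimproperties/format"\]\s*=\s*"([^"]+)"') |
           ForEach-Object { $_.Groups[1].Value }

if ($formats -contains $requestedFormat) {
    "OK: a rule issues NameID with format $requestedFormat"
} else {
    "Mismatch: SP requests $requestedFormat, rules issue: $($formats -join ', ')"
}
```

If the check reports a mismatch (for example only `transient` is found), the MSIS7070 event will keep firing because AD FS compares the requested NameIDPolicy format against the format property of the nameidentifier claim it actually issued; the first answer's edit of the `format` property and the second answer's transform rule both make that comparison succeed.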