
After integrating with Okta, I'm trying to integrate SSO with ADFS.

All goes smooth until logout.

I have an exception:

Caught Exception:  System.ArgumentNullException: Value cannot be null. (Parameter 'uriString')
   at System.Uri..ctor(String uriString)
   at ITfoxtec.Identity.Saml2.Saml2LogoutRequest..ctor(Saml2Configuration config, ClaimsPrincipal currentPrincipal)
   at SiqApi.Controllers.Login.LoginController.Logout() in C:.....

After digging into the code, I found that ADFS is missing the following claim (it exists in the Okta claims):

http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2nameidformat - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

The source of the exception is in the Saml2LogoutRequest constructor:

new Uri(Saml2LogoutRequest.ReadClaimValue(identity, "http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2nameidformat", false))

Am I missing something in the ADFS configuration?

Please, advise.

borismee

1 Answer

You need to change the configuration on the AD FS to issue the NameID with a format. A NameID with a format is required to do logout.

AD FS is unfortunately capable of issuing a NameID without a format, which causes this error.

Anders Revsgaard
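As an added illustration of the fix the answer describes (not code from the question, the answer, or the ITfoxtec project), the following PowerShell appends an AD FS issuance transform rule that issues the NameID with an explicit format property, so the Subject's NameID Format is present and the Saml2LogoutRequest constructor has a value to build its Uri from. The relying party trust name "MyRelyingParty" and the use of the e-mail claim (assumed to already be issued by an earlier rule) as the NameID source are assumptions; adapt them to your trust.

```powershell
# Assumed relying party trust name; replace with the display name of yours.
$rpName = "MyRelyingParty"

# AD FS claim rule language. Without the claimproperties/format property the
# claims pipeline emits a NameID with no Format attribute, which is exactly
# what leaves the saml2nameidformat claim empty on the service provider side.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Issue NameID with format"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Preserve the rules already configured on the trust and append the new one.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
$rules = $rp.IssuanceTransformRules + "`r`n" + $nameIdRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: the stored rule set should now reference the format property.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules |
    Select-String -SimpleMatch "claimproperties/format"
```

After the rule is in place, the SAML Response's Subject/NameID carries a Format attribute, and the ITfoxtec saml2nameidformat claim is populated on the next login, so the logout request can be constructed.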