ADFS does not pass NameID

This is how authentication is configured:

- The client browser sends the request (URL below) to the client's ADFS server.
- The client's ADFS then looks at the embedded RelayState and redirects the request to our ADFS server.
- Our ADFS reviews the request and sends the request to our app.

URL here:

https://clientadfs.clientdomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2ouradfs.ourdomain.com%2Fadfs%2Fls%2F%26RelayState%3DRPID%3Dhttps%3A%2F%2ourapp.ourdomain.com%2Fvaruna%2Fconsole%2Fsso.aspx%3FsamISso%26lang%3Den_CA

The request creates a blank page without errors on the ADFS server.

I used Fiddler to trace the client. The client uses users' email addresses to identify users. I see this email address in the SAML token sent to the client's ADFS. This SAML token is sent to our ADFS server, and I see a SAML response that comes out of our ADFS server. This, however, does not have the user's email address. I think this is the problem.

On our ADFS server, I have a claim rule for this client (on the Claims Provider Trust) to process the user ID (which is their email address):

- Claim rule name: email
- Incoming claim type: name identifier
- Incoming name ID format: email
- Outgoing name ID format: email
- Pass through all claim values

Here is the rule in the claim rule language:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(Type = "Email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

In the ADFS client configuration, this is their email / user configuration:

IssuanceTransformRules : @RuleTemplate = "LdapClaims"
                         @RuleName = "Pass email"
                         c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
                          => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

I have no idea what I'm doing wrong. Can anyone identify my problem? Or can you suggest what I should look at?

Thank you for your help!

  • RM
1 answer


ADFS. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

NameId . NameId " ", , , " ". SAML.


c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);


ADFS :

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

emailAddress, , .

Transform .

, ? ASP.NET.

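A small checker for the inspection the asker did with Fiddler (does the SAML response leaving ADFS carry the user's email?) and for the emailaddress claim the answer's rule issues; this is an added example and not code from either post. The two SAML responses are constructed samples; a real ADFS response arrives base64-encoded in the SAMLResponse form field and may be signed or encrypted, which this does not handle.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def inspect_saml_response(xml_text):
    """Report what a relying party would see as the user identity in a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    result = {"name_id": None, "name_id_format": None, "email_attr": None, "problems": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("no Assertion (missing or encrypted)")
        return result
    # Subject/NameID is what the question's pass-through rule is meant to carry.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        result["problems"].append("no NameID in Subject")
    else:
        result["name_id"] = name_id.text.strip()
        result["name_id_format"] = name_id.get("Format")
        if result["name_id_format"] != EMAIL_FORMAT:
            result["problems"].append("NameID format is not emailAddress")
    # The answer's rule issues the email as an attribute with the full claim type URI.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            val = attr.find("saml:AttributeValue", NS)
            result["email_attr"] = (val.text or "").strip() if val is not None else None
    if result["email_attr"] is None:
        result["problems"].append("no emailaddress claim")
    return result


# Constructed sample: what should leave ADFS when both NameID and the email claim are issued.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@clientdomain.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute
   Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>user@clientdomain.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
# Constructed sample: the symptom in the question, an assertion with no user identity in it.
BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0"><saml:Subject/></saml:Assertion></samlp:Response>"""
```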
