InvalidNameIDPolicy working with ADFS

wcpaez picture wcpaez · Nov 11, 2016 · Viewed 17.4k times · Source

I have many clients that uses SSO, for that we use SAML 2. Many of my clients uses providers like Okta, PingIdentity and a bunch of them ADFS. Doing the integration with ADFS always at the beginning raises this error when they came back with the SAMLResponse.

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>

Im asking to use as name Identifier this:

"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

Im pretty new to SAML and I just want to know what is happening on ADFS, since this is just happening with clients that uses that.

Thanks a lot.

Answer

Sam picture Sam · Nov 11, 2016

By default, ADFS sends the NameId format as "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". You can adjust it. See: https://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx