ADFS 2.0 InvalidNameIDPolicy

I configured the application in ADFS trusted proxies, so I can log in using ADFS / SSO. After that, I installed SimpleSAMLphp to work with this login and processed the SAML response.

This is my authsources configuration:

    'myauth' => array(
        'saml:SP',
        'idp' => 'http://domain/adfs/services/trust',
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
    ),

But after logging in, I get the following error when the response message is processed:

    Login exception: sspmod_saml_Error: Requester / InvalidNameIDPolicy
    Backtrace:
    3 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:76 (sspmod_saml_Message::getResponseError)
    2 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
    1 /home/......../adfs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
    0 /home/......../adfs/simplesamlphp/www/module.php:135 (N/A)

Am I missing something? How can I get this identity policy? Where do I define it?

Thanks.

1 answer

SimpleSAMLphp usually uses UPN or email as the NameID. You need to check the configuration.

So, in ADFS, create two claim rules:

One that creates the claim (UPN or email); this is a regular LDAP attribute rule.

And a transform rule that takes the above and turns it into a NameID claim with a format of "transient".

Again, SimpleSAMLphp may not use the transient format; you need to check the configuration.

Update:

Assuming UPN:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

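As an added diagnostic, not part of the original question or answer: a Python script that reads the NameIDPolicy format the SP requested and the nested StatusCode chain the IdP returned, so the "Requester / InvalidNameIDPolicy" mismatch in the question can be checked against a captured SAML trace. The XML fragments are constructed samples, not captured from the poster's environment.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed AuthnRequest: what the SP sends to ADFS. The NameIDPolicy element
# is the part ADFS must be able to satisfy with a NameID of that format.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed error Response: the nested status that SimpleSAMLphp surfaces
# as "Requester / InvalidNameIDPolicy".
ERROR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2013-01-01T00:00:01Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

def requested_nameid_format(authn_request_xml):
    """Format attribute of the AuthnRequest's NameIDPolicy, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def status_codes(response_xml):
    """StatusCode values of a Response, outermost first (top-level code, then detail)."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes

def diagnose(authn_request_xml, response_xml):
    """Pair the requested format with the IdP's answer so a mismatch is visible."""
    codes = status_codes(response_xml)
    return {
        "requested_format": requested_nameid_format(authn_request_xml),
        "status": codes,
        "nameid_policy_rejected": INVALID_POLICY in codes,
    }
```

If `nameid_policy_rejected` is true, the ADFS relying party trust needs a transform rule issuing a NameID in exactly the `requested_format`, or the SP's requested format must be changed to one ADFS issues.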

Source: https://habr.com/ru/post/979473/
