NameIDPolicy and ADFS

I’m not very familiar with ADFS, but it seems whenever I attempt to integrate with an ADFS IdP, they always run into some sort of NameIDPolicy issue. My AuthnRequest contains a NameIDPolicy and I always get back an InvalidNameIDPolicy error. I tried setting the format value to all things defined in their metadata, but no luck. I guess they need to do something on their end to enable, or allow it. Is there something on my end I can adjust or is there some magic ADFS words I can tell them so they know what they need to do on their end?

Thanks!

By default the authn request specifies “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” as the NameIDPolicy. This works with ADFS.
You can specify a different NameIDPolicy in the authn request through the SAML configuration NameIDFormat.

Have you tried the default “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”?
I also suggest taking a look at the ADFS event log for more details.

Did you ever figure out a solution to this? I am experiencing the exact same issue with an ADFS that is set up for auto-update with metadata.

Sorry to both of you as I did not have notifications enabled. Yes, I did figure it out. I had tried specifying different name ID format values to no avail. I guess ADFS needs a claim rule transform as it doesn’t understand NameIDPolicy. So, if your ADFS counterpart knows what that is, great, they can do something about it. Otherwise, you can set NameIDFormat to null which will cause the following to be sent: <samlp:NameIDPolicy AllowCreate="true" /> which works for them out of the box.
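To make the two requests discussed in this thread concrete, here is an added example (not code from the thread or from the vendor's SAML library) that builds a minimal SAML 2.0 AuthnRequest either with the default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Format or with no Format at all (the bare <samlp:NameIDPolicy AllowCreate="true" /> that the null setting produces), and then inspects a Response for the InvalidNameIDPolicy status code so an SP can log the real cause instead of a generic failure. The issuer, ACS and destination URLs are placeholders, and the two Response documents are constructed samples that mimic the nested Responder/InvalidNameIDPolicy status an IdP returns when it rejects the policy.

```python
"""Added example: SAML 2.0 NameIDPolicy in an AuthnRequest and InvalidNameIDPolicy
detection in a Response. Not from the thread or the vendor library; URLs below are
placeholders and the Response XML is constructed sample data."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Default Format named in the thread, and the status URIs from the SAML 2.0 core spec.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_authn_request(issuer, acs_url, destination, name_id_format=UNSPECIFIED):
    """Serialize an AuthnRequest. name_id_format=None emits NameIDPolicy with
    only AllowCreate, which is what the thread reports ADFS accepts out of the box."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    policy_attrs = {"AllowCreate": "true"}
    if name_id_format is not None:
        policy_attrs["Format"] = name_id_format
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", policy_attrs)
    return ET.tostring(root, encoding="unicode")


def name_id_policy_format(authn_request_xml):
    """Return the NameIDPolicy Format attribute, or None when it is absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status_codes(response_xml):
    """Return the chain of StatusCode Value attributes, outermost first.
    IdPs nest the specific reason (e.g. InvalidNameIDPolicy) under a
    top-level Requester/Responder code, so walk the nesting."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def is_invalid_name_id_policy(response_xml):
    """True when the IdP rejected our NameIDPolicy; the SP should surface this
    exact code (and the IdP's StatusMessage, if any) rather than a generic error."""
    return INVALID_NAMEID_POLICY in response_status_codes(response_xml)


# Constructed sample Responses (status-only; no assertion, no signature).
REJECTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{INVALID_NAMEID_POLICY}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed2"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    # Placeholder endpoints; substitute the real SP issuer/ACS and the IdP SSO URL.
    print(build_authn_request("https://sp.example/metadata", "https://sp.example/acs",
                              "https://adfs.example/adfs/ls/"))
    print(build_authn_request("https://sp.example/metadata", "https://sp.example/acs",
                              "https://adfs.example/adfs/ls/", name_id_format=None))
    print(response_status_codes(REJECTED_RESPONSE), is_invalid_name_id_policy(REJECTED_RESPONSE))
```

When debugging this against ADFS, compare the Format attribute your SP actually sends (as name_id_policy_format shows it) with the nested status chain in the Response; a Responder/InvalidNameIDPolicy pair is the IdP saying it cannot satisfy the requested Format, which is the condition the thread resolves by omitting the Format or by having the ADFS administrator add the appropriate claim rule.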

We use the default value of “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” as the NameIDPolicy and haven’t been able to get this to fail with ADFS.
The ADFS configuration we use is documented in our Developer Guide.
It would be interesting to compare ADFS configurations. There must be some setting on the ADFS side that is causing the issue for some users but not for others.