SP Initiated SSO, MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token

I’m an SP, using SP Initiated SSO to an IDP that’s using ADFS.

Initially I had their PartnerIdentityProvider configured in my saml.config to use `NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"`.
I only set this because I used it successfully with a previous IDP partner.

However, when I send them an AuthNRequest, their response fails to send to me; it bombs out on their side with the following error:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token.

Any thoughts on this error? Can I just remove the optional NameIDFormat, and in what case would I have to specify it?

Also, I’m using the following on my side to reference their attributes:

```csharp
// Attribute name -> value dictionary stored in session by the SAML assertion consumer service
IDictionary<string, string> attributes =
    (IDictionary<string, string>)Session[SAML.AssertionConsumerService.AttributesSessionKey];
```

Do the stored attributes also include their friendly name? Can I search by friendly name?

Thanks again!

Josh


Full error provided by IDP:

```
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
```

The simplest solution is to not specify a NameIDFormat as it’s not required. This then defaults to “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” which is handled by ADFS without any additional configuration required.
Our ADFS Relying Party Integration Guide explains the configuration required in ADFS if you did wish to support sending a NameIDPolicy. Please refer to the “Specifying the Name ID Format” section.
https://www.componentspace.com/Forums/9358/ADFS-Integration-Guides

The SAMLServiceProvider.ReceiveSSO method that returns a dictionary is a convenience method for the majority of use cases where you simply want the SAML attribute names and values. However, this doesn’t provide access to the SAML attribute friendly name or other information. The alternative is to use the SAMLServiceProvider.ReceiveSSO that returns a SAMLAttribute[]. You can access all the information, including the friendly name, using the SAMLAttribute class.
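The two points in the reply above, the NameIDPolicy/NameID format match that ADFS enforces (MSIS7070) and looking attributes up by FriendlyName, as an added stand-alone illustration in plain Python. This is not ComponentSpace or ADFS code; the assertion is constructed and unsigned, and a real SP must verify the signature before reading any of it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion: NameID carries no Format attribute, as in the MSIS7070 error
# above ("Actual NameID properties: Format: ,"), and one attribute has a FriendlyName.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                    FriendlyName="E-Mail Address">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def nameid_satisfies_policy(assertion_xml, requested_format):
    """True if the NameID Format satisfies the NameIDPolicy the SP requested.

    No policy (NameIDFormat omitted) or 'unspecified' accepts whatever the IdP issues;
    any other requested format must match the issued Format exactly.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False
    # Per SAML Core, an absent Format attribute means 'unspecified'.
    actual = name_id.get("Format", UNSPECIFIED)
    if requested_format in (None, UNSPECIFIED):
        return True
    return actual == requested_format


def attributes_by_friendly_name(assertion_xml):
    """Map FriendlyName -> (Name, [values]); attributes without a FriendlyName are skipped."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        friendly = attr.get("FriendlyName")
        if friendly is None:
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result[friendly] = (attr.get("Name"), values)
    return result
```

Requesting the transient format against this assertion fails the check, while omitting the policy (the reply's recommended fix) passes it.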