Solved

Active Directory Federated Services NameID

Posted on 2013-11-05
Last Modified: 2013-11-16
Any experts out there?

We are configuring ADFS to work with OpenAM. We have encountered an issue that lots of other people have encountered, but we can't seem to solve it. There are many posted solutions, but none of them seem to work. We try to log in, and we get a SAML error. Here is the relevant error from Event Viewer:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/4/2013 12:52:04 PM
Event ID:      321
Task Category: None
Level:         Error
Keywords:      AD FS
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: sso.uat.firstmarblehead.com/ccuniversity_sso
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.

This request failed.

There are lots of posted solutions online:
http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/
http://social.msdn.microsoft.com/Forums/vstudio/en-US/ea5efcff-4221-4af1-b434-4be5245cb0fa/nameid-policy-could-not-be-satisfied?forum=Geneva
https://groups.google.com/forum/#!msg/simplesamlphp/Gu0Y5_fYZL4/Cv6egjsgI-MJ
http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

We have created two Issuance Transform Rules:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");

The second rule:

c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");


Attached is the output of Get-ADFSRelyingPartyTrust

We have a configuration problem with rule 1. Any ideas?
Get-ADFSRelyingPartyTrust.txt
Question by:CCUITAdmin

Expert Comment

by:piattnd
ID: 39624723
Is this from the ADFS Trace Log or the Admin Log?  To enable tracing, you need to view the analytic and debug logs within your server event viewer.  Once you do that, you should see the trace log section of ADFS.

This will give you a step by step and possibly shed more light on what's happening.  While I did spend quite a bit of time with ADFS previously, I found that almost every single relying party always did something different and took a lot of trial and error to get things fully functional.

Author Comment

by:CCUITAdmin
ID: 39624879
It's from the admin log. I'll pull the trace logs and post the relevant errors.

Author Comment

by:CCUITAdmin
ID: 39624923
Here is the decrypted/decoded SAML:

Here is the post to our server, the IDP
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="s2eed242413a54b59b47903b814912ab1e84144944"
                    Version="2.0"
                    IssueInstant="2013-11-05T17:17:15Z"
                    Destination="https://auth.ccuniversity.edu/adfs/ls/"
                    ForceAuthn="false"
                    IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                 Comparison="exact"
                                 >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Here is what the browser posts to their server, the SP

<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
                Version="2.0"
                IssueInstant="2013-11-05T17:17:40.234Z"
                Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC9jCCAd6gAwIBAgIQca/kv1WgNI9OHqgFCiBlLDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBET01BSU5TRVJWRVIyLmNpbmN5YmlibGUucHJpdjAeFw0xMzEwMjQxODMzMjFaFw0xNDEwMjQxODMzMjFaMDcxNTAzBgNVBAMTLEFERlMgU2lnbmluZyAtIERPTUFJTlNFUlZFUjIuY2luY3liaWJsZS5wcml2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJKOTVYA9zyL6eomSCPILgGxFlVIQ4esw5AGOBt7Ws5fC8Wd2gO84T1WBErf0PCzrigIxPDCFuU9cEX91VAfKlCML5NGJl40MEvwtyBEo8sp4fq5RLmYYH7R+VqDf3nIkqmE7gPijkWAX9f0kaU8A7QKoSSUSmN+51jCft/ksFC9opNvq71zsKRP4m7qI/Geowh+a6PwiJHkTZBFImqFormVtm3UE+OyUpkagOKtK23vypIOLNXtfErsQVQO1JCTj/Bg4ECEib1yn/Kuy6yJOerSEwevFU6d8YwBkjBX8UeNBntpOA7F1Toma6vPIy+iqlf4xx2LK+a6o9A5Ac/o4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaAgfSJ/DM+lQ8IPUsdrMH4tTl/5DZmMy5fPeCouzi8DuV3igTCvBL79YDSkxU3IUvE7BFiTbZlW6qG5zPmULHZ/8Bcp00F/TVF/wbu2zWhPFfP0m79dEJNcVrEudWkNTKqQcfvvYrg+7Lm8yR4Fo2neFC6UfPyfqUD903y+0Xu+g6hUSJu+O9y9J4e2JQvMM9yA0DW8JcIXJceL3qB6Dm4vg/aiPStV3IKZRUo7FCvKNsffQl2Thjo+mbR2RRo7DSpKk/XSZhytE8F4gry0JWtShrJhlxPFuiBf8QDNkas78s4leau3JZ/zEc6TMsyxJTftxtISvpKztZa5BA0Vo/</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:Response>

Here is the error shown in the browser:

GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000

HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here are the only two logs in the AD FS Tracing --> Debug category that seem important. This one is an "Information log"


Date:          10/25/2013 2:32:50 PM
Event ID:      49
Task Category: None
Level:         Information
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>49</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
    <EventRecordID>92</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
    </Event>
  </UserData>
</Event>


This one is an error log:
Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          10/25/2013 2:32:50 PM
Event ID:      47
Task Category: None
Level:         Error
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>47</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
    <EventRecordID>88</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
    </Event>
  </UserData>
</Event>

Author Comment

by:CCUITAdmin
ID: 39630419
Any ideas? Our team is stuck.

Accepted Solution

by: CCUITAdmin (earned 0 total points)
ID: 39639809
So we made some progress by changing rules in ADFS (the IDP) and in OpenAM (the SP). We now get an error regarding certificates which we are optimistic we can resolve.

Here are the exact updated rules:

Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
This forum thread describes the changes made to OpenAM:

http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749

Specifically note this section:

"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of them seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"
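The two rule sets on this page (the original pair in the question and the updated pair in the accepted solution) differ in what ends up in the nameidentifier claim's Properties map, and that map is exactly what AD FS compares against the SP's NameIDPolicy before it reports MSIS1000. The script below is an added example, not code from the question, from AD FS or from OpenAM. It parses a trimmed copy of the posted AuthnRequest (constructed here), applies the NameIDPolicy matching rules from SAML 2.0 Core section 3.4.1.1 (a requested Format must be matched exactly; a requested SPNameQualifier must be matched exactly), and checks three candidate outcomes: no nameidentifier claim at all (the "Actual NameID properties: null" case in the posted event; note that the original rule 1 only fires if some earlier rule has already put a nameidentifier claim into the pipeline), the original rule 1's qualifier with its extra "http://" prefix, and the accepted solution's rule 2. It also walks the nested StatusCode of the error Response so an SP operator can pick InvalidNameIDPolicy out of a generic Requester status. All function names, the trimmed XML and the dictionaries are my own constructions.

```python
"""Simulate the AD FS NameIDPolicy check behind event MSIS1000 (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Claim-property URIs used in the Properties[...] map of an AD FS issue() rule.
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
SPNQ_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"

# Constructed AuthnRequest, trimmed to the elements the check needs.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2013-11-05T17:17:15Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed error Response with the nested status from the posted trace.
ERROR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2013-11-05T17:17:40Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# NameID properties the question's original rule 1 would emit (scheme prefix on the qualifier).
ORIGINAL_RULE1_PROPS = {
    FORMAT_PROP: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    SPNQ_PROP: "http://sso.uat.firstmarblehead.com/ccuniversity_sso",
}
# NameID properties the accepted solution's rule 2 emits.
UPDATED_RULE2_PROPS = {
    FORMAT_PROP: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    SPNQ_PROP: "sso.uat.firstmarblehead.com/ccuniversity_sso",
}


def parse_nameid_policy(authn_request_xml: str) -> Dict[str, Optional[str]]:
    """Return the NameIDPolicy attributes of an AuthnRequest (absent ones as None)."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    keys = ("Format", "SPNameQualifier", "AllowCreate")
    if policy is None:
        return {k: None for k in keys}
    return {k: policy.get(k) for k in keys}


def policy_satisfied(policy: Dict[str, Optional[str]],
                     nameid_props: Optional[Dict[str, str]]) -> Tuple[bool, str]:
    """Apply SAML 2.0 Core 3.4.1.1 to the NameID the IdP would issue.

    nameid_props is the Properties map of the issued nameidentifier claim, or
    None when no such claim was produced (the 'Actual NameID properties: null' case).
    """
    if nameid_props is None:
        return False, "no nameidentifier claim issued (actual NameID properties: null)"
    fmt = policy["Format"]
    if fmt and fmt != UNSPECIFIED and nameid_props.get(FORMAT_PROP) != fmt:
        return False, f"Format mismatch: wanted {fmt}, got {nameid_props.get(FORMAT_PROP)}"
    spnq = policy["SPNameQualifier"]
    if spnq and nameid_props.get(SPNQ_PROP) != spnq:
        return False, f"SPNameQualifier mismatch: wanted {spnq!r}, got {nameid_props.get(SPNQ_PROP)!r}"
    return True, "NameIDPolicy satisfied"


def response_status_codes(response_xml: str) -> List[str]:
    """Return the nested StatusCode values of a SAML Response, outermost first."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes: List[str] = []
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    return codes


def diagnose() -> Dict[str, Tuple[bool, str]]:
    """Check each candidate NameID outcome against the posted request's policy."""
    policy = parse_nameid_policy(AUTHN_REQUEST)
    return {
        "no_claim": policy_satisfied(policy, None),
        "original_rule1": policy_satisfied(policy, ORIGINAL_RULE1_PROPS),
        "updated_rule2": policy_satisfied(policy, UPDATED_RULE2_PROPS),
    }


if __name__ == "__main__":
    for name, (ok, why) in diagnose().items():
        print(f"{name:15s} {'OK  ' if ok else 'FAIL'} {why}")
    print("SP sees status:", " -> ".join(response_status_codes(ERROR_RESPONSE)))
```

The value of running this against a real AuthnRequest is that the comparison is byte-exact: the policy's SPNameQualifier is whatever the SP put in its entityID, scheme and all, so a qualifier typed by hand into a claim rule has to match it character for character.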

Expert Comment

by:piattnd
ID: 39641952
Hey CCUIT,

Apologies for not getting back here on this question. I spent what time I could last week looking into this, but didn't come up with anything groundbreaking.  In my experience with ADFS, each relying party was a "crapshoot".  What worked for one didn't seem to work for another.

I'm glad you guys seem to have worked past that part, though I'd also like to point out that asking for help with ADFS configuration is almost like asking for help with a custom program.  There are so many configuration points that can go wrong, so don't be too discouraged if we can't give completely clear answers (even though we try to).

Good luck along the way!

Author Closing Comment

by:CCUITAdmin
ID: 39653042
Really disappointed in this community. I posted info and asked for help repeatedly. I finally worked through it.