Solved

Active Directory Federated Services NameID

Posted on 2013-11-05
7
3,268 Views
Last Modified: 2013-11-16
Any experts out there?

We are configuring ADFS to work with OpenAM. We have encountered an issue that lots of other people have encountered but we can't seem to solve it. There are many posted solutions but none of them seem to work. We try to login, and we get a saml error. Here is the relevant error from event viewer:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/4/2013 12:52:04 PM
Event ID:      321
Task Category: None
Level:         Error
Keywords:      AD FS
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: sso.uat.firstmarblehead.com/ccuniversity_sso
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.

This request failed.

There are lots of posted solutions on line:
http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/
http://social.msdn.microsoft.com/Forums/vstudio/en-US/ea5efcff-4221-4af1-b434-4be5245cb0fa/nameid-policy-could-not-be-satisfied?forum=Geneva
https://groups.google.com/forum/#!msg/simplesamlphp/Gu0Y5_fYZL4/Cv6egjsgI-MJ
http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

We have created two Issuance Transform Rules:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");

The second rule:

c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");


Attached is the output of Get-ADFSRelyingPartyTrust

We we have configuration problem with rule 1. Any ideas?
Get-ADFSRelyingPartyTrust.txt
0
Comment
Question by:CCUITAdmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 12

Expert Comment

by:piattnd
ID: 39624723
Is this from the ADFS Trace Log or the Admin Log?  To enable tracing, you need to view the analytic and debug logs within your server event viewer.  Once you do that, you should see the trace log section of ADFS.

This will give you a step by step and possibly shed more light on what's happening.  While I did spend quite a bit of time with ADFS previously, I found that almost every single relying party always did something different and took a lot of trial and error to get things fully functional.
0
 

Author Comment

by:CCUITAdmin
ID: 39624879
It's from the admin log. I'll pull the trace logs and post the relevant errors.
0
 

Author Comment

by:CCUITAdmin
ID: 39624923
Here is the decrypted/decoded saml:

Here is the post to our server, the IDP
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="s2eed242413a54b59b47903b814912ab1e84144944"
                    Version="2.0"
                    IssueInstant="2013-11-05T17:17:15Z"
                    Destination="https://auth.ccuniversity.edu/adfs/ls/"
                    ForceAuthn="false"
                    IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                 Comparison="exact"
                                 >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Here is what the browser posts to their server, the SP

<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
                Version="2.0"
                IssueInstant="2013-11-05T17:17:40.234Z"
                Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC9jCCAd6gAwIBAgIQca/kv1WgNI9OHqgFCiBlLDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBET01BSU5TRVJWRVIyLmNpbmN5YmlibGUucHJpdjAeFw0xMzEwMjQxODMzMjFaFw0xNDEwMjQxODMzMjFaMDcxNTAzBgNVBAMTLEFERlMgU2lnbmluZyAtIERPTUFJTlNFUlZFUjIuY2luY3liaWJsZS5wcml2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJKOTVYA9zyL6eomSCPILgGxFlVIQ4esw5AGOBt7Ws5fC8Wd2gO84T1WBErf0PCzrigIxPDCFuU9cEX91VAfKlCML5NGJl40MEvwtyBEo8sp4fq5RLmYYH7R+VqDf3nIkqmE7gPijkWAX9f0kaU8A7QKoSSUSmN+51jCft/ksFC9opNvq71zsKRP4m7qI/Geowh+a6PwiJHkTZBFImqFormVtm3UE+OyUpkagOKtK23vypIOLNXtfErsQVQO1JCTj/Bg4ECEib1yn/Kuy6yJOerSEwevFU6d8YwBkjBX8UeNBntpOA7F1Toma6vPIy+iqlf4xx2LK+a6o9A5Ac/o4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaAgfSJ/DM+lQ8IPUsdrMH4tTl/5DZmMy5fPeCouzi8DuV3igTCvBL79YDSkxU3IUvE7BFiTbZlW6qG5zPmULHZ/8Bcp00F/TVF/wbu2zWhPFfP0m79dEJNcVrEudWkNTKqQcfvvYrg+7Lm8yR4Fo2neFC6UfPyfqUD903y+0Xu+g6hUSJu+O9y9J4e2JQvMM9yA0DW8JcIXJceL3qB6Dm4vg/aiPStV3IKZRUo7FCvKNsffQl2Thjo+mbR2RRo7DSpKk/XSZhytE8F4gry0JWtShrJhlxPFuiBf8QDNkas78s4leau3JZ/zEc6TMsyxJTftxtISvpKztZa5BA0Vo/</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:Response>

Here is the error shown in the browser:

GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000

HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here are the only two logs in the AD FS Tracing --> Debug category that seem important. This one is an "Information log"


Date:          10/25/2013 2:32:50 PM
Event ID:      49
Task Category: None
Level:         Information
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>49</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
    <EventRecordID>92</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
    </Event>
  </UserData>
</Event>


This one is an error log:
Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          10/25/2013 2:32:50 PM
Event ID:      47
Task Category: None
Level:         Error
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>47</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
    <EventRecordID>88</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
    </Event>
  </UserData>
</Event>
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 

Author Comment

by:CCUITAdmin
ID: 39630419
Any ideas? Our team is stuck.
0
 

Accepted Solution

by:
CCUITAdmin earned 0 total points
ID: 39639809
So we made some progress by changing rules in ADFS (the IDP) and in OpenAM (the SP). We now get an error regarding certificates which we are optimistic we can resolve.

Here are the exact updated rules:

Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
This forum describes the changes made to OpenAM

http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749

Specifically note this section:

"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39641952
Hey CCUIT,

Apologies for not getting back here on this question, I spent what time I could last week looking into this, but didn't come up with anything groundbreaking.  In my experience with ADFS, each relying party was a "crapshoot".  What worked for one didn't seem to work for another.

I'm glad you guys seem to have worked past that part, though I'd also like to point out that asking for help with ADFS configuration is almost like asking for help with a custom program.  There are so many configuration points that can go wrong, don't be too discouraged if we can't give a completely clear answers (even though we try to).

Good luck along the way!
0
 

Author Closing Comment

by:CCUITAdmin
ID: 39653042
Really disappointed in this community. I posted info and asked for help repeatedly. I finally worked through it.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question