Solved

Active Directory Federated Services NameID

Posted on 2013-11-05
7
2,959 Views
Last Modified: 2013-11-16
Any experts out there?

We are configuring ADFS to work with OpenAM. We have encountered an issue that lots of other people have encountered but we can't seem to solve it. There are many posted solutions but none of them seem to work. We try to login, and we get a saml error. Here is the relevant error from event viewer:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          11/4/2013 12:52:04 PM
Event ID:      321
Task Category: None
Level:         Error
Keywords:      AD FS
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: sso.uat.firstmarblehead.com/ccuniversity_sso
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.

This request failed.

There are lots of posted solutions on line:
http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/
http://social.msdn.microsoft.com/Forums/vstudio/en-US/ea5efcff-4221-4af1-b434-4be5245cb0fa/nameid-policy-could-not-be-satisfied?forum=Geneva
https://groups.google.com/forum/#!msg/simplesamlphp/Gu0Y5_fYZL4/Cv6egjsgI-MJ
http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

We have created two Issuance Transform Rules:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");

The second rule:

c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");


Attached is the output of Get-ADFSRelyingPartyTrust

We we have configuration problem with rule 1. Any ideas?
Get-ADFSRelyingPartyTrust.txt
0
Comment
Question by:CCUITAdmin
  • 5
  • 2
7 Comments
 
LVL 12

Expert Comment

by:piattnd
ID: 39624723
Is this from the ADFS Trace Log or the Admin Log?  To enable tracing, you need to view the analytic and debug logs within your server event viewer.  Once you do that, you should see the trace log section of ADFS.

This will give you a step by step and possibly shed more light on what's happening.  While I did spend quite a bit of time with ADFS previously, I found that almost every single relying party always did something different and took a lot of trial and error to get things fully functional.
0
 

Author Comment

by:CCUITAdmin
ID: 39624879
It's from the admin log. I'll pull the trace logs and post the relevant errors.
0
 

Author Comment

by:CCUITAdmin
ID: 39624923
Here is the decrypted/decoded saml:

Here is the post to our server, the IDP
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="s2eed242413a54b59b47903b814912ab1e84144944"
                    Version="2.0"
                    IssueInstant="2013-11-05T17:17:15Z"
                    Destination="https://auth.ccuniversity.edu/adfs/ls/"
                    ForceAuthn="false"
                    IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                 Comparison="exact"
                                 >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Here is what the browser posts to their server, the SP

<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
                Version="2.0"
                IssueInstant="2013-11-05T17:17:40.234Z"
                Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC9jCCAd6gAwIBAgIQca/kv1WgNI9OHqgFCiBlLDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBET01BSU5TRVJWRVIyLmNpbmN5YmlibGUucHJpdjAeFw0xMzEwMjQxODMzMjFaFw0xNDEwMjQxODMzMjFaMDcxNTAzBgNVBAMTLEFERlMgU2lnbmluZyAtIERPTUFJTlNFUlZFUjIuY2luY3liaWJsZS5wcml2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJKOTVYA9zyL6eomSCPILgGxFlVIQ4esw5AGOBt7Ws5fC8Wd2gO84T1WBErf0PCzrigIxPDCFuU9cEX91VAfKlCML5NGJl40MEvwtyBEo8sp4fq5RLmYYH7R+VqDf3nIkqmE7gPijkWAX9f0kaU8A7QKoSSUSmN+51jCft/ksFC9opNvq71zsKRP4m7qI/Geowh+a6PwiJHkTZBFImqFormVtm3UE+OyUpkagOKtK23vypIOLNXtfErsQVQO1JCTj/Bg4ECEib1yn/Kuy6yJOerSEwevFU6d8YwBkjBX8UeNBntpOA7F1Toma6vPIy+iqlf4xx2LK+a6o9A5Ac/o4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaAgfSJ/DM+lQ8IPUsdrMH4tTl/5DZmMy5fPeCouzi8DuV3igTCvBL79YDSkxU3IUvE7BFiTbZlW6qG5zPmULHZ/8Bcp00F/TVF/wbu2zWhPFfP0m79dEJNcVrEudWkNTKqQcfvvYrg+7Lm8yR4Fo2neFC6UfPyfqUD903y+0Xu+g6hUSJu+O9y9J4e2JQvMM9yA0DW8JcIXJceL3qB6Dm4vg/aiPStV3IKZRUo7FCvKNsffQl2Thjo+mbR2RRo7DSpKk/XSZhytE8F4gry0JWtShrJhlxPFuiBf8QDNkas78s4leau3JZ/zEc6TMsyxJTftxtISvpKztZa5BA0Vo/</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:Response>

Here is the error shown in the browser:

GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000

HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here are the only two logs in the AD FS Tracing --> Debug category that seem important. This one is an "Information log"


Date:          10/25/2013 2:32:50 PM
Event ID:      49
Task Category: None
Level:         Information
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>49</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
    <EventRecordID>92</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
    </Event>
  </UserData>
</Event>


This one is an error log:
Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          10/25/2013 2:32:50 PM
Event ID:      47
Task Category: None
Level:         Error
Keywords:      ADFSSamlProtocol
User:          CBC\adfsuser
Computer:      domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>47</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
    <EventRecordID>88</EventRecordID>
    <Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
    <Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>domainserver2.cincybible.priv</Computer>
    <Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
    </Event>
  </UserData>
</Event>
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:CCUITAdmin
ID: 39630419
Any ideas? Our team is stuck.
0
 

Accepted Solution

by:
CCUITAdmin earned 0 total points
ID: 39639809
So we made some progress by changing rules in ADFS (the IDP) and in OpenAM (the SP). We now get an error regarding certificates which we are optimistic we can resolve.

Here are the exact updated rules:

Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
This forum describes the changes made to OpenAM

http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749

Specifically note this section:

"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"
0
 
LVL 12

Expert Comment

by:piattnd
ID: 39641952
Hey CCUIT,

Apologies for not getting back here on this question, I spent what time I could last week looking into this, but didn't come up with anything groundbreaking.  In my experience with ADFS, each relying party was a "crapshoot".  What worked for one didn't seem to work for another.

I'm glad you guys seem to have worked past that part, though I'd also like to point out that asking for help with ADFS configuration is almost like asking for help with a custom program.  There are so many configuration points that can go wrong, don't be too discouraged if we can't give a completely clear answers (even though we try to).

Good luck along the way!
0
 

Author Closing Comment

by:CCUITAdmin
ID: 39653042
Really disappointed in this community. I posted info and asked for help repeatedly. I finally worked through it.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
factorial example challenge 10 61
mapShare challenge 13 68
Arduino EDI - Programming language 3 60
python sqlite question 11 42
This is about my first experience with programming Arduino.
Whether you’re a college noob or a soon-to-be pro, these tips are sure to help you in your journey to becoming a programming ninja and stand out from the crowd.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now