Issue
A customer is using a cloud hosted intranet based on Drupal. They have configured authentication for Drupal users against their ADFS Server (ADFS 2012R2 used to provide single sign on with SAML 2.0).
In ADFS, the Relying Party Trust has been created by importing federation metadata (via URL).
The authentication source test in Drupal fails; the test steps are below.
Access the simpleSAML backend (e.g. https://drupal.x500.co.uk/simplesaml).
Enter the admin credentials, click Login.
Click on the Authentication tab, then on Test configured authentication sources.
Click on the relevant authentication source.
This redirects the client to the ADFS sign-in page: enter AD account credentials and click Sign in.
ADFS authenticates the user against AD, however Drupal throws up the following error:
Exception during login:
sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/live/private/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
2 /var/www/live/private/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
1 /var/www/live/private/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /var/www/live/private/simplesamlphp/www/module.php:135 (N/A)
On the ADFS Server, the following event is logged in the AD FS/Admin event log.
Event ID: 321 / Level: Error
Description: The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: https://drupal.x500.co.uk/simplesaml/module.php/saml/sp/metadata.php/myad-sp
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: null.
This request failed.
User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
Resolution
From the error messages above, it is clear that simpleSAML and ADFS are complaining about the same thing: a NameID Policy that is not satisfied. The SP's authentication request asks for a NameID in transient format, but the token ADFS issues contains no NameID at all ("Actual NameID properties: null").
I added two Issuance Transform Rules, as detailed below; it is the second rule that is crucial in resolving this issue, as it allows simpleSAML to speak to ADFS.
Edit Claim Rules – Relying Party Trust: select the relevant Relying Party Trust, then click Edit Claim Rules from the sidebar.
Rule 1:
- Based on: Send LDAP Attributes as Claims
- Attribute store: Active Directory
- LDAP Attribute: User-Principal-Name / Outgoing Claim Type: UPN
Rule 2:
- Based on: Transform an Incoming Claim
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Transient Identifier
With the above rules in place, the Drupal authentication test is now successful. Sorted!