ADFS: The SAML authentication request had a NameID Policy that could not be satisfied

Issue

A customer is using a cloud-hosted intranet based on Drupal. They have configured authentication for Drupal users against their ADFS server (ADFS 2012 R2, used to provide single sign-on with SAML 2.0).

In ADFS, the Relying Party Trust has been created by importing federation metadata (via URL).

The authentication source test in Drupal fails; the test steps are below.

Access the simpleSAML backend (e.g. https://drupal.x500.co.uk/simplesaml).

Enter the admin credentials, click Login.


Click on the Authentication tab, then on Test configured authentication sources.


Click on the relevant authentication source.


This redirects the client to the ADFS sign-in page: enter AD account credentials, then click Sign in.


ADFS authenticates the user against AD; however, Drupal returns the following error:


Exception during login:
sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /var/www/live/private/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
2 /var/www/live/private/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
1 /var/www/live/private/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /var/www/live/private/simplesamlphp/www/module.php:135 (N/A)

On the ADFS Server, the following event is logged in the AD FS/Admin event log.

Event ID: 321 / Level: Error
Description: The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: https://drupal.x500.co.uk/simplesaml/module.php/saml/sp/metadata.php/myad-sp
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: null.
This request failed.
User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.

Resolution

From the error messages above, it is clear that simpleSAML and ADFS are complaining about the same thing: the SP's authentication request asked for a NameID in the transient format, but the token ADFS issued contained no NameID at all ("Actual NameID properties: null"), so the requested NameID Policy could not be satisfied.

I added two Issuance Transform Rules as detailed below; it is the second rule that is crucial in resolving this issue, as it allows simpleSAML to speak to ADFS.

Edit Claim Rules – Relying Party Trust (select the relevant Relying Party Trust, then click Edit Claim Rules in the sidebar).


Rule 1:

  • Based on: Send LDAP Attributes as Claims
  • Attribute store: Active Directory
  • LDAP Attribute: User-Principal-Name / Outgoing Claim Type: UPN


Rule 2:

  • Based on: Transform an Incoming Claim
  • Incoming claim type: UPN
  • Outgoing claim type: Name ID
  • Outgoing name ID format: Transient Identifier


With the above rules in place, the Drupal authentication test is now successful. Sorted!
