NameIDPolicy not satisfied by the issued token

  • Question

  • Hello guys!

    I'm really new to ADFS. My current environment is running on Server 2012 R2 and I have one 3rd-party app that is working with my ADFS; I can log in to that app using my credentials.

    Now I'm trying to configure another app and I have uploaded the app's .XML. I've configured some claim rules but it looks like it is not working. The app guys are using some URL to test everything and I see this error in my event viewer:

    Exception details:
    Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: sp-prod. Actual NameID properties: null.

    I have only one claim at this moment. Please see attached.

    I'm not sure if the problem is on my side or if they are missing something.

    Can you guys help me?

    Thanks!

    Diego


    Thursday, October 3, 2019 4:03 PM

All replies

  • Do a Transform rule taking the attribute you are using for NameID e.g. email and transform to NameID format unspecified.

    Thursday, October 3, 2019 9:04 PM
  • Hey nzpcmad1!

    Thanks for your help, but it did not work. I've also tried different claims, but no luck.

    Is there anything else to do?

    Diego

    Thursday, October 3, 2019 10:46 PM
  • Did you check with the application provider to see what should be the claim configuration?

    Mark the answer if it helps you.

    Friday, October 4, 2019 2:13 PM
  • Yes, they told me they use Name ID unspecified.
    Friday, October 4, 2019 2:24 PM
  • Can you try sAM-Account-Name instead of Persistent Identifier?

    Mark the answer if it helps you.

    Friday, October 4, 2019 3:16 PM
  • Hey Sugathan J,

    I do not see that option there. Here is what I have:

    Friday, October 4, 2019 3:25 PM
  • Did you try Unspecified for both incoming and outgoing format? Looks like there is a mismatch in claim rules.

    Mark the answer if it helps you.

    Friday, October 4, 2019 3:53 PM
  • Yes, I did it for both as well. No way this is working:

    MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: sp-prod. Actual NameID properties: null.
    Friday, October 4, 2019 4:09 PM
  • Use SAML-tracer for Chrome and check what is happening.

    Mark the answer if it helps you.

    Friday, October 4, 2019 4:21 PM
  • It does not show anything other than the InvalidNameIDPolicy.
    Friday, October 4, 2019 4:49 PM
  • Your Transform rule needs "Incoming claim type" = email.

    "Outgoing claim type" = NameID - format "unspecified".

    Monday, October 7, 2019 6:52 PM
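    As an added example (not part of the thread and not Microsoft's own documentation), the two rules the last reply describes, written in ADFS claim rule language and appended to the relying party's existing issuance transform rules with the AD FS PowerShell module. The relying party display name is a placeholder; the AD attribute `mail` and the rule names are assumptions.

    ```powershell
    # Added example, not from the thread. Run on the ADFS server as an AD FS admin.
    $rpName = "<relying-party-display-name>"   # placeholder: the new app's trust

    $newRules = @'
    @RuleTemplate = "LdapClaims"
    @RuleName = "Email from AD"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

    @RuleTemplate = "MapClaims"
    @RuleName = "Email to NameID (unspecified)"
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
    '@

    # The first rule makes sure an e-mail claim actually exists in the pipeline;
    # "Actual NameID properties: null" in MSIS7070 means no nameidentifier claim
    # was issued at all, which is what happens when the transform rule's incoming
    # claim is never produced.
    $trust = Get-AdfsRelyingPartyTrust -Name $rpName
    if (-not $trust) { throw "Relying party trust '$rpName' not found" }

    # Keep whatever rules are already there and append the two new ones.
    $combined = ($trust.IssuanceTransformRules + "`r`n" + $newRules)
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $combined

    # Verify: the resulting rule set should now contain the nameidentifier rule.
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
    ```

    After applying the rules, re-run the app's test URL and confirm in SAML-tracer that the Response carries a `<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">` element.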