ADFS 3.0 with NO pass-through work with SAML?

  • Question

  • Our ADFS environment does not use authentication pass-through, based on the number of open systems, classrooms etc. We are trying to set up a Relying Party Trust, but are having no luck. They are stating that NameID is not being released to the SAML assertion. It routes to our ADFS login site, but when someone attempts to log in, it goes back to their login site and errors.

    How can we check on this or troubleshoot it? Can SAML work without ADFS pass-through?

    Friday, July 14, 2017 3:05 PM

Answers

  • Ok we got it by just sending an LDAP attribute as the claim rather than trying to do a transform.
    • Marked as answer by CSCTool Tuesday, July 18, 2017 4:11 PM
    • Edited by CSCTool Tuesday, July 18, 2017 4:12 PM
    Monday, July 17, 2017 5:47 PM
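The two approaches the thread contrasts, written out as AD FS claim rules, as an added example that is not part of the original posts. The relying-party display name "Partner SAML App" is an assumption; everything else uses the standard claim-rule language and the AD FS PowerShell cmdlets present on AD FS 3.0:

```powershell
# Added example (not from the thread). Issues the AD "mail" attribute straight into the
# SAML Name ID, which is what the accepted answer ended up doing, and shows beside it the
# transform rule that silently issues nothing when no earlier rule supplied the e-mail claim.
# "Partner SAML App" is an assumed relying-party name; substitute your own.
$rpName = "Partner SAML App"

# 1. Inspect what the RP currently issues before changing anything.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceTransformRules

# 2. LDAP-attribute rule: query AD for "mail" and emit it directly as nameidentifier.
$ldapNameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# 3. For comparison, the transform form (e-mail -> Name ID). Its input is the emailaddress
#    claim, so unless some earlier rule issued that claim it matches nothing, the assertion
#    goes out without a NameID, and the RP bounces the user back with an error.
$transformNameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# 4. Apply the LDAP rule. Note this replaces the RP's entire issuance rule set: append the
#    text captured in step 1 if other rules need to survive.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ldapNameIdRule
```

The LDAP rule emits the NameID with no format property; if the partner insists on a specific NameID format (for example emailAddress), keep the LDAP rule and add a second transform rule over the nameidentifier claim it produces that sets the format property, rather than relying on an emailaddress claim that may never be issued.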

All replies

  • To start with, if you get an error on the ADFS login page, check the Admin event logs; you can enable debug logging and get more information.

    If their RP does not like it, use Fiddler and see what you are passing in the token. You can also enable auditing to see what attributes are passing in the SAML Token.

    Friday, July 14, 2017 8:40 PM
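The checks the reply above suggests (Admin log, debug logging, issuance auditing), written out as commands run on the AD FS 3.0 server, as an added example that is not part of the original reply. The cmdlets and log names are the built-in ones; the event count, the one-hour window and the "nameidentifier" filter are my own choices:

```powershell
# Added example (not from the thread): troubleshooting a "NameID missing" complaint on AD FS 3.0.
# Run elevated on the federation server. Limits and time windows are arbitrary choices.

# 1. Admin log: the error shown on the ADFS sign-in page is recorded here first.
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in "Error","Warning" } |
    Format-List TimeCreated, Id, Message

# 2. Verbose logging plus the tracing/debug log while the failing sign-in is reproduced.
#    Switch both off afterwards: the debug log grows fast and records claim values.
Set-AdfsProperties -LogLevel @("Errors","Warnings","Information","Verbose")
wevtutil.exe sl "AD FS Tracing/Debug" /e:true
# ... reproduce the failing login, then revert:
wevtutil.exe sl "AD FS Tracing/Debug" /e:false
Set-AdfsProperties -LogLevel @("Errors","Warnings","Information")

# 3. Issuance auditing writes the claims actually placed in the token to the Security log.
#    The AD FS service account needs the "Generate security audits" user right for this.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
Set-AdfsProperties -LogLevel @("Errors","Warnings","Information","SuccessAudits","FailureAudits")

# 4. Read back the audit events from the last hour and keep those mentioning the NameID claim
#    type. If no issuance event lists nameidentifier, the rule set never produced one.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; ProviderName = "AD FS Auditing"; StartTime = (Get-Date).AddHours(-1) } |
    Where-Object { $_.Message -match "nameidentifier" } |
    Format-List TimeCreated, Id, Message
```

Reading the audit events is the quickest way to settle the question the partner raised: they show the claims AD FS actually put in the token, independent of what the RP says it received, so a NameID that is absent there points at the issuance rules rather than at the partner's side.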
  • Do you have a Transform claim rule transforming something like email to NameID?

    Sunday, July 16, 2017 6:58 PM
  • The SAML RP should use a token signing certificate to sign the logout request, then Single Logout (SLO) works.

    http://blog.auth360.net

    Monday, July 17, 2017 7:25 PM