How to change claim type of relying party trust from SAML 2.0 to SAML 1.1?

  • Question

  • Hi,

    We have a scenario where our customer has ADFS 3.0 installed and configured on their side. We are hosting a web site which utilizes ADFS 2.0. This web application uses WIF and the authentication flow is a relying party initiated sign-on so the end user at our customer side uses browser to navigate first to our web site and from there the authentication steps are redirected to the end user organization ADFS to get the token and claims.

    We have run into the issue described here: https://social.technet.microsoft.com/wiki/contents/articles/1431.ad-fs-2-0-the-admin-event-log-shows-error-111-with-system-argumentexception-id4216.aspx

    More specifically the SAM-account-name claim seems to be of wrong type if I have understood the issue correctly. In the ADFS event log on the customer's side, there is the following error:

    Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ArgumentException: ID4216: The ClaimType 'SAM-Account-Name' must be of format 'namespace'/'name'.

    When we look at the claim rule on the customer's side relying party trust configuration, it has the following:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "SAM-Account-Name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,sAMAccountName,displayName;{0}", param = c.Value);

    For one of our other customers, who uses ADFS 2.0 on their side, this same claim rule is as follows, and for them this is working fine:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/samaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,sAMAccountName,displayName;{0}", param = c.Value);

    So on the first one, the schema definition seems to be missing for the SAM-Account-Name claim. This is the only thing that is different between these two customers' ADFS configurations which I have noticed, so I assume that this issue has something to do with this. But the problem is that I don't know how to change the SAM-Account-Name claim type (description) on the relying party trust configuration on the customer's side. As per the KB article above, it should be changed into a SAML 1.1 compatible format, but I have not found information on how that is done. It seems that at least from the ADFS management console UI there is no way to do this, but is there some PowerShell cmdlet for doing this?

    I would really appreciate it if somebody could provide some hints on how this is done.

    Thanks.

    Thursday, November 24, 2016 6:01 AM
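The ID4216 error quoted in the question is raised because a claim type in the `types = (...)` list of the issuance rule is a bare short name rather than a `namespace/name` URI, so the fix is in the rule text itself, not in a claim description. The following PowerShell script is an added example, not part of the original post, showing how to inspect and correct the issuance transform rules of a relying party trust on the customer's federation server with the ADFS module cmdlets `Get-AdfsRelyingPartyTrust` and `Set-AdfsRelyingPartyTrust`. The trust name `Contoso Web App` is an assumed placeholder; the replacement claim type URI is the one used in the working ADFS 2.0 rule quoted above, and the "namespace/name" regex check is a heuristic written for this example.

```powershell
# Added example (not from the original post): report claim types that are not in
# namespace/name form, back up the current issuance transform rules, and replace
# the bare "SAM-Account-Name" type with the full samaccountname claim type URI.
Import-Module ADFS

$trustName = 'Contoso Web App'   # placeholder: the relying party trust display name
$badType   = 'SAM-Account-Name'  # bare name that triggers ID4216
$goodType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/samaccountname'

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found" }

$rules = $rp.IssuanceTransformRules

# Heuristic check (assumption for this example): walk every types = ( ... ) list in
# the rule set and warn about any quoted claim type that has no namespace/name shape.
foreach ($m in [regex]::Matches($rules, 'types\s*=\s*\(([^)]*)\)')) {
    foreach ($t in [regex]::Matches($m.Groups[1].Value, '"([^"]*)"')) {
        $claimType = $t.Groups[1].Value
        if ($claimType -notmatch '^\S+/[^/\s]+$') {
            Write-Warning "Claim type '$claimType' is not in namespace/name format"
        }
    }
}

# Keep a copy of the rules before touching them so the change can be reverted.
$safeName = $trustName -replace '[^\w]', '_'
$backup   = Join-Path $env:TEMP ("{0}-rules-{1:yyyyMMddHHmmss}.txt" -f $safeName, (Get-Date))
Set-Content -Path $backup -Value $rules -Encoding UTF8

# Replace only the quoted occurrence of the bad type inside the rule text.
$fixed = $rules.Replace("`"$badType`"", "`"$goodType`"")

if ($fixed -ne $rules) {
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $fixed
    Write-Host "Updated issuance transform rules for '$trustName'; backup at $backup"
} else {
    Write-Host "No occurrence of '$badType' found in the rules of '$trustName'; nothing changed"
}
```

Run this in an elevated PowerShell session on the federation server that owns the trust. After the change, the relying party application must look for the claim under the `.../samaccountname` URI, which is what the working ADFS 2.0 configuration in the question already issues.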