
Troubleshooting SAML for ADFS

ScreenSteps ADFS Claim Rules

On initial setup, after logging in through ADFS, ScreenSteps was presenting this error:

The status code of the Response was not Success, was Requester

The decoded SAML response (viewable with the Chrome SAML Message Decoder extension) included this status block:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </samlp:StatusCode>
</samlp:Status>

This happened because the NameID format being passed across was "unspecified": ADFS had no rule issuing a NameID in the email address format ScreenSteps asks for, so it answered with a Requester status carrying the nested InvalidNameIDPolicy sub-status instead of an assertion.

To fix this, do the following:

1. Create an LDAP attribute claim rule that maps the user's email address to the E-Mail Address claim type.

2. Create a transform rule that maps the incoming E-Mail Address claim to an outgoing Name ID, and select E-Mail as the outgoing Name ID format.


Claim rule language for step 2:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
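To make the check above repeatable without the browser extension, here is an added Python example (not ScreenSteps or ADFS code) that decodes the base64 SAMLResponse form value, walks the nested StatusCode chain and reports the NameID format, so you can confirm both the failure and that the rule now issues an emailAddress NameID. Both sample responses are constructed for the example; the failing one mirrors the status block shown above.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
def parse(saml_response_b64):  # the SAMLResponse POST field is base64-encoded XML
    return ET.fromstring(base64.b64decode(saml_response_b64))

def status_codes(root):
    """Walk the StatusCode chain: top-level code first, nested sub-codes after."""
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    return codes

def nameid_format(root):
    """Format of the asserted NameID; SAML 2.0 treats a missing Format as unspecified."""
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return None if nameid is None else nameid.get("Format", UNSPEC_FMT)

def diagnose(saml_response_b64):
    """One-line verdict, e.g. 'fail: Requester (InvalidNameIDPolicy)'."""
    root = parse(saml_response_b64)
    codes = status_codes(root)
    if not codes:
        return "fail: no Status element"
    if codes[0] != SUCCESS:  # the nested sub-code carries the real reason
        detail = codes[1] if len(codes) > 1 else "no sub-code"
        return f"fail: {codes[0].rsplit(':', 1)[-1]} ({detail.rsplit(':', 1)[-1]})"
    fmt = nameid_format(root)
    if fmt == EMAIL_FMT:
        return "ok: Success with emailAddress NameID"
    return f"warn: Success but NameID format is {fmt}"

# Constructed samples: the article's failing status block, and a response of the
# shape ADFS returns once the transform rule issues an emailAddress NameID.
FAILING = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
 </samlp:StatusCode></samlp:Status></samlp:Response>""").decode()
FIXED = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:NameID
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
 </saml:Subject></saml:Assertion></samlp:Response>""").decode()
```

Paste the SAMLResponse value captured from the browser's POST to the ScreenSteps consumer URL into diagnose() to get the same verdict for a live login.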
