Troubleshooting SAML for ADFS

ScreenSteps ADFS Claim Rules

On initial setup, after logging in through ADFS, ScreenSteps was presenting this error:

The status code of the Response was not Success, was Requester

The decoded SAML response (visible using the Chrome SAML Message Decoder plugin) included:

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>

The nested InvalidNameIDPolicy code means ADFS could not produce a NameID in the format the service provider's AuthnRequest asked for in its NameIDPolicy element. Here the relying party trust had no claim rule issuing a Name ID claim with an explicit format, so the only NameID ADFS could build was in the unspecified format; that did not match the email address format ScreenSteps requests, so ADFS returned the top-level Requester status instead of an assertion, and ScreenSteps surfaced it as the error above.

To fix this, add two issuance transform rules to the ScreenSteps relying party trust:

1. Add a "Send LDAP Attributes as Claims" rule against the Active Directory store that maps the LDAP attribute E-Mail-Addresses (mail) to the outgoing claim type E-Mail Address.

2. Add a "Transform an Incoming Claim" rule with incoming claim type E-Mail Address and outgoing claim type Name ID, and set the outgoing name ID format to Email. The rule must run after rule 1, since it consumes the claim rule 1 issues.


Claim rule language for rule 2 (the claim type URIs are the standard ones the ADFS "Transform an Incoming Claim" wizard generates; the format property is what makes the NameID come out as emailAddress rather than unspecified):

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
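The same two rules applied from PowerShell on the ADFS server, plus a small helper for reading the status codes and NameID format out of a captured SAMLResponse without a browser plugin. This is an added example, not configuration from the original note or from ScreenSteps; the relying party display name "ScreenSteps" and the helper function name are assumptions, and the LDAP rule text is the standard one the ADFS "Send LDAP Attributes as Claims" wizard produces.

```powershell
# Added example (not from the original note). Run in an elevated PowerShell
# session on an ADFS server. 'ScreenSteps' is an assumed relying-party name.
Import-Module ADFS

$rpName = 'ScreenSteps'

# Rule 1: AD 'mail' attribute -> E-Mail Address claim (LdapClaims template).
# Rule 2: E-Mail Address claim -> Name ID claim with an explicit emailAddress
#         format property (MapClaims template). Without the format property
#         ADFS emits an unspecified NameID and returns InvalidNameIDPolicy.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# NOTE: -IssuanceTransformRules replaces the trust's whole rule set. If the
# trust already has rules you want to keep, read them back first and append.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Confirm what was stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# Helper (assumed name): decode the base64 SAMLResponse POST parameter and
# return every StatusCode value (outer and nested) plus the NameID Format.
function Get-SamlResponseSummary {
    param([Parameter(Mandatory)][string]$Base64Response)

    $xmlText = [System.Text.Encoding]::UTF8.GetString(
        [Convert]::FromBase64String($Base64Response))

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xmlText)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    # Nested StatusCode elements carry the specific reason (e.g. InvalidNameIDPolicy).
    $codes = @($doc.SelectNodes('//samlp:Status//samlp:StatusCode', $ns) |
        ForEach-Object { $_.GetAttribute('Value') })

    # Only present on a successful response that actually carries an assertion.
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)

    [pscustomobject]@{
        StatusCodes  = $codes
        NameIdFormat = if ($nameId) { $nameId.GetAttribute('Format') } else { $null }
    }
}

# Usage: paste the SAMLResponse form field captured from the browser.
# Get-SamlResponseSummary -Base64Response $capturedSamlResponse
```

After the rules are in place, a successful response should show a single StatusCode of urn:oasis:names:tc:SAML:2.0:status:Success and a NameID Format of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress; if the nested InvalidNameIDPolicy code is still present, check that rule 2 comes after rule 1 and that the user actually has a mail attribute in AD, since an empty E-Mail Address claim gives rule 2 nothing to transform.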

