Troubleshooting SAML for ADFS

ScreenSteps ADFS Claim Rules

On initial setup, after logging in through ADFS, ScreenSteps was presenting this error:

The status code of the Response was not Success, was Requester

The decoded SAML response (visible using the Chrome SAML Message Decoder plugin) included:

<samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></samlp:StatusCode>
</samlp:Status>

This was because the nameid format being passed across was unspecified.

To fix this do the following:

1. Create an LDAP claim mapping email address to email address claim type

2. Create a transform rule mapping incoming email to outgoing NameID.

Select the outgoing Name ID format as email.

 

Claim rule language:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

0 Comments

Add your comment

E-Mail me when someone replies to this comment