ScreenSteps ADFS Claim Rules
On initial setup, after logging in through ADFS, ScreenSteps was presenting this error:
The status code of the Response was not Success, was Requester
The decoded SAML response (visible using the Chrome SAML Message Decoder plugin) included:
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>
</samlp:Status>
This was because the NameID format being passed across was unspecified, so ADFS could not satisfy the NameID policy ScreenSteps requested.
To fix this, do the following:
1. Create an LDAP attribute claim rule mapping the user's email address to the E-Mail Address claim type.
2. Create a transform claim rule mapping the incoming E-Mail Address claim to the outgoing Name ID, and select Email as the outgoing Name ID format.
Claim rule language for the transform rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
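To confirm the fix from the relying-party side, the following added Python script (not part of the original article and not ScreenSteps code) decodes a base64 SAMLResponse, walks the nested StatusCode chain like the one shown above, and reports the NameID Format the assertion carries. The two embedded responses are constructed samples, not captures from a real ADFS.

```python
import base64
from xml.etree import ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
INVALID_NAMEID = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def status_codes(root):
    """Return the StatusCode chain, outermost first (e.g. [Requester, InvalidNameIDPolicy])."""
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)  # nested sub-status, if any
    return codes


def nameid_format(root):
    """Format attribute of the assertion's NameID, or None if no NameID was issued."""
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    return nameid.get("Format") if nameid is not None else None


def diagnose(saml_response_b64):
    """Decode a SAMLResponse POST value and explain what the IdP returned."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    codes, fmt = status_codes(root), nameid_format(root)
    if codes[:1] == [SUCCESS] and fmt == EMAIL_FORMAT:
        verdict = "ok: Success with an emailAddress NameID"
    elif codes[:1] == [SUCCESS]:
        verdict = f"warn: Success but NameID format is {fmt}"
    elif INVALID_NAMEID in codes:
        verdict = "fail: InvalidNameIDPolicy, IdP issued no NameID in the requested format"
    else:
        verdict = f"fail: {' / '.join(codes) or 'no StatusCode'}"
    return {"status": codes, "nameid_format": fmt, "verdict": verdict}


# Constructed sample responses (not captured from a real ADFS): before and after the claim-rule fix.
FAILED_B64 = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
</samlp:StatusCode></samlp:Status></samlp:Response>""").decode()
OK_B64 = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a2" Version="2.0"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
</saml:Subject></saml:Assertion></samlp:Response>""").decode()
```

Feed it the SAMLResponse form value from the browser's POST to ScreenSteps; a Success status whose NameID format is anything other than emailAddress means the transform rule's format property is still wrong.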