Troubleshooting SAML for ADFS
ScreenSteps ADFS Claim Rules
On initial setup, after logging in through ADFS, ScreenSteps was presenting this error:
The status code of the Response was not Success, was Requester
The decoded SAML response (visible using the Chrome SAML Message Decoder plugin) included:
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></samlp:StatusCode> </samlp:Status>
This was because the
nameid format being passed across was unspecified.
To fix this do the following:
1. Create an LDAP claim mapping email address to email address claim type
2. Create a transform rule mapping incoming email to outgoing NameID.
Select the outgoing Name ID format as email.
Claim rule language:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");