I had tried to configure single sign-on for a third-party web page with MS ADFS 3.0, but single sign-on didn't work. The event log on the ADFS server showed events with Event ID 321:
> The SAML authentication request had a NameID Policy that could not be satisfied.
> Requestor: https://url of requesting resource
> Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> SPNameQualifier:
> Exception details:
> MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
> This request failed.
> User Action
> Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
The fix for this error is to change the format of the outgoing Name ID claim to the format the service provider requested (the event shows the token was issued with an empty Name ID format, while the request demanded nameid-format:emailAddress).
I had already configured a claim rule that issued a custom AD attribute directly as Name ID, but I had to change it to issue that attribute as E-Mail Address instead of Name ID.
I then had to add a transform rule in the AD FS Management Console that transforms the E-Mail Address claim into a Name ID with the requested nameid-format:emailAddress format, like this:
- Right click your Relying Party Trust.
- Choose “Edit Claim Rules…”.
- Add a new rule using “Add Rule…”.
- Select template “Transform an Incoming Claim”.
- Give the rule a descriptive name.
- Select the Incoming claim type (in my case E-Mail Address).
- Select the Outgoing claim type (in my case Name ID).
- Select the Outgoing name ID format (in my case Email).
- Click OK.
After these changes single sign-on to the third party web page worked like a charm!