I had tried to configure single sign-on for a third party web page with MS ADFS 3.0, but single sign-on didn’t work. The event log on ADFS server showed events with Event ID 321:
The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: https://url of requesting resource Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: Exception details: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: . This request failed. User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
The fix for this error is to change the format of the outgoing claim, to the requested format.
I had already configured a claim rule for issuing a custom AD attribute as Name ID, but had to change it to issue the claim as E-Mail Address instead of Name ID.
I then had to add a transform rule in the AD FS Management Console, for transforming the claim from E-Mail Address to the requested nameid-format:emailAddress like this:
- Right click your Relying Party Trust.
- Choose “Edit Claim Rules…”.
- Add a new rule using “Add Rule…”.
- Select template “Transform an Incoming Claim”.
- Give the rule a descriptive name.
- Select the Incoming claim type (in my case E-Mail Address).
- Select the Outgoing claim type (in my case Name ID).
- Select the Outgoing name ID format (in my case Email).
- Click OK
After these changes single sign-on to the third party web page worked like a charm!
2 Replies to “ADFS 3.0 Relying Party Trust – Send custom attribute as claim”
I have created the two rules that you mentioned. the users can login to the application but Ad FS server keeps on generating event ID 321 with the same error message that you mentioned.
Any suggestions ?
Can you supply the full error message here? Anonymize it, of course. Specifically the exception details would be interesting to see. It’s really an event notifying you of some discrepancies between what format is requested and what format is provided.