0 Replies Latest reply on Nov 19, 2011 12:33 PM by magsy

    PicketLink2.0.1 / ADFS / Encrypted NameID

    magsy
    magsy Nov 19, 2011 12:33 PM

      Hello,

       

      I'm trying to build a SP to integrate with ADFS2.0. I've read many posts on how to configure ADFS and have not quite got to a solution. After creating the Relaying Party in ADFS, the following error appears in the event log when PicketLink tries to act as an SP:

       

      MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier:  SPNameQualifier: , SPProvidedId: .

       

      There was a useful thread with translation rules for ADFS that led to it creating an assertion. This post is useful:

       

      http://social.msdn.microsoft.com/Forums/ar/Geneva/thread/ea5efcff-4221-4af1-b434-4be5245cb0fa

       

      However, the result is a name ID that's encrypted:

       

      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">q2a1NbfZJPijziQXJVFV69KS5/wtMmIcr1meeWes8LY=</NameID>

       

      I have two questions and would be grateful for any assistance:

       

      1. How do I decrypt the username? I've tried using the certificate's I can find in ADFS, but perhaps there's another?

       

      2. How can I modify the custom rules in ADFS to output an email address, Windows username, X509, etc. I've tried modifying the transform rule but any change results in no assertions in the SAML response.

       

      For your reference, here is the SAML request:

       

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://target/test.jsp" Destination="https://server2008r2.domain2008r2.local/adfs/ls/" ID="ID_4434a24e-6033-9a8f-b0c9-6efb1c645f62" IssueInstant="2011-11-14T21:59:58.887Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml:Issuer><samlp:NameIDPolicy AllowCreate="true"  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>

       

      The format seems relevant, but are there any errors in this request?

       

      I look forward to any assistance.

       


      John