使用SAML oneLogin代码以iDP连接到ADFS时响应错误

Question

We are able to login to the ADFS iDP through the saml OneLogin java application. we have followed below steps to Edit the Claim rules of Relying Party(ADFS) to:

• enable return of email address in response.
• Right-click on the relying party trust and select Edit Claim Rules….
• On the Issuance Transform Rules tab select Add Rules….
• Select Send LDAP Attribute as Claims as the claim rule template to use.
• Give the claim a name such as NameID.
• Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
• Select Finish.
• Select Add Rule….
• Select Transform an Incoming Claim as the claim rule template to use.
• Give it a name such as Email to NameID. Incoming claim type should be E-mail Address and the Outgoing name ID format is Email.
• Check Pass through all claim values and click Finish.

But it gives below exception:

Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format: emailAddress SPNameQualifier: . Actual NameID properties: null.

Please advice how to resolve this error. Thanks for your help.

Answer 1

I have resolved this exception. It required to add email address in the properties of Active Directory Users and Computers on ADFS server. Also, the NameID format property should be set as "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" Thanks everyone for your support. Hopefully, this might help someone.