I had tried to configure single sign-on for a third-party web page with MS ADFS 3.0, but single sign-on didn't work. The event log on the ADFS server showed events with Event ID 321:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://url of requesting resource
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token.
Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: .
Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
The event tells you exactly what went wrong: the service provider's AuthnRequest carries a NameIDPolicy asking for a Name ID in the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, but the token ADFS built contained no Name ID with that format at all (the "Actual NameID properties" line shows an empty Format and empty qualifiers), so ADFS refused to issue it. The fix is to make the outgoing Name ID claim carry the requested format.
I had already configured a claim rule that issued a custom AD attribute as Name ID, but had to change it to issue the claim as E-Mail Address instead of Name ID.
I then had to add a transform rule in the AD FS Management Console that transforms the E-Mail Address claim into a Name ID with the requested nameid-format:emailAddress, like this:
After these changes single sign-on to the third party web page worked like a charm!