
ADFS 3.0 Relying Party Trust - Send custom attribute as claim

I had tried to configure single sign-on for a third party web page with MS ADFS 3.0, but single sign-on didn’t work. The event log on ADFS server showed events with Event ID 321:

The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: https://url of requesting resource Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier:
Exception details: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .

This request failed.

User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.

The fix for this error is to change the format of the outgoing Name ID claim to the format the relying party requests in its NameIDPolicy (here urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

I had already configured a claim rule for issuing a custom AD attribute as Name ID, but had to change it to issue the claim as E-Mail Address instead of Name ID.

I then had to add a transform rule in the AD FS Management Console that transforms the E-Mail Address claim into a Name ID claim carrying the requested nameid-format:emailAddress format, like this:

  • Right click your Relying Party Trust.
  • Choose “Edit Claim Rules…”.
  • Add a new rule using “Add Rule…”.
  • Select template “Transform an Incoming Claim”.
  • Give the rule a descriptive name.
  • Select the Incoming claim type (in my case E-Mail Address).
  • Select the Outgoing claim type (in my case Name ID).
  • Select the Outgoing name ID format (in my case Email).
  • Click OK.

After these changes single sign-on to the third party web page worked like a charm!