Question
I've configured an app in the ADFS relying party trusts, so I can log in using ADFS/SSO. After that I've installed SimpleSAMLphp to handle that login and process the SAML response.
This is my authsources config:
    'myauth' => array(
        'saml:SP',
        // entityID of the ADFS IdP; must match an entry in metadata/saml20-idp-remote.php
        'idp' => 'http://domain/adfs/services/trust',
        // SP signing key and certificate, file names relative to the cert directory
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
    ),
But after the login, on the return POST, I get the following error:
    Exception during login: sspmod_saml_Error: Requester/InvalidNameIDPolicy
    Backtrace:
    3 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
    2 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
    1 /home/......../adfs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
    0 /home/......../adfs/simplesamlphp/www/module.php:135 (N/A)
Am I missing something? How can I get that NameID policy? Where do I define it?
Thanks
Answer 1:
SimpleSAMLphp normally uses UPN or email as the NameID. You need to check in the config.
So in ADFS, create two claim rules:
One to create the claim (either UPN or email), the normal LDAP one.
And a transform rule that takes the above and transforms it to a NameID claim with a type of "transient".
Again, SimpleSAMLphp may not be using transient; you need to check in the config.
Update:
Assume UPN:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory",
              types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
              query = ";userPrincipalName;{0}",
              param = c.Value);

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
              Issuer = c.Issuer,
              OriginalIssuer = c.OriginalIssuer,
              Value = c.Value,
              ValueType = c.ValueType,
              Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
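The error above is the SP-side rendering of a protocol exchange: the AuthnRequest that the saml:SP authsource sends carries a NameIDPolicy Format, and when no ADFS claim rule issues a NameID in that Format, ADFS returns a nested Status of Requester/InvalidNameIDPolicy instead of an assertion. The following Python script, added here as an illustration and not code from the question, the answer or the SimpleSAMLphp project, decodes an HTTP-Redirect SAMLRequest to show the requested Format, reads the nested StatusCode out of the Response the way the error string is formed, and confirms that a successful Response actually carries the Format that was asked for. The host names, message IDs and all three SAML messages are constructed samples; they are unsigned, so a real SP must verify the Response signature before trusting any of this.

```python
"""Diagnose the SAML exchange behind 'Requester/InvalidNameIDPolicy'.

Added example: constructed, unsigned sample messages with hypothetical hosts.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
INVALID_NAMEID_POLICY = "Requester/InvalidNameIDPolicy"

# Constructed AuthnRequest: what a saml:SP authsource asks the IdP for.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2013-11-06T10:00:00Z"
    Destination="https://adfs.example/adfs/ls/">
  <saml:Issuer>https://sp.example/simplesaml/module.php/saml/sp/metadata.php/myauth</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed failure Response: no claim rule issues the requested Format.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2013-11-06T10:00:01Z" InResponseTo="_req1">
  <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed success Response after a transform rule issues a transient NameID.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2013-11-06T10:00:01Z" InResponseTo="_req1">
  <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-06T10:00:01Z">
    <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9f3c</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def decode_redirect(saml_request_param: str) -> str:
    """Inverse of encode_redirect, for reading a SAMLRequest query parameter."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode()


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """Format attribute of NameIDPolicy, or None if the SP sent no policy."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml: str) -> str:
    """Collapse StatusCode/sub-StatusCode into the 'Requester/InvalidNameIDPolicy' form."""
    top = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = [top.get("Value")]
    sub = top.find("samlp:StatusCode", NS)
    if sub is not None:
        codes.append(sub.get("Value"))
    return "/".join(c.replace(STATUS_PREFIX, "") for c in codes)


def issued_nameid_format(response_xml: str) -> Optional[str]:
    """Format of the NameID in the assertion's Subject, or None if there is none."""
    name_id = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return None if name_id is None else name_id.get("Format")


def diagnose(authn_request_xml: str, response_xml: str) -> str:
    """Explain the outcome in terms of the Format the SP asked for."""
    wanted = requested_nameid_format(authn_request_xml)
    status = response_status(response_xml)
    if status == INVALID_NAMEID_POLICY:
        return (f"IdP refused the requested NameID Format {wanted}: add an IdP rule "
                f"issuing that Format, or change the SP's NameIDPolicy to one it issues")
    if status != "Success":
        return f"IdP error {status}"
    issued = issued_nameid_format(response_xml)
    if wanted is not None and issued != wanted:
        return f"assertion NameID Format {issued} does not match requested {wanted}"
    return f"ok: NameID Format {issued}"


if __name__ == "__main__":
    print("SP requests:", requested_nameid_format(decode_redirect(encode_redirect(AUTHN_REQUEST))))
    print("failure:", diagnose(AUTHN_REQUEST, FAILED_RESPONSE))
    print("success:", diagnose(AUTHN_REQUEST, SUCCESS_RESPONSE))
```

To apply this to a live setup, paste the SAMLRequest parameter from the browser's redirect to /adfs/ls/ into decode_redirect and compare the printed Format with the format property your ADFS transform rule sets; the two must agree, whichever side you choose to change.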
Source: https://stackoverflow.com/questions/19816803/adfs-2-0-invalidnameidpolicy