I've configured an app in the ADFS relying party trusts, so I can log in using ADFS/SSO. After that I've installed simplesamlphp to handle that login and process the SAML response.
This is my authsources config:
    'myauth' => array(
        'saml:SP',
        // entity ID of the ADFS IdP this SP authenticates against
        'idp' => 'http://domain/adfs/services/trust',
        // SP key/certificate used for signing and decryption
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
    ),
But after the login, on the return POST I get the following error:
    Exception during login: sspmod_saml_Error: Requester/InvalidNameIDPolicy
    Backtrace:
    3 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
    2 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
    1 /home/......../adfs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
    0 /home/......../adfs/simplesamlphp/www/module.php:135 (N/A)
Am I missing something? How can I get that NameID policy? Where do I define it?
Thanks
simplesamlphp normally uses UPN or email as the NameID. You need to check in the config.
So in ADFS, create two claims rules:
One to create the claim (either UPN or email) - the normal LDAP one.
And a Transform that takes the above and transforms it into a NameID claim with a type of "transient".
Again, simplesamlphp may not be using transient - you need to check in the config.
Update:
Assume UPN:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
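To make the failure above concrete, here is an added diagnostic (not part of this thread and not simplesamlphp code) that parses the NameIDPolicy an SP puts in its AuthnRequest and the Status and NameID the IdP sends back, and states whether the IdP satisfied the requested policy. The AuthnRequest and both Responses are constructed samples, not captured traffic; the SP entity ID and the transient NameID value are invented, while the IdP issuer is the one from the question. The failed Response carries the nested Requester/InvalidNameIDPolicy status that simplesamlphp reports, and the successful one is what the IdP returns once it issues a NameID in the requested transient format, as the answer's transform rule does.

```python
"""Offline check of a SAML 2.0 NameIDPolicy negotiation (added example).

Parses the SP's AuthnRequest and the IdP's Response with the standard library
only, so it can be run against messages copied from a browser SAML tracer.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest: the SP asks for a transient NameID.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2013-11-06T12:00:00Z">
  <saml:Issuer>https://sp.example.test/simplesaml/module.php/saml/sp/metadata.php/myauth</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed Response: the IdP has no NameID claim in the requested format.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req1" IssueInstant="2013-11-06T12:00:01Z">
  <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed Response: the IdP now issues a transient NameID (signature and
# attributes omitted, since only the status and NameID matter here).
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0"
    InResponseTo="_req1" IssueInstant="2013-11-06T12:00:01Z">
  <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-06T12:00:01Z">
    <saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f2c1e</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def requested_nameid_format(authn_request_xml):
    """Format attribute of samlp:NameIDPolicy, or None if the SP sent none."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml):
    """(top-level StatusCode, nested second-level StatusCode or None)."""
    top = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        return None, None
    sub = top.find("samlp:StatusCode", NS)
    return top.get("Value"), (None if sub is None else sub.get("Value"))


def returned_nameid_format(response_xml):
    """Format of the assertion's NameID; 'encrypted' if the assertion is encrypted."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "encrypted"  # must be decrypted with the SP key before inspection
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    # Per SAML Core, a NameID with no Format attribute is 'unspecified'.
    return None if name_id is None else name_id.get("Format", FORMAT_UNSPECIFIED)


def diagnose(authn_request_xml, response_xml):
    """One-line verdict on whether the IdP honoured the SP's NameIDPolicy."""
    wanted = requested_nameid_format(authn_request_xml)
    top, sub = response_status(response_xml)
    if top != STATUS_SUCCESS:
        if sub == STATUS_INVALID_NAMEID_POLICY:
            return ("IdP rejected the request: no NameID claim in the requested format %s; "
                    "add an issuance/transform rule for that format at the IdP" % wanted)
        return "IdP returned status %s / %s" % (top, sub)
    got = returned_nameid_format(response_xml)
    if got == "encrypted":
        return "assertion is encrypted; decrypt it before checking the NameID format"
    # An absent or 'unspecified' policy lets the IdP pick any format.
    if wanted in (None, FORMAT_UNSPECIFIED) or got == wanted:
        return "ok: NameID format %s satisfies the requested policy" % got
    return "mismatch: requested %s but the assertion carries %s" % (wanted, got)


if __name__ == "__main__":
    print(diagnose(AUTHN_REQUEST, FAILED_RESPONSE))
    print(diagnose(AUTHN_REQUEST, OK_RESPONSE))
```

The nested StatusCode is the part worth reading when this error appears: the top-level `Requester` code only says the IdP blames the request, and the second-level `InvalidNameIDPolicy` code is what tells you the requested NameID format is the problem rather than, say, a signature or audience issue.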
Source: https://stackoverflow.com/questions/19816803/adfs-2-0-invalidnameidpolicy