Thanks for your answer, @rbrayb .
I tried the SAML bearer assertion flow, but it seems that the endpoint /adfs/services/trust/2005/usernamemixed works only with Azure AD.
So I tried this endpoint /adfs/services/trust/13/UsernameMixed with this request :
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
<a:To s:mustUnderstand="1">https://adfs.test.local/adfs/services/trust/13/UsernameMixed</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" >
<o:UsernameToken u:Id="uuid-6a13a244-dac6-42c1-84c5-cbb345b0c4c4-1">
<o:Username>**USERNAME**</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">**PASSWORD**</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>**https://mysite.identifier**</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
</trust:RequestSecurityToken>
</s:Body>
</s:Envelope>
- With an USERNAME/PASSWORD from the Active Directory, It works and I get my SAML Response.
- But with the USERNAME/PASSWORD from my Local LDAP Directory, I have the following error : ID3242: The security token could not be authenticated or authorized.
When I check the ADFS logs :
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
USERNAME-The user name or password is incorrect
I tried with the DN of the account but same error, even if I have set only my Local LDAP Directory as unique claimsProvider for the application with this command :
Set-AdfsRelyingPartyTrust -TargetName "myClaimAPP" -ClaimsProviderName @("MY LDAP DIRECTORY")
With the classic SP-initiated flow it works well (I have only my LDAP Directory form).
I suppose that it must have a special parameter to had in the SOAP Request ou maybe a configuration in SAML to use the LDAP Local Claims Provider instead of the Active Directory but I can't find anything.
Do you have any idea, please?