This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 88%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ0%3C/text%3E%3C/svg%3E)
Hello,
I have questions regarding ADFS SAML configuration.
I have been charged with setting up ADFS SAML and connecting our system with clarity safetyzone.
I am using Using windows serv 2019 platform for the servers. I have created a test environment that has a domain controller, server with ADCS, and another server with ADFS. I have a certificate created within the ADCS server and I installed ADFS on the respective server. I verified after installation of the role and configuring an adfs administrator that the adfs administrator can sign into the https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx, I created a windows test account and logged into the adfs server for testing purposes and when navigating to the https://sts.contoso.com/adfs/ls/ and attempting to sign in with that user, I get an error:
An error occurred
An error occurred. Contact your administrator for more information.
Error details
Activity ID: f68cc99a-b6e5-40dc-1a00-0080000000e5Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.Node name: 85253664-435b-4d04-8775-d4b96854cb12Error time: Mon, 02 Nov 2020 20:11:16 GMTCookie: enabledUser agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
I have everyone permitted for intranet access in the Access Control Policies.
Am i missing something? Once i can verify that a standard user can login, then i can move on to the step of setting up the appropriate claims/trusts.
Does anyone have experience with this and maybe even experience with the Clarity Safety Zone platform?
This page cannot be called just as-is by typing the URL in the browser. You either need a query string telling you which WS-Federation enabled relying party trust you are trying to use, or a SamlRequest if you are trying to use a SAML enabled relying party trust.
If you want to do some testing, I suggest you create the test relying party trust as described here: https://adfshelp.microsoft.com/ClaimsXray/TokenRequest
Give it a try and let us know!
Ok, Understood.
I am running into problems with creating the claim exactly how the company needs.
They need the username of the account logged in passed out as the Name id in persistent format.
I do not see an easy way of doing this.
Can you provide me how to pass just the windows username out as the nameid?
Here is the rule:
Yea, they are not receiving it when i do it this way. Can you provide step by step to setup Windows Account Name in ADFS so i can make sure it is being done properly?
By the way, I appreciate the help so far.
It is there by default, nothing to do to have it. Maybe they want more than a NameID.
Try the rule in the test Claims XRay relying party trust. If you see it there, then you know you are good to go.
You can also provide a Fiddler trace and post it here. We can see what's in the token then.
For me it wasnt there by default.
What i did was go to, add a claim description and in the URL section: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
Then selected the two Publishign Check boxes. Afterwards, I went to the relying third party > Edit Claim Issuance Policy> created a transform incoming claim rule as you mentioned, selected windows account name from what i mentioned above and outgoing as NameID persistent identifier
Is that the correct way?
It does not have to exist in the Claim description section. What you have done is essentially publishing it in the federation metadata (which is optional).
The claim is populated automatically upon logon as long as your account comes from a trusted Active Directory environment.
Your step to set the rules are correct.
If you share a Fiddler trace we can help you confirm that. Or you can use the test Claims XRay relying party trust as suggested.
I ran both commands when installing the xray client
RedirectUri : {https://adfshelp.microsoft.com/ClaimsXray/Toke
nResponse}
Name : ClaimsXrayClient
Description :
ClientId : claimsxrayclient
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
LogoutUri :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :
When i type in my url and test i get the page attached
That's an error relative to the OAuth protocol. This one requires to to have your ADFS (trough a WAP) reachable from the Internet.
Pick the SAML one. And do the operation from a machine that can access both your ADFS server and the Internet (as the Claim XRay is hosted online).
I am setting up a VM that i will join to the same domain as the ADFS server. This will probably be setup by tomorrow morning for me to test and then provide the results
You can test it from a non domain joined machine too.
Or if your ADFS server has internet access you can test it directly from your ADFS server opening a web browser there.
![37331-101.png][1]
Does this mean it worked?
Yes but that's a WS-Federation.
Pick SAML:
Make sure you have added the rule we mentioned earlier. You can also remove the one that is there by default.
And you can copy/paste the XML Raw token you got here.
Do you mean add the windows account name with the outgoing claims as the nameid?
Yes. That will confirm that the rule works as expected and that the issue is located at the app level and you can focus the troubleshooting there.
They are correct. Its not sending out the claim properly
Show me the rule. This is a mistake in the rule, 100% sure.
Heres what i got
I checked multiple times. The one with the spaces is not there. UPN is there. Not sure if that is the same thing
Strange. Never seen this.
Can you screenshot the menu:
I scrolled through the whole list and screenshot everything. tried to leave out ones already seen to make it easy
Very strange.
Anyhow, you can use a custom rule instead and use this syntax:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
Only option was to push ok and that was it. What do i do after?
You try again with Claims X Ray with the SAML 2.0 option. And share ideally share the XML output (in the raw token section, else we won't see the NameID format, it's only in the token, not in the top section).
It looks like it worked...the xml shows at the very bottom of it:
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">USEROMITTEDFORSECURITY</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2020-11-04T03:24:48.837Z" Recipient="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" />
</SubjectConfirmation>
</Subject>
Here you go. Set the same rule on your app now.
And if that doesn't work for the app, it means they need something else.
Is there a way to feed that claims rule into a transform rule? Not sure i would need to but just asking
What would you like to transform it to?
Everything is possible really. And I have no idea why your default Windows Account Name isn't in the list.
Not sure. It looks like its being passed as a nameid in that message i sent you. Guess i was just curious. Any idea why adding a new claim description and then using it wasnt working?
Unclear. Did you install this ADFS farm or did you inherit it from a different team? I have never seen this (on any version of ADFS).
I installed this farm. That claim was pointing to the right schema...so im surprised it was not working
Hey thank you very much for the help yesterday. They came back to me saying there are no longer any errors however, they wondered if there was a way to pass just the username and not the domain\user. Can this be done?
Yep. Many ways to do it. But the easiest way in our context (with having issues with the default rules) would be to adapt our custom rules such as:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
Make sure you mark the post as answered in case someone experience the same challenges that they can easily find a solution.
Nvm i ended up getting it working. Can you assist with one more thing?
I am attempting to setup windows interactive authentication and i followed all the articles below. When i go to the website that is setup in adfs with the claims, i am redirected to my adfs site and prompts for a username and password regardless of the settings i configured in the following articles. Any hints you can provide?
Below are the articles I followed:
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_preparing_ie_for_adfs.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://support.classlink.com/hc/en-us/articles/360010601593-ADFS-Windows-Integrated-Authentication-WIA-
Attached are some screenshots
It would make more sense to close this thread and open an another one as somebody else might benefit from this too and will have a hard time to find it with a title such as SAML Configuration.
I suggest you post it in the new thread. Mark this one as answered and also add the version of the browser that you are using.