ADFS - AAD integration - No AzureAD Connect - SAML ImmutableID error

Domenico Bochicchio 16 Reputation points

Hello everyone,

I'm working on enabling login to an adfs-federated Enterprise Web App through AAD SAML. I haven't found any good documentation on the matter (or blogpost) which describes my specific usecase so I'm mostly doing trial and error. I know there are a few microsoft doc pages about federating enterprise apps and adfs but in my case I need to strictly avoid using Azure AD connect so I'm stuck without any reliable documentation (that I've found this far)

Background info on the situation and overview

The SAML cycle should be SP initiated (starts on the ADFS authentication page) by choosing the AAD-based login on page and then bring back to the application page.

The IdP should be Azure Active Directory (where the users should be stored, also AAD should pass the claims to ADFS) and that's pretty much the bulk of the relevant information.

Now, a few weeks ago I had it all set up (enteprise app created in my Azure tenant, federation metadata document imported in the relying party trust I created in adfs corresponding to the web app, thumbprint added in the web config for the IIS web application, endpoints configured in the Relying Party's properties, all of the relevant properties set in Azure in terms of application ID and assertion consumer service URL) and everything except the claim passthrough was configured and working properly.

I logged in through the ADFS page, chose the Enterprise Application amongst the "Tiles", got redirected to the login.microsoftonline page, logged with the user, got redirected again to the application page where I got an applicative error due to no claims (of course, since I hadn't configured this part yet). All good.

The problem at hand:

Recently, I picked the matter up again and I noticed that in Azure I have a new claim configured (unless I'm hallucinating and it's always been there?)
I'm having a hard time uploading an image so

https : //

this is what I'm talking about. I haven't changed this part, and now when I login I'm getting this error

https : //

on the /wsfed endpoint of the login.microsoftonline/appid page that the authentication process takes me to (after inserting my credentials).

Does anyone know how to handle this? If any additional information is required to make the scenario clearer, let me know please. I have already tried the Azure embedded troubleshooting tool that is supposed to take in the error code and give you assistance in solving the problem, but it doesn't recognize this one. Also advanced troubleshooting disables itself every time I enable it and refresh (extensionless updated Chrome)

Thanks a lot in advance

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,903 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,038 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 55,556 Reputation points

    @Domenico Bochicchio If I understood your scenario correctly, you have an application with SP initiated sign-in flow that redirects to ADFS and after successful authentication ADFS then redirects to Azure AD with a SAML token. Azure AD is now supposed to receive SAML token and issue ID & Access token. That is where you encounter error AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user. If that is the case, you need to have below issuance transformation claim rule on your ADFS Server for Office 365 relying party:

    c:[Type == ""]
    => issue(Type = "", Value = c.Value, Properties[""] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

    The above claim rule should take care of AADSTS90020 error but as far as I know, Azure AD would still require user to be synced to it to complete the authentication and authorization.


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.