Unable to configure SAML Authentication through ADFS to an external IDP

Bharath Venkataramakrishnan 41 Reputation points
2021-03-03T09:35:55.41+00:00

I have integrated Azure login through ADFS and in ADFS I have a third-party claims provider configured which will do multi-factor authentication.
But after I logon to the ADFS through the claim provider, I configured I get the following error. Could someone help me here.

Request Id: ae31a9f4-d84a-4042-bdb6-f39506a8f200
Correlation Id: 49c2fd45-82d8-44fa-8d5d-b81711ce48d3
Timestamp: 2021-03-03T08:46:18Z
Message: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,110 questions
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,576 Reputation points
    2021-04-07T14:13:33.72+00:00

    Hello @Bharath Venkataramakrishnan ,

    You are trying following article to configure Integration with Office 365/Azure AD.

    Scenario:

    85318-image.png

    Resolution:

    We were able to resolve the issue after adding below custom rule from claim provider trust you were created for federation with third party Identity provider.

    Custom Rule:

    c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    85382-image.png

    Above rule would transform "netbiosName" value as "windowsaccountname"

    To learn more about ADFS claim rule, read:
    https://learn.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-primer

    Hope this helps.

    ----------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,576 Reputation points
    2021-03-04T15:38:50.97+00:00

    Hello @Bharath Venkataramakrishnan ,

    Thanks for reaching out.

    According to error message about “AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user”, it seems to be ADFS could not delivery ImmutableID in assertion (Token).

    To fix this issue, I would request you to verify if below mentioned claim present in Relying party trust, by opening ADFS Management in ADFS server --> ADFS --> Relying party trust --> Right click on "Microsoft Office 365 Identity Platform" --> Edit claim issuance policy -->

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

    Note: make sure ImmutableID claim rule doesn't existing twice, because even duplicate entry may cause issue.

    also, we would like to share one similar thread URL link, it may provide you some suitable
    information regarding this error message:
    https://social.technet.microsoft.com/Forums/en-US/95de802a-c304-465c-8907-def266767e1d/error-aadsts90020-the-saml-11-assertion-is-missing-immutableid-of-the-user?forum=winservergen


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Bharath Venkataramakrishnan 41 Reputation points
    2021-03-04T17:20:22.513+00:00

    74413-image.png

    Should I delete these rules.?


  3. Bharath Venkataramakrishnan 41 Reputation points
    2021-03-08T08:31:54.493+00:00

    I have deleted the rules 2 to 5 and configured the one you shared with me earlier. But no luck. The same error is displayed.

    Here are the current set of rules.

    75375-image.png