Unable to configure SAML Authentication through ADFS to an external IDP

I have integrated Azure login through ADFS, and in ADFS I have a third-party claims provider configured which will do multi-factor authentication.
But after I log on to ADFS through the claims provider I configured, I get the following error. Could someone help me here?

Request Id: ae31a9f4-d84a-4042-bdb6-f39506a8f200
Correlation Id: 49c2fd45-82d8-44fa-8d5d-b81711ce48d3
Timestamp: 2021-03-03T08:46:18Z
Message: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.

azure-ad-saml-sso

82173-azure-adfs-relying-party-rules-exported.pdf



PFA exported rules.

I see it for all the users. There is no problem with the same relying party when I use AD to sign in from ADFS. The issue is present only when the third-party IDP (claims provider) is selected to log on.

There are no issues from the IDP side actually. It authenticates the user, ADFS approves it, and I get redirected to the Azure portal as expected. But Azure denies it with the error reported in this thread. Kindly help me here.

Thanks,

sikumars answered

Hello @BharathVenkataramakrishnan-5788,

You are trying the following article to configure integration with Office 365/Azure AD.

Scenario:

85318-image.png

Resolution:

We were able to resolve the issue after adding the custom rule below to the claims provider trust you created for federation with the third-party identity provider.

Custom Rule:

`c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);`

85382-image.png

The rule above transforms the "netbiosName" claim value into a "windowsaccountname" claim.

To learn more about ADFS claim rule, read:
https://docs.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-primer

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

sikumars answered

Hello @BharathVenkataramakrishnan-5788,

Thanks for reaching out.

According to the error message “AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user”, it seems that ADFS could not deliver the ImmutableID in the assertion (token).

To fix this issue, I would request you to verify that the claim rule below is present in the relying party trust, by opening ADFS Management on the ADFS server --> ADFS --> Relying Party Trusts --> right-click "Microsoft Office 365 Identity Platform" --> Edit Claim Issuance Policy:

`c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);`

Note: make sure the ImmutableID claim rule doesn't exist twice, because even a duplicate entry may cause this issue.

Also, we would like to share a link to a similar thread, which may provide you some suitable information regarding this error message:
https://social.technet.microsoft.com/Forums/en-US/95de802a-c304-465c-8907-def266767e1d/error-aadsts90020-the-saml-11-assertion-is-missing-immutableid-of-the-user?forum=winservergen

-------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
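
As an added example (not code from this thread or from Microsoft), a small Python checker that applies the logic of the two answers to exported rule text: it parses the claims provider trust rules and the relying party trust rules, then reports whether an ImmutableID rule exists, whether it is duplicated (the note above), and whether the input claim that rule needs is actually issued by the claims provider. The rule strings are constructed from the two rules posted in this thread; the assumption that the third-party claims provider only passes through a "netbiosName" claim is mine, not the poster's.

```python
import re

# The two claim types the thread hinges on; all rule text further below is constructed sample data.
WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Split rules on ';' only when an even number of '"' follows, so the ';' inside the AD query string survives.
STATEMENT_END = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rules(rule_text):
    """Return (input claim types, issued claim types) for each claim rule in the text."""
    rules = []
    for stmt in STATEMENT_END.split(rule_text):
        if "=>" not in stmt:
            continue
        cond, action = stmt.split("=>", 1)
        inputs = set(re.findall(r'Type\s*==\s*"([^"]+)"', cond))
        outputs = set(re.findall(r'\bType\s*=\s*"([^"]+)"', action))
        types_list = re.search(r'types\s*=\s*\(([^)]*)\)', action)  # store-backed issue(...)
        if types_list:
            outputs.update(re.findall(r'"([^"]+)"', types_list.group(1)))
        if re.search(r'issue\s*\(\s*claim\s*=\s*c\s*\)', action):  # pass-through rule
            outputs |= inputs
        rules.append((inputs, outputs))
    return rules

def diagnose(cp_rules, rp_rules):
    """List reasons the token handed to Azure AD could lack ImmutableID."""
    available = set().union(*(out for _, out in parse_rules(cp_rules)))
    imm_rules = [r for r in parse_rules(rp_rules) if IMMUTABLE_ID in r[1]]
    findings = []
    if not imm_rules:
        findings.append("no relying-party rule issues ImmutableID")
    if len(imm_rules) > 1:
        findings.append("ImmutableID is issued by %d rules (duplicate)" % len(imm_rules))
    for inputs, _ in imm_rules:
        for missing in sorted(inputs - available):
            findings.append("ImmutableID rule needs input %s, which the claims provider never issues" % missing)
    return findings

# Constructed sample: the third-party claims provider trust only passes a "netbiosName" claim through...
CP_BEFORE = 'c:[Type == "netbiosName"] => issue(claim = c);'
# ...until the custom rule from the first answer re-issues it as windowsaccountname.
CP_AFTER = CP_BEFORE + ('c:[Type == "netbiosName"] => issue(Type = "%s", Issuer = c.Issuer, '
                        'OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);' % WINDOWS_ACCOUNT)
# The Office 365 relying party rule from this answer; it only fires when windowsaccountname is present.
RP_RULES = ('c:[Type == "%s"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "%s"), '
            r'query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, '
            r'"(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);' % (WINDOWS_ACCOUNT, IMMUTABLE_ID))
```

Running `diagnose(CP_BEFORE, RP_RULES)` names the missing windowsaccountname input, `diagnose(CP_AFTER, RP_RULES)` returns no findings, and feeding the relying party rule twice reports the duplicate.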

BharathVenkataramakrishnan-5788 answered sikumars commented

74413-image.png



Should I delete these rules?



These rules are required when you are using "mS-DS-ConsistencyGuid" as the "SOURCE ANCHOR", as shown below. If not, then you can delete the rules above (from #2 to #5) and just add the previously suggested ImmutableID rule, which should work.

Could you please confirm whether this issue is specific to a set of users or affects all of them? Also, if possible, could you please export all of the existing ADFS issuance transform rules manually and share them with me so that I can verify them? Thanks.

74868-image.png


BharathVenkataramakrishnan-5788 answered BharathVenkataramakrishnan-5788 commented

I have deleted the rules 2 to 5 and configured the one you shared with me earlier. But no luck. The same error is displayed.

Here is the current set of rules.

75375-image.png




Could you please confirm whether this issue is specific to a set of users or affects all of them? Also, if possible, could you please export all existing ADFS issuance transform rules manually and share them with me so that I can verify them? Thanks.


Hi Team, any update on this issue? Any help here would be great.
