BharathVenkataramakrishnan-5788 asked:

Unable to configure SAML Authentication through ADFS to an external IDP

I have integrated Azure login through ADFS, and in ADFS I have a third-party claims provider configured which does multi-factor authentication.
But after I log on to ADFS through the claims provider I configured, I get the following error. Could someone help me here?

Request Id: ae31a9f4-d84a-4042-bdb6-f39506a8f200
Correlation Id: 49c2fd45-82d8-44fa-8d5d-b81711ce48d3
Timestamp: 2021-03-03T08:46:18Z
Message: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.

I see this for all the users. There is no problem with the same relying party when I use AD to sign in from ADFS. The issue is present only when the third-party IDP (claims provider) is selected to log on.

There are actually no issues from the IDP side. It authenticates the user, ADFS approves the same, and the browser is redirected to the Azure portal as expected. But Azure denies it with the error reported above (attachment: 82662-azure-adfs-relying-party-rules-exported.pdf). Kindly help me here.


azure-ad-saml-sso

sikumars answered (edited):

Hello @BharathVenkataramakrishnan-5788,

You are following the article to configure integration with Office 365/Azure AD.

Scenario:

(image: 85318-image.png)

Resolution:

We were able to resolve the issue after adding the custom rule below to the claims provider trust you created for federation with the third-party identity provider.

Custom Rule:

c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

(image: 85382-image.png)

The above rule issues the incoming "netbiosName" claim value as a "windowsaccountname" claim.

To learn more about ADFS claim rule, read:
https://docs.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-primer

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
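The following is an added example, not code from the original poster or from Microsoft. It applies the acceptance transform rule from the answer above with the AD FS PowerShell module and then shows why the claim matters: with the standard Azure AD relying-party rules written by Convert-MsolDomainToFederated, the ImmutableID is read from objectGUID by an Active Directory query keyed on the windowsaccountname claim, so a login that arrives from an external claims provider without that claim yields an assertion with no ImmutableID, which is exactly what AADSTS90020 reports. The trust names "ThirdPartyMFA" and "Microsoft Office 365 Identity Platform" are assumptions; adjust them to your environment. Note the security consequence of the rule: the external IdP's netbiosName value becomes the lookup key for the AD account whose ImmutableID is issued, so the claims provider trust should be limited to an IdP you trust to assert that value only for its own users.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the primary AD FS server. Trust names below are assumptions.
Import-Module ADFS

$cpName = "ThirdPartyMFA"   # assumed display name of the claims provider trust

# Acceptance transform rule for the claims provider trust: pass the IdP's
# "netbiosName" claim through as a windowsaccountname claim, keeping the
# Issuer/OriginalIssuer so the claim's provenance stays visible downstream.
$cpRule = @'
@RuleName = "Issue windowsaccountname from netbiosName"
c:[Type == "netbiosName"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Append to any rules already on the trust instead of overwriting them.
$existing = (Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($existing + "`r`n" + $cpRule)

# Verify the rule landed.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules

# Show the relying-party rule that consumes the claim. The standard Azure AD
# rule looks like this (assumed here; check the exported rules on your RP):
#   c:[Type == ".../claims/windowsaccountname"]
#    => issue(store = "Active Directory",
#             types = ("http://schemas.xmlsoap.org/claims/UPN",
#                      "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
#             query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
#             param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
#             param = c.Value);
# Without a windowsaccountname claim this rule never fires and no ImmutableID
# is issued. The regexreplace strips DOMAIN\ if present, so either "DOMAIN\user"
# or a bare sAMAccountName from the IdP works as the netbiosName value.
$rpName = "Microsoft Office 365 Identity Platform"   # assumed RP trust name
((Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -split "`r?`n") |
    Select-String -Pattern "ImmutableID|windowsaccountname"
```

After applying the rule, sign in once via the third-party claims provider and confirm in the AD FS admin log (event 299/500/501 with claim tracing enabled) that the windowsaccountname claim appears in the claims pipeline before the Azure AD relying-party rules run.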



sikumars answered:

Thanks for reaching out.

This is being tracked in another similar thread: https://docs.microsoft.com/en-us/answers/questions/296674/index.html.

Regards,
Siva Kumar Selvaraj
