Subject NameID, BaseID and EncryptedID cannot be all null at the same time if there are no Subject Confirmations - Fluid Topics - 3.11

Fluid Topics Configuration and Administration Guide

Category
Reference Guides
Audience
public
Version
3.11

This error is raised when the ADFS configuration is incomplete: the SAML assertion that ADFS returns to Fluid Topics carries no identifier in its "Subject" element, so the user cannot be identified.

The following lines show the "Subject" element of a SAML response produced by such an invalid ADFS configuration, where "NameID" is missing:

<Subject>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_yhvqjtty3lt3blmkysfq83joeruv4oxou50krmv"
      NotOnOrAfter="2018-04-12T08:05:51.088Z"
      Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>

A valid ADFS configuration produces the following response, where "NameID" is present and no error is raised:

<Subject>
  <NameID>jdoe@mycompany.com</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_yhvqjtty3lt3blmkysfq83joeruv4oxou50krmv"
      NotOnOrAfter="2018-04-12T08:05:51.088Z"
      Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>
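To confirm that the "Subject" element is the cause before touching ADFS, the decoded SAMLResponse can be inspected on the administrator's workstation. The following PowerShell function is an added example, not part of the Fluid Topics guide; it reports which identifier elements and how many SubjectConfirmation elements a Subject contains, and is run here against two constructed snippets equivalent to the responses above. It assumes the SAMLResponse has already been Base64-decoded to XML text (for example from a browser network trace).

```powershell
# Added example (not from the Fluid Topics guide): inspect the Subject of a
# decoded SAML response and report whether it carries a usable identifier.
function Test-SamlSubject {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    # local-name() matches the element whether or not it carries a saml:/saml2: prefix
    $subject = (Select-Xml -Xml $doc -XPath "//*[local-name()='Subject']").Node
    if (-not $subject) { throw 'No Subject element found in the response' }

    $identifiers = @('NameID', 'BaseID', 'EncryptedID') | Where-Object {
        $null -ne $subject.SelectSingleNode("*[local-name()='$_']")
    }
    $nameId = $subject.SelectSingleNode("*[local-name()='NameID']")
    $confirmations = $subject.SelectNodes("*[local-name()='SubjectConfirmation']").Count

    [pscustomobject]@{
        Identifiers          = if ($identifiers) { $identifiers -join ',' } else { '(none)' }
        NameID               = if ($nameId) { $nameId.InnerText } else { $null }
        SubjectConfirmations = $confirmations
        HasIdentifier        = [bool]$identifiers
    }
}

# Constructed sample: Subject from an invalid ADFS configuration (no NameID).
$missingNameId = @'
<Subject>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_abc" NotOnOrAfter="2018-04-12T08:05:51.088Z"
      Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>
'@

# Constructed sample: Subject from a valid ADFS configuration (NameID present).
$withNameId = @'
<Subject>
  <NameID>jdoe@mycompany.com</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_abc" NotOnOrAfter="2018-04-12T08:05:51.088Z"
      Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>
'@

Test-SamlSubject -Xml $missingNameId   # HasIdentifier = False, Identifiers = (none)
Test-SamlSubject -Xml $withNameId      # HasIdentifier = True, NameID = jdoe@mycompany.com
```

A result with HasIdentifier set to False on a response that ADFS did sign and that Fluid Topics rejected with this error points at the claim rules of the relying party trust rather than at certificates, endpoints or clock skew.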

To correct this incomplete ADFS configuration, the relying party trust for Fluid Topics must be configured to issue at least a Name ID claim:

  1. Edit the claim issuance rules of the relying party trust.
  2. Add an issuance transform rule based on the "Send LDAP Attributes as Claims" template.
  3. Select User-Principal-Name as the LDAP attribute and Name ID as the outgoing claim type.
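The same change can be made from the ADFS PowerShell module on the federation server, which is easier to review and to repeat across environments than the GUI. The script below is an added example, not part of the Fluid Topics guide or of ADFS itself; it appends a claim rule equivalent to the three steps above. The trust display name "Fluid Topics" is an assumption and must be replaced by the display name of the actual relying party trust.

```powershell
# Added example (not from the Fluid Topics guide): add a Name ID issuance rule
# to the Fluid Topics relying party trust with the ADFS PowerShell module.
Import-Module ADFS

$trustName = 'Fluid Topics'   # assumption: display name of the relying party trust

# Claim rule language produced by the "Send LDAP Attributes as Claims"
# template when User-Principal-Name is mapped to the Name ID claim type.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# Append to the existing issuance transform rules instead of replacing them,
# so attribute rules already configured for the trust are preserved.
$existingRules = $trust.IssuanceTransformRules
if ($existingRules -match 'claims/nameidentifier') {
    Write-Host "A Name ID rule already exists for '$trustName'; nothing changed."
} else {
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ($existingRules + "`n" + $nameIdRule)
    Write-Host "Name ID rule added to '$trustName'."
}

# Verify: the nameidentifier rule must now be part of the trust's issuance rules.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

A rule created this way emits the NameID without a Format attribute. If the service provider additionally requires a specific format (such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress), a second rule based on the "Transform an Incoming Claim" template is needed to set the format on the outgoing Name ID claim.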