This issue may occur when the ADFS configuration is not valid.
The following lines show an example of the "Subject" part of a SAML
response produced by an invalid ADFS configuration, where the "NameID"
element is missing:
<Subject>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_yhvqjtty3lt3blmkysfq83joeruv4oxou50krmv"
                             NotOnOrAfter="2018-04-12T08:05:51.088Z"
                             Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>
A valid ADFS configuration results in the following response, where "NameID"
is present and no error is raised:
<Subject>
  <NameID>jdoe@mycompany.com</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_yhvqjtty3lt3blmkysfq83joeruv4oxou50krmv"
                             NotOnOrAfter="2018-04-12T08:05:51.088Z"
                             Recipient="https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany" />
  </SubjectConfirmation>
</Subject>
To correct this incomplete ADFS configuration, configure the SAML response of ADFS so that it includes at least a NameID
for the SAML exchange:
- Edit the claim rules of the trust relationship.
- Add an issuance rule using LDAP attributes.
- Select User-Principal-Name as the incoming claim and Name ID as the outgoing claim.
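To confirm from a captured response whether the fix took effect, the following check parses the "Subject" of a SAML 2.0 assertion and reports a missing NameID (or missing bearer confirmation data). This is an added example, not part of the original page or of Fluid Topics; the two embedded fragments are constructed from the examples above, with the SAML 2.0 assertion namespace a real ADFS response carries.

```python
# Added diagnostic: parse the <Subject> of a SAML 2.0 assertion and report
# whether the NameID the service provider requires is present.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _find(node, local_name):
    """Return the first descendant whose local name matches, ignoring any namespace."""
    for el in node.iter():
        if el is not node and el.tag.split("}", 1)[-1] == local_name:
            return el
    return None


def check_subject(xml_text):
    """Return the NameID (None if absent) and a list of problems found in the Subject."""
    root = ET.fromstring(xml_text)
    subject = root if root.tag.split("}", 1)[-1] == "Subject" else _find(root, "Subject")
    if subject is None:
        return {"name_id": None, "problems": ["no <Subject> element"]}
    problems = []
    name_id_el = _find(subject, "NameID")
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    if not name_id:
        problems.append("NameID missing: ADFS issuance rule for Name ID is not configured")
    conf = _find(subject, "SubjectConfirmation")
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation with bearer method missing")
    data = _find(subject, "SubjectConfirmationData")
    if data is None:
        problems.append("SubjectConfirmationData missing")
    else:
        for attr in ("Recipient", "NotOnOrAfter"):
            if not data.get(attr):
                problems.append(f"SubjectConfirmationData lacks {attr}")
    return {"name_id": name_id, "problems": problems}


# Constructed samples mirroring the two Subject fragments on this page.
CALLBACK = "https://myportal.fluidtopics.net/api/authentication/sso/saml-mycompany/callback?client_name=saml-mycompany"
INVALID_SUBJECT = f"""<Subject xmlns="{SAML_NS}">
  <SubjectConfirmation Method="{BEARER}">
    <SubjectConfirmationData InResponseTo="_yhvqjtty3lt3blmkysfq83joeruv4oxou50krmv"
        NotOnOrAfter="2018-04-12T08:05:51.088Z" Recipient="{CALLBACK}" />
  </SubjectConfirmation>
</Subject>"""
VALID_SUBJECT = INVALID_SUBJECT.replace(
    "<SubjectConfirmation ", "<NameID>jdoe@mycompany.com</NameID>\n  <SubjectConfirmation ", 1)

if __name__ == "__main__":
    for label, doc in (("invalid", INVALID_SUBJECT), ("valid", VALID_SUBJECT)):
        print(label, check_subject(doc))
```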