Forum Discussion
SAML with ADFS getting attribute not present
When setting up SAML between the APM as the SP and ADFS as IdP, we are getting the following error:
SAML Agent: /Common/policy.connect.customer.com_act_saml_auth_ag SAML assertion is invalid, error: AuthenticationStatement must have AuthnInstant attribute
This appears to be a problem with ADFS, but I am not familiar enough with it to make suggestions to the MS engineer.
Any help would be appreciated.
10 Replies
- Christian_Baco1 (Nimbostratus)
Hi David, Currently, I think you have to add a SAML Attribute to your Active Directory Schema. - Did this solve your issue David? I'm running into the same error but in a very different environment.
- Kevin_Stewart (Employee)
Can either of you describe your environments? I've tried exhaustively to replicate this error message.
- MXV_164448 (Nimbostratus)
Hi All, Did anyone get a solution for this error?
- MXV_164448 (Nimbostratus)
I got some result changing the default claims to email instead of UPN.
- jban_198207 (Cirrus)
Anyone solve this? I have the same issue:
SAML Agent: /Common/xyz_act_saml_auth_ag SAML assertion is invalid, error: AuthenticationStatement must have AuthnInstant attribute
- jban_198207 (Cirrus)
Hi,
For the AuthnInstant attribute, I solved it on the ADFS side.
Exception details: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: ...
So, I added claim rules on ADFS that solved this issue:
Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "Your_SPNameQualifier_Qualifier_Issue");
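The thread shows two distinct symptoms of one broken SP/IdP negotiation: the APM agent complaining that the AuthnStatement has no AuthnInstant, and ADFS logging MSIS7070 because the issued NameID did not satisfy the requested NameIDPolicy. The following diagnostic is an added example (not from the thread or from F5/Microsoft) that inspects a decrypted, unsigned SAML Response for both conditions; the sample response and the requested policy values are constructed, and the code does no signature validation, so it is a troubleshooting aid, not a substitute for the SP's own checks.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Per SAML Core 3.4.1.1 either "unspecified" URI lets the IdP choose any format;
# the ADFS in this thread was stricter and raised MSIS7070 instead.
UNSPECIFIED = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}

# Constructed sample (not a real capture), shaped like an ADFS response:
# the AuthnStatement deliberately lacks AuthnInstant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u1</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, requested_format=None, requested_sp_qualifier=None):
    """Return a list of findings; an empty list means both checks passed.
    requested_format / requested_sp_qualifier mirror the SP's NameIDPolicy."""
    root = ET.fromstring(xml_text)
    findings = []
    for assertion in root.iter(f"{{{NS['saml']}}}Assertion"):
        # Check 1: the error the APM SAML agent reports in this thread.
        for stmt in assertion.findall("saml:AuthnStatement", NS):
            if "AuthnInstant" not in stmt.attrib:
                findings.append("AuthnStatement must have AuthnInstant attribute")
        # Check 2: would the NameID satisfy the SP's NameIDPolicy (MSIS7070 territory)?
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            findings.append("Subject has no NameID")
            continue
        fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
        if requested_format and requested_format not in UNSPECIFIED and fmt != requested_format:
            findings.append(f"NameID Format {fmt} does not match requested {requested_format}")
        spq = name_id.get("SPNameQualifier")
        if requested_sp_qualifier and spq != requested_sp_qualifier:
            findings.append(f"NameID SPNameQualifier {spq!r} != requested {requested_sp_qualifier!r}")
    return findings
```

Run it against a response captured from the browser (base64-decoded SAMLResponse form field) to see which of the two conditions your ADFS is actually producing.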
I had this issue with ADFS 3.0. I fixed it by setting on the external IdP connector:
Security Settings: Authentication Request sent by this device to IdP Must be signed: SHA256
With this I was able to do SAML authentication with the following simple ADFS claim mapping:
SAM-Account-Name -> Name ID