I am trying to set up an ADFS 2.0 IdP - simpleSAMLphp SAML SP configuration, and I am blocked: the errors reported by ADFS are nowhere to be found, even in the official ADFS documentation. I have successfully set up the relying party; from the SP app I get redirected to the IdP and I can authenticate, but upon redirection to the SP I get this:
The Federation Service could not fulfill the token-issuance request.
More than one claim based on SamlNameIdentifierClaimResource was produced after the issuance transform rules were applied for relying party 'url here'. Please see event 500 with the same instance id for claims after application of issuance transform rules.
Additional Data
Instance id: 44ef5c64-7bcb-4766-9016-75034b4fd7eb
User Action
Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.
Also, a warning:
More information for the event entry with instance id 44ef5c64-7bcb-4766-9016-75034b4fd7eb.
There may be more events with the same instance id with more information.
Instance id:
44ef5c64-7bcb-4766-9016-75034b4fd7eb
Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
user name i used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
user name i used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
CKTECHNO\user name i used
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-08T14:30:46.465Z
Here is my conf:
I searched everywhere, there is no mention of this type of error. Even the event 500 I don't seem to find in the MS docs. Any help is greatly appreciated. Thanks!
Thanks @nzpcmad, the problem was indeed the fact that the account name is added by default, as are the groups, and I was creating it twice. It's really a shame that this is not clearly specified, as you can't really tell that this is the case. Problem solved.
First of all, +1 for well-documented question.
I suspect the problem is because the Windows account name is one of the built-in claims. What happens if you remove the mapping for sAMAccountName (i.e. just have the transform)?
Also, it is more usual to use the email name. That's the one I always use.
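As an added illustration (not part of the question or the answer above), here is what the two rule shapes this thread is about look like in ADFS claim rule language, together with the PowerShell used on ADFS 2.0 to inspect a relying party's issuance transform rules, count how many of them issue a NameID, and replace them with a single rule. The SP entity ID, the rule names and the choice of the `unspecified` NameID format are assumptions; substitute the values of the trust in question.

```powershell
# Added example, not the poster's configuration. The relying party identifier
# and rule names below are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 only; 2012+ autoloads the module

$rpId = "https://sp.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"   # assumed SP entityID

# Counts rules whose issue() body names the nameidentifier claim type.
# Two or more is what ADFS reports as "More than one claim based on
# SamlNameIdentifierClaimResource". A pass-through of an incoming
# nameidentifier (issue(claim = c)) is not caught, so still read the rule text.
function Get-NameIdRuleCount([string]$RuleText) {
    [regex]::Matches($RuleText, '=>\s*issue\([^;]*claims/nameidentifier').Count
}

$rp = Get-ADFSRelyingPartyTrust -Identifier $rpId
$rp.IssuanceTransformRules                                 # show what is configured today
"Rules issuing NameID: $(Get-NameIdRuleCount $rp.IssuanceTransformRules)"

# What the question's setup amounts to: an LDAP attribute rule mapping
# sAMAccountName to NameID ("user") plus a transform of the Windows account name,
# which the AD claims provider already supplies, to NameID ("DOMAIN\user").
# Both fire, so the token would carry two NameIDs and ADFS refuses to issue it.
$duplicateRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Windows account name as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
"Duplicate set issues NameID $(Get-NameIdRuleCount $duplicateRules) times"   # 2

# The fix: exactly one rule produces the NameID. The transform is kept and given
# an explicit NameID format so the SP knows how to interpret the value.
$fixedRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Windows account name as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

if ((Get-NameIdRuleCount $rp.IssuanceTransformRules) -gt 1) {
    Set-ADFSRelyingPartyTrust -TargetIdentifier $rpId -IssuanceTransformRules $fixedRules
}
```

Which of the two values you keep matters beyond making the error go away: the SP keys its session and any account mapping on the NameID it receives, so `user` and `CKTECHNO\user` are different identities from its point of view. Decide on one (or, as the answer suggests, the e-mail address) and make sure no other rule, including the default Windows account name pass-through, issues a second one.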