ADFS SSO – LDAP Attributes as Claims – UPN as NameID – NameID Missing from SAML Response for users whose UPN is changed

adfssingle-sign-on

ADFS SSO setup with Salesforce which uses UPN as NameID, has following configuration ADFS.

Claim Rule Template: Send LDAP Attributes as Claims
Claim Rule Name: Send the UPN as NameID 
LDAP Attribute: User Principal Name
Outgoing Claim Type: Name ID

Everything works for all users. However when UPN of a user is changed, SAML response from ADFS doesn't contain NameID tag in Subject tag. What might be the reason of the strange behavior?

Best Answer

Reading this blog (http://www.jonathanhardison.com/index.php/2012/07/05/adfs-2-0-claims-incomplete-or-wrong-on-username-change/), we restarted the server & issue got resolved.

Looks like ADFS caches the data, restarting ADFS cleared cache.

Related Solutions

Send NameID claim without encryption in ADFS 2.0

We had a customer with an issue connecting to our web application. We wanted to disable encryption to help debug what we were receiving. These are the steps they used to disable encryption on their ADFS 2.0 server:

Click Start
Click Administrative Tools
Click Windows PowerShell Modules

Then, at the Windows PowerShell command prompt, type the following:

set-ADFSRelyingPartyTrust –TargetName “target” –EncryptClaims $False

ADFS – Combining Claims from Provider Trusts and AD

Yes, that should work. If you control the claim rules on the hosted ADFS and if you have some key from the Corp ADFS in a claim, then you can do the regular AD search claim rule with that key.

Best Answer

Related Solutions

Send NameID claim without encryption in ADFS 2.0

ADFS – Combining Claims from Provider Trusts and AD

Related Topic