Send NameID claim without encryption in ADFS 2.0

adfs

My Service Provider issues a SAML 2.0 AuthnRequest with a NameIDPolicy tag like so:

<samlp:NameIDPolicy AllowCreate="true" 
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

This causes ADFS 2.0 to correctly issue a SAML Response containing an encrypted NameID token created by a rule similar to the one found here:

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">    
        MyeHAMeGLojBt7fcc2DQtntXXFka0kybkR42ZTitTUs=</NameID>

So far so good; however, my Service Provider doesn't seem to understand the encrypted NameID claim and is expecting it to be unencrypted while at the same time having the name format as transient.

As per this document, ADFS 2.0 treats requests for transient or persistent NameID formats as privacy scenarios (hence the encryption).

So my question then would be:
Is there any way to have ADFS 2.0 generate the NameID claim with Format=transient and an unencrypted NameID like so:

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">Joe</NameID> 

Best Answer

We had a customer with an issue connecting to our web application. We wanted to disable encryption to help debug what we were receiving. These are the steps they used to disable encryption on their ADFS 2.0 server:

  • Click Start
  • Click Administrative Tools
  • Click Windows PowerShell Modules
  • Then, at the Windows PowerShell command prompt, type the following:

    Set-ADFSRelyingPartyTrust -TargetName "target" -EncryptClaims $False
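The procedure above, written out as a script that records the trust's current state, applies the change and verifies it. This is an added example, not code from the answer or from Microsoft; it assumes the relying party trust's display name is "target" (a placeholder, as in the answer) and that it is run in an elevated PowerShell session on the ADFS 2.0 server. EncryptClaims controls whether ADFS encrypts the claims (the SAML assertion) it issues to that trust; turning it off is a debugging aid that leaves the assertion protected only by its signature and by TLS, so the script also records the old value so you can put it back afterwards.

```powershell
# Added example (not from the original answer): disable claim/assertion encryption
# on one ADFS 2.0 relying party trust for debugging, showing the before/after state.
# Assumptions: the trust's display name is "target" (placeholder); run elevated on
# the ADFS 2.0 server. The "Windows PowerShell Modules" shortcut loads the snap-in
# for you; a plain PowerShell window needs the Add-PSSnapin call below.

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0 ships its cmdlets as a snap-in
}

$rpName = "target"   # placeholder display name of the relying party trust

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "No relying party trust named '$rpName'" }

# Record the current state so it can be restored after debugging. Also show the
# encryption certificate (without one ADFS cannot encrypt for this trust anyway)
# and the separate per-trust NameID setting, EncryptedNameIdRequired.
$originalEncryptClaims = $rp.EncryptClaims
$certSubject = if ($rp.EncryptionCertificate) { $rp.EncryptionCertificate.Subject } else { "<none>" }
"Before: EncryptClaims=$($rp.EncryptClaims) EncryptedNameIdRequired=$($rp.EncryptedNameIdRequired) EncryptionCertificate=$certSubject"

# Turn off encryption of the claims issued to this trust.
Set-ADFSRelyingPartyTrust -TargetName $rpName -EncryptClaims $false

# Verify the change took effect before relying on it.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if ($rp.EncryptClaims) { throw "EncryptClaims is still enabled for '$rpName'" }
"After:  EncryptClaims=$($rp.EncryptClaims) (was $originalEncryptClaims)"

# When finished debugging, restore the previous setting:
# Set-ADFSRelyingPartyTrust -TargetName $rpName -EncryptClaims $originalEncryptClaims
```

Run it once, capture the now-readable SAML Response at the Service Provider, and re-enable encryption with the commented-out line at the end; leaving EncryptClaims off in production means every claim in the assertion is visible to anything that can read the POST body at the SP side.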