Here is the way authentication is set up. - Client Browser sends the request (URL below) to client's ADFS server, - Client ADFS then look at the nested relay state and forward the request to our ADFS server. - Our ADFS look at the request and send the request to our APP.
URL is here.
https://clientadfs.clientdomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2ouradfs.ourdomain.com%2Fadfs%2Fls%2F%26RelayState%3DRPID%3Dhttps%3A%2F%2ourapp.ourdomain.com%2Fvaruna%2Fconsole%2Fsso.aspx%3FsamISso%26lang%3Den_CA
The request produces a blank page with no error on the ADFS server.
I got the fiddler trace the client. Client uses users' email address to identify the users. I can see in the SAML token sent to Client's ADFS has this email address. This SAML token goes to our ADFS server and I see the SAML response that come out of our ADFS server. This however does not have the user email address. I think that is the problem.
On our ADFS server, I have this Client's claim (on Claims Provider Trust) to handle user ID (which is their email):
Claim Rule name: Email Incoming Claim type: Name ID Incoming Name ID format: Email Outgoing Name ID format: Email Pass through all claim values.
Here is the claim in Claim Rule Language
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
=> issue(Type = "Email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
On client's ADFS config, this is their email/Userid configuration:
IssuanceTransformRules : @RuleTemplate = "LdapClaims"
@RuleName = "Pass email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccou
ntname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/20
05/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
I have no idea what I am doing wrong. Can anyone spot my issue? or can you suggest where I should look at?
Thanks for your help!
- RM