SAML SSO logginf with ADFS - InvalidNameIDPolicy

PawelP
Comes here often

SAML SSO logginf with ADFS - InvalidNameIDPolicy

Hi

We are trying enabling saml sso logging with our ADFS server


We follow meraki documentation and still have some issues

 

1. When using IDP ( login via our portal) it is working fine
2. When using SP approach - logging via Meraki dashboard 

We receive such error in meraki logs


Assertion validation error: The status code of the Response was not Success, was Requester => InvalidNameIDPolicy

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
</samlp:StatusCode>
</samlp:Status>


Maybe someone have working solution and can provide detailed configuration on ADFS site
I am sure that issue is somewhere in ADFS configuration but couldnt find where exactly

 

Regards
Pawel

 

5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal

By default, ADFS sends the NameId format as "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". You can adjust it. See: https://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PawelP
Comes here often

HI

Thanks for replay

Our admin already found this but so far no luck with setup it correctly

Still searching

PhilipDAth
Kind of a big deal
Kind of a big deal

For the love of the networking gods - do you have to use ADFS?  Could you use SAML against AzureAD, Duo, or any other SAML provider?  🙂

 

ADFS is a dying product, and the less you configure to use it, the less you'll have to migrate later.

PawelP
Comes here often

HI

We have tens of portals configured using ADFS and no problem so far

Anyway if Meraki still support it so I think it will not die soon, no oficial announcment found on Microsoft about it

So far it is our standard currently. Question to our admin what they plan for future

 

Regards

Fady
Meraki Employee
Meraki Employee

You need to create a transform rule with the below parameters.

 

Fady_0-1687841257334.png

 

Get notified when there are additional replies to this discussion.