Ping a Specific Port

Question

Ryan Fernandes

Asked: 2011-09-21 16:56:49 +0800 CST2011-09-21 16:56:49 +0800 CST 2011-09-21 16:56:49 +0800 CST

send NameID claim without encryption in ADFS 2.0

772

My Service Provider issues a SAML 2.0 AuthRequest with a NameIDPolicy tag like so:

<samlp:NameIDPolicy AllowCreate="true" 
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

This causes ADFS 2.0 to correctly issue a SAML Response containing an encrypted NameID token created by a rule similar to the one found here

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">    
        MyeHAMeGLojBt7fcc2DQtntXXFka0kybkR42ZTitTUs=</NameID>

So far so good, however, my Service Provider doesn't seem to understand the encrypted NameID claim and is expecting it to be unencrypted while at the same time having the name-format as transient

As per this document, ADFS2.0 treats request for transient or persistent NameID formats as privacy scenarios (and hence the encryption)

So my question then would be: Is there any way to have ADFS 2.0 generate the NameID claim with Format=transient and an unencrypted NameID like so:

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">Joe</NameID>

3 Answers

Voted

Brad Patton · Answer 1 · 2012-06-07T07:08:54+08:00

Brad Patton

2012-06-07T07:08:54+08:002012-06-07T07:08:54+08:00

We had a customer with an issue connecting to our web application. We wanted to disable encryption to help debug what we were receiving. These are the steps they used to disable encryption on their ADFS 2.0 server:

Click Start
Click Administrative Tools
Click Windows PowerShell Modules

Then, at the Windows PowerShell command prompt, type the following:

set-ADFSRelyingPartyTrust –TargetName “target” –EncryptClaims $False

5

Ryan Fernandes · Answer 2 · 2011-09-21T23:55:17+08:00

Ryan Fernandes

2011-09-21T23:55:17+08:002011-09-21T23:55:17+08:00

The way I've solved this goes like this:

Create a rule that extracts the UPN from AD
Create a transform rule that transforms the Incoming claim type: UPN to the Outgoing claim type: Name ID and choose the transient nameid-format from the 'Outgoing Name ID Format' dropdown

This causes AD to send the NameID in the format required:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">Joe</NameID>

(I'll leave this question 'unanswered' for a while incase someone has a better solution.

2

bored-adfs · Answer 3 · 2022-03-01T07:03:13+08:00

bored-adfs

2022-03-01T07:03:13+08:002022-03-01T07:03:13+08:00

1º get-ADFSRelyingPartyTrust –TargetName “target”-EncryptedNameIdRequired (This will tell you if ADFS encrypt the nameID claim)

if EncryptedNameIdRequired= false, try:

set-ADFSRelyingPartyTrust –TargetName “target”-EncryptedNameIdRequired $true (This will turn the value EncryptedNameIdRequired= true)

I tried on my lab, but switch the value doesnt make any impact. In my case formato is not Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>. I wonder if that affects the proof.

0

send NameID claim without encryption in ADFS 2.0

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?