I'm an SP, using SP Initiated SSO to an IDP that's using ADFS.
Initially I had their PartnerIdentityProvider configured in my saml.config to use NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient".
I only set this because I used it successfully with a previous IDP partner.
However, when I send them an AuthNRequest, their response fails to send to me; it bombs out on their side with the following error:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token.
Any thoughts on this error? Can I just remove the optional NameIDFormat, and in what case would I have to specify it?
Also, I'm using the following on my side to reference their attributes:
IDictionary<string, string> attributes = (IDictionary<string, string>)Session[SAML.AssertionConsumerService.AttributesSessionKey];
Do the stored attributes also include their friendly name; can I search by friendly name?
Full error provided by the IDP:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
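The two questions above (when a NameIDPolicy in the AuthnRequest is mandatory, and whether attributes can be looked up by FriendlyName) can be worked through at the XML level. The following is an added example, not code from the post or from any SAML library: it builds a minimal AuthnRequest with or without a NameIDPolicy, applies the SAML 2.0 core rule an IdP checks before issuing a token (the rule behind the MSIS7070 error above, where the "Actual NameID properties" are empty because the issued token carried no NameID at all), and indexes an assertion's attributes by both Name and FriendlyName. The issuer, ACS URL and the sample Response are constructed for illustration and are not the poster's real configuration.

```python
"""Added example: SAML 2.0 NameIDPolicy matching and attribute lookup.

Standard library only.  Issuer, ACS URL and SAMPLE_RESPONSE are constructed
for this example and are not the poster's real configuration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(issuer, acs_url, nameid_format=None, allow_create=True):
    """Return a minimal AuthnRequest (unsigned; ID/IssueInstant omitted for brevity).

    NameIDPolicy is optional.  When it is omitted the IdP picks the NameID
    format itself; when a Format is given the IdP must satisfy it or refuse.
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                     {"Version": "2.0", "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    if nameid_format is not None:
        ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                      {"Format": nameid_format,
                       "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(req, encoding="unicode")


def requested_nameid_policy(authn_request_xml):
    """Return (Format, SPNameQualifier) from the request, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("Format"), policy.get("SPNameQualifier")


def nameid_satisfies_policy(policy, nameid_el):
    """SAML 2.0 core 3.4.1.1: no policy, or Format absent/unspecified, means
    any NameID (or none) is acceptable; otherwise the issued NameID must carry
    exactly the requested Format (and SPNameQualifier when one was requested)."""
    if policy is None:
        return True
    fmt, spq = policy
    if fmt and fmt != UNSPECIFIED and (nameid_el is None or nameid_el.get("Format") != fmt):
        return False
    if spq and (nameid_el is None or nameid_el.get("SPNameQualifier") != spq):
        return False
    return True


def check_response(authn_request_xml, response_xml):
    """Could an IdP issue this token for this request without a policy error?"""
    nameid = ET.fromstring(response_xml).find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return nameid_satisfies_policy(requested_nameid_policy(authn_request_xml), nameid)


def assertion_attributes(response_xml):
    """Return ({Name: value}, {FriendlyName: value}) from the AttributeStatement.

    Name is the canonical key; FriendlyName is optional, so an SP that wants
    to search by it has to build that index itself and tolerate its absence.
    """
    by_name, by_friendly = {}, {}
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        value = values[0] if len(values) == 1 else values
        by_name[attr.get("Name")] = value
        if attr.get("FriendlyName"):
            by_friendly[attr.get("FriendlyName")] = value
    return by_name, by_friendly


# Constructed sample: the IdP issued an emailAddress NameID and two attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                      FriendlyName="E-Mail Address">
        <saml:AttributeValue>user@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Staff</saml:AttributeValue>
        <saml:AttributeValue>Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    sp, acs = "https://sp.example.test", "https://sp.example.test/acs"
    print("transient requested:", check_response(build_authn_request(sp, acs, TRANSIENT), SAMPLE_RESPONSE))
    print("no policy:", check_response(build_authn_request(sp, acs), SAMPLE_RESPONSE))
    print(assertion_attributes(SAMPLE_RESPONSE)[1])
```

Requesting the transient format against this response fails the check (the IdP would refuse, as ADFS did with MSIS7070), while omitting NameIDPolicy or requesting the unspecified format passes. The second dictionary returned by assertion_attributes only has entries for attributes that actually carried a FriendlyName, so a lookup by friendly name has to handle the missing-key case.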