Question

DomenicoBochicchio-3246 asked:

ADFS - AAD integration - No AzureAD Connect - SAML ImmutableID error

Hello everyone,

I'm working on enabling login to an ADFS-federated Enterprise Web App through AAD SAML. I haven't found any good documentation on the matter (or blog post) which describes my specific use case, so I'm mostly doing trial and error. I know there are a few Microsoft doc pages about federating enterprise apps and ADFS, but in my case I need to strictly avoid using Azure AD Connect, so I'm stuck without any reliable documentation (that I've found so far).

Background info on the situation and overview

The SAML cycle should be SP initiated (starts on the ADFS authentication page) by choosing the AAD-based login on the login.microsoftonline.com/app_id page and then bringing the user back to the application page.

The IdP should be Azure Active Directory (where the users should be stored, also AAD should pass the claims to ADFS) and that's pretty much the bulk of the relevant information.

Now, a few weeks ago I had it all set up (enterprise app created in my Azure tenant, federation metadata document imported in the relying party trust I created in ADFS corresponding to the web app, thumbprint added in the web config for the IIS web application, endpoints configured in the Relying Party's properties, all of the relevant properties set in Azure in terms of application ID and assertion consumer service URL) and everything except the claim passthrough was configured and working properly.

I logged in through the ADFS page, chose the Enterprise Application amongst the "Tiles", got redirected to the login.microsoftonline page, logged with the user, got redirected again to the application page where I got an applicative error due to no claims (of course, since I hadn't configured this part yet). All good.

The problem at hand:

Recently, I picked the matter up again and I noticed that in Azure I have a new claim configured (unless I'm hallucinating and it's always been there?). I'm having a hard time uploading an image, so

https://imgur.com/a/MlfMakz

this is what I'm talking about. I haven't changed this part, and now when I log in I'm getting this error

https://imgur.com/a/JAIuXzV

on the /wsfed endpoint of the login.microsoftonline/appid page that the authentication process takes me to (after inserting my credentials).

Does anyone know how to handle this? If any additional information is required to make the scenario clearer, please let me know. I have already tried the Azure embedded troubleshooting tool that is supposed to take in the error code and give you assistance in solving the problem, but it doesn't recognize this one. Also, advanced troubleshooting disables itself every time I enable it and refresh (extensionless, updated Chrome).

Thanks a lot in advance



1 Answer

amanpreetsingh-msft answered:

@DomenicoBochicchio-3246 If I understood your scenario correctly, you have an application with an SP-initiated sign-in flow that redirects to ADFS, and after successful authentication ADFS then redirects to Azure AD with a SAML token. Azure AD is now supposed to receive the SAML token and issue ID and access tokens. That is where you encounter error AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user. If that is the case, you need to have the below issuance transform claim rule on your ADFS server for the Office 365 relying party:

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

The above claim rule should take care of the AADSTS90020 error, but as far as I know, Azure AD would still require the user to be synced to it to complete the authentication and authorization.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

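The transform rule in the answer only rewrites an ImmutableID claim that an earlier rule has already placed in the pipeline; if no rule issues one, it matches nothing and AADSTS90020 persists. As an added example, not the answer's own or a Microsoft script, the following PowerShell adds both the standard ImmutableID-from-objectGUID lookup and the transform to the relying party trust without duplicating rules that already exist, then verifies the result; the trust display name in $RpName and the use of base64 objectGUID as the source anchor are assumptions.

```powershell
# Added example (not from the answer above). Assumptions: the relying party trust display
# name in $RpName, and that Azure AD expects the base64-encoded objectGUID as ImmutableID
# (the default source anchor). Run in an elevated session on the ADFS server.
Import-Module ADFS

$RpName = 'Azure AD (sts.windows.net)'   # placeholder: your relying party trust display name

# Rule 1: query AD for the authenticated user's UPN and objectGUID and issue both as claims.
# The Active Directory attribute store returns objectGUID base64-encoded, which is the
# ImmutableID format Azure AD checks for. Without this rule, rule 2 has no incoming
# ImmutableID claim to act on.
$ImmutableIdRule = @'
@RuleName = "Issue UPN and ImmutableID from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN",
             "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
    query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
    param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
    param = c.Value);
'@

# Rule 2: the transform from the answer, emitting ImmutableID as the SAML 1.1 NameID.
$NameIdRule = @'
@RuleName = "Issue ImmutableID as SAML 1.1 nameidentifier"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    Value = c.Value,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
      = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $Rp) { throw "Relying party trust '$RpName' not found" }

# Append only the rules that are missing, so re-running the script does not duplicate them.
$Rules = [string]$Rp.IssuanceTransformRules
foreach ($Rule in @($ImmutableIdRule, $NameIdRule)) {
    $Name = ([regex]'@RuleName = "([^"]+)"').Match($Rule).Groups[1].Value
    if ($Rules -notmatch [regex]::Escape($Name)) { $Rules = $Rules.TrimEnd() + "`n`n" + $Rule }
}
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Rules

# Verify: both claim types must now appear in the trust's issuance rules.
$Check = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
foreach ($Type in 'LiveID/Federation/2008/05/ImmutableID', 'identity/claims/nameidentifier') {
    if ($Check -notmatch [regex]::Escape($Type)) { throw "Rule issuing $Type is missing on $RpName" }
}
```

After applying, capture one sign-in with ADFS auditing enabled (event 500/501 in the AD FS/Admin log on the server) to confirm the ImmutableID and nameidentifier claims are actually issued for the test user before re-testing against Azure AD.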

Hi @amanpreetsingh-msft and thank you so much for answering.

I already tried that solution (I got it from here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/6942909c-07de-427c-a16a-603c99af33ad/how-to-change-claim-type-of-relying-party-trust-from-saml-20-to-saml-11?forum=ADFS) and I applied it to the claims issuance policy for the relying party in question (see image below).

https://imgur.com/a/9k8iImp

However, I'm still getting the same error during the authentication flow.

I'm not a huge expert in this kind of integration, so I want to specify that the rest of the instances of this web application are federated on ADFS by using ADFS itself as IdP, Active Directory as attribute store, and custom claim issuance rules that extract and pass the attributes to the security module of our application after the AuthN and AuthZ from AD FS, so this scenario is kind of a first.

PART 2:

The relying party in this case is the name of the application instance to federate (https://myapplication.certificate.com/). I added login.microsoftonline.com/app_id/saml2 as the POST SAML endpoint in the RP configuration (should it be POST, redirect or artifact here? I'm not sure), left the WS-Fed endpoint as login.microsoftonline.com/app_id/wsfed, and added sts.windows.net/app_id (see image below) as the RP identifier.

https://imgur.com/a/SPfihKt