Hello @Dinesh Loganathan
Welcome to the Microsoft Q&A and thank you for posting your questions here. To restate your question: you encountered the error "SAML 1.1 Assertion is missing ImmutableID" and need guidance on creating a rule in ADFS, but you are not sure whether to create a claim rule, a claim issuance policy, or both.
Most of all, in the context of Active Directory Federation Services (ADFS), you typically create a claim rule to address issues related to claims transformation and issuance. A claim rule is used to define how incoming claims from an identity provider (IdP) are processed and transformed before being sent to a relying party (RP).
Also, for the specific issue of mapping the ImmutableID attribute when using Shibboleth as a second claims provider in your ADFS setup, you should create a claim rule.
Therefore, I have provided guidance here on the required solution and on how to create a claim rule. To resolve the SAML 1.1 Assertion missing ImmutableID issue in your ADFS setup with Shibboleth, you need to create a claim rule to map the ImmutableID attribute correctly. The ImmutableID attribute is crucial for Office 365 to correctly identify and match the user.
Here are the steps to create a claim rule in ADFS:
- Open the ADFS Management Console: Navigate to "Start" > "Administrative Tools" > "AD FS Management."
- Add Claim Rule: In the ADFS Management Console, select the "Trust Relationships" node in the left pane. Right-click on "Relying Party Trusts" and choose "Add Relying Party Trust" to open the wizard.
- Claim Rule Configuration: Follow the wizard to configure the relying party trust settings until you reach the "Issuance Authorization Rules" page.
- Add Claim Rule: Click on "Add Rule" to open the "Add Issuance Authorization Claim Rule" wizard.
- Choose Rule Type: Choose "Send Claims Using a Custom Rule" and click "Next."
- Configure Rule:
  Enter a meaningful name for the rule.
  Enter something similar to the following as the custom rule language to map the ImmutableID attribute:

    c:[Type == "http://schemas.xmlsoap.org/claims/UPN", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = ";objectGUID;{0}", param = c.Value);

  This rule essentially says that if the claim type is UPN and comes from the AD Authority (your Windows AD), it should issue an ImmutableID using the objectGUID.
- Complete Wizard: Click "Finish" to complete the claim rule creation.
- Apply Changes: Ensure to apply the changes to the relying party trust.
- Test: After configuring the claim rule, test the login process again to Office 365 using Shibboleth as the second claims provider. This claim rule should resolve the SAML 1.1 Assertion missing ImmutableID issue. Ensure that the rule is correctly configured and the syntax is accurate. Adjustments might be necessary based on your specific configuration.

NOTE: The information provided here is based on general knowledge.

I hope this is helpful! Do not hesitate to let me know if you have any other questions. Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

Best Regards,
Sina Salam
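The same rule can be applied from PowerShell instead of the wizard. The following is an added example by the editor, not part of Sina Salam's answer or of Microsoft's documentation: it appends the answer's ImmutableID rule to the issuance transform rule set of the Office 365 relying party trust with the ADFS module, after saving a copy of the current rules so the change can be reverted. The display name "Microsoft Office 365 Identity Platform", the backup location and the @RuleName label are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original answer). Run on the primary ADFS server
# as an administrator; requires the ADFS PowerShell module (ADFS 2012 R2+).
Import-Module ADFS

# Assumed display name of the Office 365 relying party trust.
$rpName = "Microsoft Office 365 Identity Platform"
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Save the current issuance transform rules before changing anything.
$stamp      = Get-Date -Format "yyyyMMddHHmmss"
$backupPath = Join-Path $env:TEMP ("AdfsRules-{0}-{1}.txt" -f ($rpName -replace '[^\w]', '_'), $stamp)
$rp.IssuanceTransformRules | Out-File -FilePath $backupPath -Encoding UTF8

# The claim rule from the answer, with an assumed @RuleName label.
$immutableIdRule = @'
@RuleName = "Issue ImmutableID from objectGUID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = ";objectGUID;{0}", param = c.Value);
'@

if ($rp.IssuanceTransformRules -match 'ImmutableID') {
    # Do not add a second ImmutableID rule; two rules issuing the same claim type
    # would send conflicting values to Office 365.
    Write-Host "An ImmutableID rule already exists; no change made. Current rules saved to $backupPath"
} else {
    $newRules = ($rp.IssuanceTransformRules).TrimEnd() + "`r`n`r`n" + $immutableIdRule
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules
    Write-Host "ImmutableID rule appended. Previous rules saved to $backupPath"
}

# Show the resulting rule set for review.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The check for an existing ImmutableID rule is deliberate: if the trust already issues that claim from another attribute (for example through Shibboleth), appending this rule would make the trust emit two ImmutableID values, and Office 365 matching would become unpredictable. Compare the saved backup against the new output before testing a sign-in.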