I have integrated Azure login through ADFS and in ADFS I have a third-party claims provider configured which will do multi-factor authentication.
But after I logon to the ADFS through the claim provider, I configured I get the following error. Could someone help me here.
Request Id: ae31a9f4-d84a-4042-bdb6-f39506a8f200
Correlation Id: 49c2fd45-82d8-44fa-8d5d-b81711ce48d3
Timestamp: 2021-03-03T08:46:18Z
Message: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.
82173-azure-adfs-relying-party-rules-exported.pdf
PFA exported rules.
I see for all the users. There is no problem with the same relying party when I use AD to sign-in from ADFS. The issue is present only when the third-party IDP (claim provider) is selected to logon.
There are no issues from the IDP side actually. It authenticates the user and ADFS approves the same and getting redirected to the Azure portal as expected. But azure denies it with the error reported in this thread. Kindly help me here.
Thanks,
Hello @BharathVenkataramakrishnan-5788,
You are trying following article to configure Integration with Office 365/Azure AD.
Scenario:
Resolution:
We were able to resolve the issue after adding below custom rule from claim provider trust you were created for federation with third party Identity provider.
Custom Rule:
c:[Type == "netbiosName"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Above rule would transform "netbiosName" value as "windowsaccountname"
To learn more about ADFS claim rule, read:
https://docs.microsoft.com/en-us/archive/blogs/askds/ad-fs-2-0-claims-rule-language-primer
Hope this helps.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @BharathVenkataramakrishnan-5788,
Thanks for reaching out.
According to error message about “AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user”, it seems to be ADFS could not delivery ImmutableID in assertion (Token).
To fix this issue, I would request you to verify if below mentioned claim present in Relying party trust, by opening ADFS Management in ADFS server --> ADFS --> Relying party trust --> Right click on "Microsoft Office 365 Identity Platform" --> Edit claim issuance policy -->
`c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Note: make sure ImmutableID claim rule doesn't existing twice, because even duplicate entry may cause issue.
also, we would like to share one similar thread URL link, it may provide you some suitable
information regarding this error message:
https://social.technet.microsoft.com/Forums/en-US/95de802a-c304-465c-8907-def266767e1d/error-aadsts90020-the-saml-11-assertion-is-missing-immutableid-of-the-user?forum=winservergen
-------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Should I delete these rules.?
These rules require when you are using "SOURCE ANCHOR" as "mS-DS-ConsistencyGuid" as shown below? if not then you can delete above rules ( from #2 to #5) and just add previously suggested ImmutableID rule which should work.
Could you please confirm, this issue is specific with setup of users or with all ? also if possible could you please export manually all of existing ADFS issuance transform rule and share with me so that I can verify it? Thanks.
I have deleted the rules 2 to 5 and configured the one you shared with me earlier. But no luck. The same error is displayed.
Here are the current set of rules.
Could you please confirm, this issue is specific with setup of users or with all ? also if possible could you please export all existing ADFS issuance transform rule manually and share with me so that I can verify it? Thanks.
Hi Team, Any update on this issue.? Any help here would be great.
3 people are following this question.
