Use AD FS Help Claims X-Ray to authenticate against AD FS
- In the output, expand the section Token Signing Certificate to get the thumbprint and Token Signing certificate
- Check the Validity Start and Validity End dates
If the certificate has expired and is not valid, follow the instructions at Obtain and Configure TS and TD Certificates for AD FS to update the token signing certificate.
Error accessing application federated with AD FS
What does this guide do?
This workflow helps to resolve sign-in issues for applications federated with Active Directory Federation Services (AD FS). Use this workflow if users are getting an error in an application federated with AD FS.
Who is the target audience?
AD FS Administrator, Application administrator
How does it work?
We’ll begin by asking you for the symptom, and then we’ll take you through a series of troubleshooting steps that are specific to your situation.
Check token signing (TS) certificate validity
Check federated application settings for token signing algorithm
Is there a signing algorithm mismatch?
Determine the ADFS RP Signing Algorithm configuration
Run Get-ADFSRelyingPartyTrust -Name <RPName> | FL SignatureAlgorithm
The result will show whether the relying party trust is configured for SHA1 or SHA256
Determine the application requirement
Contact the application owner / administrator to ensure that the signing algorithm is correctly configured for the federated application as per the AD FS settings.
Match the NameID in the claims with the application configuration
Dump RP Issuance Transform Rules
- Run (Get-ADFSRelyingPartyTrust -Name <RP_Name>).IssuanceTransformRules
Find the rule that issues the NameIdentifier claim and review its Value and Properties
- The NameID property is specified with the following syntax: Properties["property-type-URI"] = "value-URI"
EXAMPLE: c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
There are a few formats to note for NameIdentifier:
- [default] urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Match the defined NameIdentifier format required by the Application / RP
To configure the NameIdentifier claim type to use the appropriate Format:
- Open the ADFS management console
- Expand Relying Party Trusts and then select the appropriate federation partner
- In the Actions, click Edit Claims Issuance Policy
- Add a new rule, or modify an existing rule as needed
Once the NameID format has been determined and configured, confirm the resulting set of claims using AD FS Help Claims X-Ray
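As an added example that is not part of the original guide, the following read-only PowerShell script performs the three checks described above (token signing certificate validity, relying party signing algorithm, and NameID format in the issuance transform rules) against one relying party trust and reports mismatches. It assumes it is run on an AD FS server with the ADFS module; the $RpName, $ExpectedAlgorithm and $ExpectedNameIdFormat values are placeholders to be replaced with what the application owner requires.

```powershell
# Added example, not from the AD FS Help guide. Read-only: it changes nothing.
# Placeholders: $RpName, $ExpectedAlgorithm and $ExpectedNameIdFormat are assumptions
# for illustration; set them to the values the application owner requires.
param(
    [string]$RpName               = "REPLACE-WITH-RP-DISPLAY-NAME",
    [string]$ExpectedAlgorithm    = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    [string]$ExpectedNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
)

Import-Module ADFS

# 1. Token signing certificate: check Validity Start / Validity End of the primary cert
$ts  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$now = Get-Date
if ($ts.Certificate.NotBefore -gt $now -or $ts.Certificate.NotAfter -lt $now) {
    Write-Warning ("Token signing cert {0} is NOT valid now (valid {1} to {2})" -f `
        $ts.Thumbprint, $ts.Certificate.NotBefore, $ts.Certificate.NotAfter)
} else {
    Write-Output ("Token signing cert {0} is valid until {1}" -f $ts.Thumbprint, $ts.Certificate.NotAfter)
}

# 2. Signing algorithm on the relying party trust vs. what the application expects
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }
if ($rp.SignatureAlgorithm -ne $ExpectedAlgorithm) {
    Write-Warning "SignatureAlgorithm is $($rp.SignatureAlgorithm); application expects $ExpectedAlgorithm"
} else {
    Write-Output "SignatureAlgorithm matches: $($rp.SignatureAlgorithm)"
}

# 3. NameID format: find the rule that issues the nameidentifier claim and read the
#    Properties["...claimproperties/format"] value. Rules are split at the terminating
#    semicolon at end of line so semicolons inside LDAP query strings are left alone.
$rules = $rp.IssuanceTransformRules -split ';\s*(?:\r?\n|$)'
$nameIdRule = $rules | Where-Object { $_ -match 'claims/nameidentifier' } | Select-Object -First 1
if (-not $nameIdRule) {
    Write-Warning "No issuance transform rule issues the nameidentifier claim"
} elseif ($nameIdRule -match 'Properties\["[^"]*claimproperties/format"\]\s*=\s*"([^"]+)"') {
    $format = $Matches[1]
    if ($format -ne $ExpectedNameIdFormat) {
        Write-Warning "NameID format is $format; application expects $ExpectedNameIdFormat"
    } else {
        Write-Output "NameID format matches: $format"
    }
} else {
    Write-Output "nameidentifier rule sets no explicit format; AD FS issues the default (unspecified)"
}
```

Run it with the parameters supplied on the command line (for example -RpName "<RP display name>"), then confirm the actual issued claims with AD FS Help Claims X-Ray as the step above describes.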