Error accessing application federated with AD FS - Troubleshooting Guide

Step 1

Check token signing (TS) certificate validity

Use AD FS Help Claims X-Ray to authenticate against AD FS
In the output, expand the section Token Signing Certificate to get the thumbprint and Token Signing certificate
Check the Validity Start and Validity End dates
If the certificate has expired and is not valid, follow the instructions at Obtain and Configure TS and TD Certificates for AD FS to update the token signing certificate.

Is the token signing certificate valid?

Yes No, but I have updated it using the information above.

Step 1

Check federated application settings for token signing algorithm

Contact the application administrator and confirm if the token signing algorithm configured is same as the one observed in AD FS configuration.

Was the token signing certificate misconfigured?

Yes, and now it is fixed with the above steps. No, the issue still persists.

Step 1

Is there a signing algorithm mismatch

Determine the ADFS RP Signing Algorithm configuration

Run, Get-ADFSRelyingPartyTrust -Name <RPName> | FL SignatureAlgorithm

The results will be SHA1 or SHA256

SHA1 http://www.w3.org/2001/04/xmldsig#rsa-sha1

SHA256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Determine the application requirement

Contact the application owner / administrator to ensure that the signing algorithm is correctly configured for the federated application as per the AD FS settings.

Is the issue resolved?

Yes No

Step 1

Match the NameID in the claims with the application configuration

Dump RP Issuance Transform Rules

Run (Get-ADFSRelyingPartyTrust -Name <RP_Name>).IssuanceTransformRules

Find the rule that issues the NameIdentifier claim and review the claim Value Properties

The NameID property is specified with the following syntax: Properties["property-type-URI"] = "value-URI"

EXAMPLE: c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

There are a few formats to note for NameIdentifier:

[default] urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Match the defined NameIdentifier format required by the Application / RP

To configure the NameIdentifier claim type to use the appropriate Format:

Open the ADFS management console
Expand Relying Party Trusts and then select the appropriate federation partner
In the Actions, click Edit Claims Issuance Policy
Add a new Rule, or Modify an existing Rule as needed

Once NameID format has been deterined and configured, confirm the resulting set of claims using AD FS Help Claims X-Ray

Is the issue resolved?

Yes No

Step 1

Successful

Congratulations! Your issue has been solved.

Step 1

Problem not solved

We are sorry that the problem persists. We'd appreciate it if you can provide feedback with details of your issue so that we can improve the troubleshooting workflows.