SAML error "urn:oasis:names:tc:SAML:2.0:status:Requester" (ADFS event MSIS7070) at SSO login

Attempts to log in through single sign-on (SSO) fail with

Error: urn:oasis:names:tc:SAML:2.0:status:Requester

The full error returned by the service provider is as follows.

{"error": "The IdP sent us the status code 'urn:oasis:names:tc:SAML:2.0:status:Requester'. The optional second-level status code was: 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'. Consult paragraph 3.2.2.2 of the SAML spec for more info.

The ADFS log (AD FS Admin event log) shows this error:

MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.

In other words: the service provider's authentication request requires a NameID in the emailAddress format, but the token ADFS built for the user contains no NameID at all, so ADFS answers with the Requester / InvalidNameIDPolicy status instead of issuing the token.

Causes and solutions

Cause 1

The user account has no e-mail address (the mail attribute) in Active Directory, so ADFS has nothing to put in the emailAddress NameID.

Solution 1

Do one of these two actions.

  - Add the e-mail address to the affected user in Active Directory.
  - Log in with a Zivver account for which the corresponding user in Active Directory does have an e-mail address.

Cause 2

The ADFS claim rules for the Zivver relying party trust are misconfigured: the ObjectGUID and e-mail address attributes are mapped in one combined claim rule, so the e-mail address claim that the NameID depends on is not issued correctly.

Solution 2

Split the first claim rule of the relying party trust into two separate claim rules. This combined rule is often named AD Attributes.

To do this:

  1. Create one claim rule that maps the LDAP attribute ObjectGUID to the outgoing claim type https://zivver.com/SAML/Attributes/ZivverAccountKey.
  2. Create a second claim rule that maps the LDAP attribute E-mail Addresses to the Outgoing Claim Type E-Mail Address.
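The following PowerShell script is an added example and is not part of the original article or of Zivver's own configuration. It checks Cause 1 (does the user have a mail attribute?) and applies Solution 2 by replacing the combined "AD Attributes" rule with two separate LDAP claim rules, written in the ADFS claim rule language that the GUI generates for the "Send LDAP Attributes as Claims" template. It assumes a relying party trust named "Zivver" and an affected user "jdoe"; both names are assumptions. It also includes a third "Transform an incoming claim" rule that turns the E-Mail Address claim into a Name ID with the emailAddress format; the article does not list that rule, but it is what actually populates the NameID the MSIS7070 event reports as null, so if your trust already contains such a rule keep it and do not add a duplicate.

```powershell
# Added example (not from the article): verify Cause 1 and apply Solution 2 from the ADFS server.
# Assumptions, not stated on the page: the relying party trust is named "Zivver", the affected user
# is "jdoe", and the GUI attribute "E-mail Addresses" corresponds to the AD "mail" attribute.
# Run in an elevated PowerShell on the ADFS server; Get-ADUser needs the RSAT ActiveDirectory module.

Import-Module ActiveDirectory
Import-Module ADFS

$RelyingParty   = 'Zivver'   # assumed display name of the relying party trust
$SamAccountName = 'jdoe'     # assumed affected user

# --- Cause 1 check: does the user have an e-mail address in Active Directory? ---
$user = Get-ADUser -Identity $SamAccountName -Properties mail
if ([string]::IsNullOrWhiteSpace($user.mail)) {
    Write-Warning "$SamAccountName has no mail attribute; ADFS cannot issue an emailAddress NameID."
    # Solution 1 would be to set it, e.g. (address is a placeholder for the example):
    # Set-ADUser -Identity $SamAccountName -EmailAddress 'jdoe@example.com'
} else {
    Write-Host "mail attribute for $SamAccountName is $($user.mail)"
}

# --- Cause 2 check: look at the rules currently issued for the trust ---
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
Write-Host "Current issuance transform rules for ${RelyingParty}:"
Write-Host $rp.IssuanceTransformRules

# --- Solution 2: one LDAP rule per attribute instead of a single combined "AD Attributes" rule ---
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ObjectGUID to ZivverAccountKey"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://zivver.com/SAML/Attributes/ZivverAccountKey"), query = ";objectGUID;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "E-mail Addresses to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Set-AdfsRelyingPartyTrust replaces the whole rule set: merge any other existing rules into $rules first.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $rules

# Confirm what ADFS will now issue for the trust.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules
```

After applying the rules, retry the SSO login and check the AD FS Admin event log: if MSIS7070 still appears with "Actual NameID properties: null", the token is still missing the Name ID claim, which points back to Cause 1 (no mail attribute for that user) or to a Name ID transform rule that is absent or has the wrong format property.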