I am working on a SAML integration with some monitoring software, but I keep receiving the MSIS7070 error below. I have tried numerous transform combinations with no luck. I am certain this is something relatively easy to fix, but my AD FS knowledge is minimal. I am guessing it has something to do with my claim issuance policy? I am trying to send the email address back to the SP. I ensured that the account I am testing with has an email associated with it. Any guidance would be appreciated.
Service provider requirements:
SP specifies urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress for the format of the NameIDPolicy in assertion requests.
Event Viewer error
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
Rule Language
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"), query = ";mail;{0}", param = c.Value);