
Monday, January 18, 2021

Attempting to log into Freshservice configured with ADFS fails with: "Login was unsuccessful! - Validation Failed : ["The status code of the Response was not Success, was Requester => InvalidNameIDPolicy"]"

Problem

You’ve finished configuring Freshservice against your on-premises AD FS so that users can log into the portal with their Active Directory credentials, following this documentation:

Configuring ADFS for Freshservice with SAML 2.0
https://support.freshservice.com/support/solutions/articles/226938-configuring-adfs-for-freshservice-with-saml-2-0

However, after the user enters valid Active Directory credentials on the AD FS login page, the redirect back to the Freshservice portal fails with:

Login was unsuccessful! - Validation Failed : ["The status code of the Response was not Success, was Requester => InvalidNameIDPolicy"]


Reviewing the event logs of the AD FS server reveals the following event ID 364 logged:

Encountered error during federation passive request.

Additional Data
Protocol Name:
Saml
Relying Party:
https://helpdesk.contoso.com
Exception details:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


An event ID 321 is also logged:

The SAML authentication request had a NameID Policy that could not be satisfied.

Requestor: https://helpdesk.contoso.com
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:

Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.

This request failed.

User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.


Solution

A ticket was opened with Freshservice, but the support engineer was unable to resolve the issue, so I reviewed the configuration myself and looked closely at the Issuance Transform Rules of the relying party trust:


I then read the documentation provided by Freshservice, which states that the user’s email address acts as the user name in Freshservice:

https://support.freshservice.com/support/solutions/articles/193635-single-sign-on-for-freshservice-using-saml

Attribute       Attribute Name   Required?   Description
Email Address   NameID           Yes         Email address of the user will act as the user name in Freshservice. When a new user logs in, Freshservice will create an account using this Email address automatically.


The client in this environment had originally deployed Office 365 without AD Connect, so their user accounts in Active Directory did not have the E-mail attribute populated:


This turned out to be the cause of the error: with the E-mail attribute empty, the NameID that AD FS would pass to Freshservice as the e-mail address was blank, which is why the event shows "Actual NameID properties: null". Populating the user’s E-mail attribute corrected the issue.
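The following PowerShell is an added example, not part of the original post or of Freshservice's documentation. It is a pre-flight check for the scenario above: it confirms the relying party trust in AD FS has a rule emitting NameID in the emailAddress format the Freshservice AuthnRequest asks for, then lists the Active Directory accounts whose E-mail attribute is empty (the accounts that would hit MSIS7070 / InvalidNameIDPolicy), and finally shows a dry-run remediation. The trust name, the group name and the choice of deriving the mail value from the UPN are assumptions; adjust them to your environment. Run it on the AD FS server with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original post): pre-flight check for a
# Freshservice relying party trust whose NameID is mapped from the AD
# E-mail attribute. Requires the ADFS and ActiveDirectory modules.
Import-Module ADFS
Import-Module ActiveDirectory

$TrustName = 'Freshservice'        # assumed display name of the relying party trust
$SsoGroup  = 'Freshservice-Users'  # assumed AD group whose members sign in via SAML
$EmailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# 1. Confirm the trust has an issuance transform rule that emits the
#    nameidentifier claim in the emailAddress format requested by the SP.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

$rules = $trust.IssuanceTransformRules
$emitsNameId = ($rules -match 'nameidentifier') -and ($rules -match [regex]::Escape($EmailFormat))
if ($emitsNameId) {
    Write-Host "OK: '$TrustName' has a rule emitting NameID in emailAddress format"
} else {
    Write-Warning "No rule emits NameID in emailAddress format; every login would fail with MSIS7070"
}

# 2. Find accounts that would still fail: the rule maps the 'mail' attribute
#    (E-mail Addresses) into NameID, so an empty attribute yields no NameID and
#    AD FS answers the request with Requester => InvalidNameIDPolicy.
$missing = Get-ADGroupMember -Identity $SsoGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail |
    Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }

if ($missing) {
    Write-Warning "$(@($missing).Count) account(s) have no E-mail attribute and would get InvalidNameIDPolicy:"
    $missing | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "OK: all members of '$SsoGroup' have an E-mail attribute"
}

# 3. Dry-run remediation (assumption: the UPN is the address Freshservice
#    should see). -WhatIf only reports the change; remove it after reviewing
#    the list, since Freshservice will create accounts keyed on this value.
$missing | ForEach-Object {
    Set-ADUser -Identity $_ -EmailAddress $_.UserPrincipalName -WhatIf
}
```

Step 2 is the check worth running before every onboarding wave: because Freshservice creates the account from the NameID on first login, an account that reaches AD FS without an E-mail attribute fails at the identity provider rather than at the portal, which is why the only visible symptom is the InvalidNameIDPolicy status in the response.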

In addition to the issue above, some accounts began displaying the following error message after their E-mail attribute was populated:

If you get a Login Unsuccessful

This was caused by a contact that already existed in Freshservice for that user, and it could be remediated by navigating to User Management > Contacts and deleting the existing object:
