Configure SSO at a VP teamwork server with ADFS using SAML 2.0

We would like to integrate our VP teamwork server running on premises with our Microsoft ADFS server on-premises.

We have tried the integration but we are getting the following errors in VP server log:
InvalidNameIDPolicy (see below).

I have searched the Internet and there are several articles on adding the right claim rules that can fix this.
We have tried several of them, but it keeps failing.
1. Create an LDAP claim mapping email address to the email address claim type.
2. Create a transform rule mapping the incoming email to the outgoing NameID.

So my question: is there any instruction / how-to to set up SSO on a VP teamwork server with on-premises ADFS servers using SAML 2.0?

[2021/03/10 11:42:17] [error]
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></samlp:StatusCode></samlp:Status></samlp:Response>

Greetz,
Hanko

Dear Hanko,

Thank you for your post. I have relayed your case to our engineers to study. When there is any feedback, I will let you know.

Best regards,
Jick Yeung

Hi Hanko,

Would you study this guide to confirm the configuration of the SAML integration?

Hi Mercus, thanks for your reply and sharing the document.
I have already studied this document but it is not of much help because our use case is different.
We are using ADFS as our Identity Provider (IdP) and the configuration is a bit different.
You need to add a claims aware relying party trust in ADFS.

The next step is to upload the ADFS metadata document to the VP Team Server, and it technically should work.
However I am getting this Invalid ID Name Policy when I apply the metadata file. This seems to be a very common error if you search the internet and you need to add some claim rules to transform the ID name to the right format.
Here is an example if you want to connect to Oracle Cloud where you have to add these two claim rules.
We applied this logic but still facing the same Invalid ID Name Policy error.

It would be great if there were some documentation available on how to do this with ADFS.

Greetz,
Hanko

Well, I have got good news. We managed to get our VP teamwork server integrated with our ADFS server using SAML 2.0.
You need to follow the steps in the Microsoft guidance document pasted in the thread, “Create a Relying Party Trust”.
The next step is to define the claim rules that will allow you to connect to the ADFS server successfully.

You need to add two claim rules:

  1. Send LDAP attributes as claims: create a rule with the attribute store “Active Directory” and map the LDAP attribute “E-mail-Addresses” to the outgoing claim type UPN.

  2. Transform an Incoming claim:
    Incoming Claim Type: UPN
    Outgoing claim type: Name ID
    Outgoing name ID format: Email

It is also described in the link below, but only replace uid with UPN when you are following this guidance.
https://www.peppercrew.nl/2017/12/adfs-3-0-versus-php-simplesaml/

Greetz,
Hanko

1 Like