Issue:
When trying to log in to AD FS from CPM, you may receive the following error:
"The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)"
The same error can be found in the CPM logs:
ERROR: complete_directory_service_signin(additional_views.py:1605) login failed. reason: The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)
In the AD FS event logs the following error appears (Event ID 321):
"The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor:
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier: SPNameQualifier: , SPProvidedId: ."
Description:
The issue is caused by a NameID format mismatch in the CPM identity provider configuration. The SAML authentication request that CPM sends to AD FS carries a NameIDPolicy asking for the WindowsDomainQualifiedName format (see the event details above), but the token AD FS issues for this relying party contains a NameID in the unspecified format. Because the issued NameID cannot satisfy the requested NameIDPolicy, AD FS returns a Requester/InvalidNameIDPolicy status instead of an assertion, and CPM rejects the response as invalid.
Resolution:
Go to "General Settings" on the CPM, open the settings of the affected identity provider and make sure the NameID format is set to "unspecified". A request whose NameIDPolicy format is unspecified accepts whatever NameID format the identity provider issues, so the policy is satisfied by the token AD FS already produces. After saving the change, retry the login and confirm that no new Event ID 321 is logged on the AD FS server.
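To show why the NameIDPolicy in the request and the NameID in the issued token must agree, here is an added diagnostic script. It is not CPM or AD FS code: it parses a constructed AuthnRequest and two constructed AD FS-style Responses (one failed with the nested Requester -> InvalidNameIDPolicy status from this article, one successful with a NameID in the unspecified format) and reports whether the requested policy is satisfied. Issuer URLs, IDs and the sample account name are placeholders.

```python
"""Added diagnostic for the SAML NameIDPolicy mismatch described above.

Not CPM or AD FS code: it parses a constructed AuthnRequest and Response and
reports why the IdP answered Requester -> InvalidNameIDPolicy.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_WINDOWS_DQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"


def build_authn_request(nameid_format: str) -> str:
    """Constructed SP request; the issuer and ID values are placeholders, not CPM's."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="{nameid_format}"/>
</samlp:AuthnRequest>"""


# Constructed failure in the shape AD FS returns: nested StatusCode Requester -> InvalidNameIDPolicy.
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_REQUESTER}">
      <samlp:StatusCode Value="{STATUS_INVALID_NAMEID_POLICY}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed success: the issued NameID uses the unspecified format, as in the MSIS7070 details.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{FMT_UNSPECIFIED}">EXAMPLE\\jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """Format the SP asked for; None when the request carries no NameIDPolicy at all."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """(top-level status, nested status); AD FS nests InvalidNameIDPolicy under Requester."""
    top = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    return top.get("Value"), (None if sub is None else sub.get("Value"))


def issued_nameid_format(response_xml: str) -> Optional[str]:
    """Format of the NameID in the assertion; SAML 2.0 treats a missing Format as unspecified."""
    nameid = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return None if nameid is None else nameid.get("Format", FMT_UNSPECIFIED)


def policy_satisfied(requested: Optional[str], issued: Optional[str]) -> bool:
    """No policy, or Format=unspecified, accepts any NameID; any other format must match exactly."""
    if requested is None or requested == FMT_UNSPECIFIED:
        return True
    return requested == issued


def diagnose(authn_request_xml: str, response_xml: str) -> str:
    """Explain a Response in terms of the NameIDPolicy the request carried."""
    requested = requested_nameid_format(authn_request_xml)
    top, sub = response_status(response_xml)
    if top == STATUS_SUCCESS:
        issued = issued_nameid_format(response_xml)
        if policy_satisfied(requested, issued):
            return "ok"
        # The IdP issued a NameID the policy did not allow; a strict SP should reject this too.
        return f"policy violated: requested {requested}, got {issued}"
    if sub == STATUS_INVALID_NAMEID_POLICY:
        return (f"InvalidNameIDPolicy: request demanded {requested}; "
                f"set the SP's NameID format to {FMT_UNSPECIFIED} "
                f"or configure the IdP to issue {requested}")
    return f"failed: {top} -> {sub}"


if __name__ == "__main__":
    print(diagnose(build_authn_request(FMT_WINDOWS_DQN), FAILED_RESPONSE))
    print(diagnose(build_authn_request(FMT_UNSPECIFIED), SUCCESS_RESPONSE))
```

The same check can be run against a real exchange by capturing the base64-decoded SAMLRequest and SAMLResponse from the browser and passing them to diagnose(); the nested status code is what the CPM log line "Requester -> InvalidNameIDPolicy" is reporting.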