Failed to login to AD FS with the error: "The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)"

Issue:

When trying to login to AD FS from CPM, you may receive an error:

"The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)"

The same error can be found in the CPM logs:

ERROR: complete_directory_service_signin(additional_views.py:1605) login failed. reason: The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)

In the AD FS event logs the following error appears:

event id 321:

"The SAML authentication request had a NameID Policy that could not be satisfied.

Requestor:

Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

SPNameQualifier:

Exception details:

MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier: SPNameQualifier: , SPProvidedId: ."

Description:

The issue is caused by a wrong NameID format specified in the CPM configuration for an identity provider.

Resolution:

Please go to "General Settings" on the CPM, and choose an identity provider settings. Make sure the NameID format is set to "unspecified".

Related Articles
How to Integrate CPM with ADFS to allow Idp logins from windows AD users
Background: This How-To guide will outline how to configure CPM and a windows ADFS server to allow IdP logins. Before you get started you will need to check the prerequisites. This is very important. If they are not met or the Domain and any of the ...
CPM server may display error "Signature validation failed. SAML Response rejected"
During login via Identity Provider on the sign on page or during the Test Connection, CPM server may display error message: login failed. reason: Signature validation failed. SAML Response rejected (invalid_response) You may find corresponding errors ...
Login to the CPM using an IDP may fail with the "Invalid issuer" error message
If you're using an IDP, login to the CPM may fail with the following error message: login failed. reason: Invalid issuer in the Assertion/Response (invalid_response): It also may be found in the cpm_server.log: ERROR: ...
SAML Identity Provider user log in issues
Description: This KB article describes several scenarios that could happen when SAML based Identity Provider is used to provide log in requests for the CPM. Scenario 1 User tries to log in to the CPM when he belongs to cpm_<groupname> group in the ...
Failed to open IdP login page or to test connection with the errors: "HTTP Error 503. The service is unavailable." or "404 - File or directory not found."
Issue: When trying to connect to IdP from CPM, you may receive errors: "HTTP Error 503. The service is unavailable." or "404 - File or directory not found." There are no errors in the AD FS event log or OKTA System logs, as well as CPM logs. ...

Failed to login to AD FS with the error: "The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)"

Failed to login to AD FS with the error: "The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy (invalid_response)"

Related Articles

How to Integrate CPM with ADFS to allow Idp logins from windows AD users

CPM server may display error "Signature validation failed. SAML Response rejected"

Login to the CPM using an IDP may fail with the "Invalid issuer" error message

SAML Identity Provider user log in issues

Failed to open IdP login page or to test connection with the errors: "HTTP Error 503. The service is unavailable." or "404 - File or directory not found."