When Active Directory Federation Services (AD FS) is used as the SAML identity provider (IdP), the following error is returned when a user attempts to log in to the ArcGIS Enterprise portal with a SAML login:
Unable to log in using Idp. 'NAME_ID' not found in SAML response
Cause
The SAML NameID element is missing from the <Subject> element of the assertion in the SAML response. The portal relies on NameID to identify the user, so a response without it is rejected.
Solution or Workaround
- Open the AD FS management console.
- Select Relying Party Trusts. In the Relying Party Trusts window, select the SP corresponding to your enterprise portal.
- On the Actions tab, click Edit Claim Issuance Policy (AD FS 4) or Edit Claim Rules (AD FS 3), select the issuance transform rule, and click Edit Rule.
- In the Edit Rule window, click View Rule Language.
- Verify that the Name ID claim is issued with the claim type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- If no rule issues this claim type, add a new claim for the Name ID attribute. For the Outgoing claim type, choose Name ID from the drop-down list; AD FS then places the value in the <NameID> element of the assertion's <Subject>.
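To confirm whether the change took effect, it helps to look at the actual SAML response rather than only the AD FS rule editor. The following script is an added example (not Esri or Microsoft code) that decodes a captured SAMLResponse form value and reports whether the assertion's <Subject> carries a <NameID>, along with the attribute claim types that were sent. The two responses embedded below are constructed samples, and the issuer URL in them is a placeholder.

```python
"""Check a SAML 2.0 Response for the <Subject>/<NameID> element that the
ArcGIS Enterprise portal requires. Added example; not Esri's or Microsoft's code."""
import base64
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Claim type AD FS uses for the Name ID outgoing claim (from the article).
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed sample: AD FS issued a Name ID claim, so <NameID> is present.
SAML_RESPONSE_OK = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: no Name ID claim rule, so <Subject> has no <NameID>.
SAML_RESPONSE_MISSING = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(saml_response_b64: str) -> str:
    """The SAMLResponse POST field is base64-encoded XML; return the XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_name_id(response_xml: str) -> dict:
    """Report whether the assertion's <Subject> contains a <NameID>."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion must be decrypted by the SP before this check applies.
        return {"has_name_id": False, "name_id": None, "name_id_format": None,
                "attributes": [], "diagnosis": "no plaintext <Assertion> in response"}

    attributes = [a.get("Name") for a in
                  assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        diagnosis = ("<Subject> has no <NameID>: add a claim rule whose outgoing "
                     f"claim type is Name ID ({NAMEID_CLAIM})")
        return {"has_name_id": False, "name_id": None, "name_id_format": None,
                "attributes": attributes, "diagnosis": diagnosis}
    return {"has_name_id": True, "name_id": name_id.text.strip(),
            "name_id_format": name_id.get("Format"),
            "attributes": attributes, "diagnosis": "ok"}


def check_name_id_b64(saml_response_b64: str) -> dict:
    """Convenience wrapper for a raw SAMLResponse form value."""
    return check_name_id(decode_saml_response(saml_response_b64))


if __name__ == "__main__":
    for label, xml_text in (("ok", SAML_RESPONSE_OK), ("missing", SAML_RESPONSE_MISSING)):
        print(label, check_name_id(xml_text)["diagnosis"])
```

The SAMLResponse value can be copied from the browser's developer tools (the POST to the portal's SAML endpoint) or from a SAML-tracing browser extension; pass it to check_name_id_b64. A response that reports "ok" but still fails at the portal points to a different cause than the missing NameID described here.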