Error: Unable to log in using IDP. 'NAME_ID' not found in SAML response for AD FS

Error Message

When using the Active Directory Federation Services (AD FS) SAML IDP, the following error is returned when trying to log in to ArcGIS Enterprise portal via SAML logins:

Unable to log in using Idp. 'NAME_ID' not found in SAML response

Cause

The <Subject> element of the SAML assertion that AD FS returns does not contain a <NameID> element. Portal for ArcGIS reads the NameID value to identify the user, so the login is rejected when it is absent. This usually means the relying party trust created for the portal has no claim rule that issues the Name ID claim.

Solution or Workaround

  1. Open the AD FS Management console.
  2. Select Relying Party Trusts, then select the relying party trust (SP) that corresponds to your enterprise portal.
  3. In the Actions pane, click Edit Claim Issuance Policy (AD FS 4.0, Windows Server 2016) or Edit Claim Rules (AD FS 3.0, Windows Server 2012 R2). On the Issuance Transform Rules tab, select the rule that sends claims to the portal and click Edit Rule.
  4. In the Edit Rule window, click View Rule Language.
  5. Verify that a rule issues the Name ID claim, that is, an issue(...) statement whose Type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  6. If no rule issues this claim, add one: click Add Rule, choose the Transform an Incoming Claim template, select the incoming claim to map (for example UPN or E-Mail Address, matching the attribute your portal usernames were created from), and choose Name ID from the Outgoing claim type drop-down list. Whatever claim you map, it must be unique and stable for each user, because the portal treats the NameID value as the user's identity; a value that can change or be reassigned to another person lets that person inherit the original user's portal account.
  7. Apply the change and log in to the portal again. The assertion should now carry a <NameID> element inside <Subject>; you can confirm this by Base64-decoding the SAMLResponse parameter captured in the browser's developer tools.
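The same check and fix can be done from PowerShell on the AD FS server. The script below is an added example, not part of the Esri article or of AD FS itself: it reads the issuance transform rules of the portal's relying party trust, looks for a rule that issues the nameidentifier claim, and appends a rule set only when none exists. The relying party display name (ArcGIS Enterprise Portal), the choice of userPrincipalName as the source attribute, and the rule names are assumptions; replace them with the values used in your deployment.

```powershell
# Added example (not from the Esri article): inspect and repair the Name ID
# claim rule for the portal's relying party trust on an AD FS server.
# Assumptions: elevated PowerShell on the AD FS server with the ADFS module
# available; $RpName is the display name of the portal's relying party trust.
Import-Module ADFS

$RpName     = 'ArcGIS Enterprise Portal'   # assumption: your RPT display name
$NameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$UpnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

$rpt = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rpt) { throw "Relying party trust '$RpName' not found" }

# Steps 4 and 5 of the article, done from the shell: dump the rule language
# and look for an issue(...) whose Type is the nameidentifier claim.
$rules = [string]$rpt.IssuanceTransformRules
Write-Host "Current issuance transform rules for '$RpName':`n$rules"

if ($rules -match [regex]::Escape($NameIdType)) {
    Write-Host 'A rule already issues the Name ID claim; check its input claim instead.'
    return
}

# Step 6: append a rule set that sends userPrincipalName as the UPN claim and
# then transforms UPN into Name ID (the same rule language the console wizard
# generates). UPN is an assumption: use the attribute your portal usernames
# were created from, and make sure it is unique and stable per user.
$newRules = @"

@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN for portal"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnType"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Issue Name ID from UPN"
c:[Type == "$UpnType"]
 => issue(Type = "$NameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules ($rules + $newRules)
Write-Host 'Name ID rule added. Re-test the SAML login and confirm <NameID> appears under <Subject>.'
```

If the existing policy already sends the UPN claim, drop the first LdapClaims rule from the here-string and keep only the MapClaims rule; AD FS makes claims issued by earlier rules in the set available to later ones, so the transform rule must come after whichever rule produces its input claim.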

Last Published: 7/22/2021

Article ID: 000026098

Software: Portal for ArcGIS 10.9, 10.8.1, 10.8, 10.7.1, 10.7