SAML error "InvalidNameIDPolicy" (MSIS7070) during SSO login

Attempts to log in through Single Sign-On (SSO) result in the following error:

Error: urn:oasis:names:tc:SAML:2.0:status:Requester

The full error message is:

{"error": "The IdP sent the status code 'urn:oasis:names:tc:SAML:2.0:status:Requester'. The optional second-level status code was 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'. See paragraph 3.2.2.2 of the SAML specification for more information."}

The ADFS log shows this error:

MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False, Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, SPNameQualifier: (none). Actual NameID properties: null.

Causes and solutions

Cause 1

The account does not have an email address in Active Directory.

Solution 1

Do one of the following:

  • Add an email address to the affected user in Active Directory.
  • Log in with a Zivver account that corresponds to a user in Active Directory with an email address.

Cause 2

There is a problem with the ADFS claim rules.

Solution 2

Split the first claim rule (often named AD Attributes) into two separate claim rules.

To do this:

  1. Create one claim rule that maps the LDAP attribute ObjectGUID to the outgoing claim type https://zivver.com/SAML/Attributes/ZivverAccountKey.
  2. Create a second claim rule that maps the LDAP attribute E-mail Addresses to the outgoing claim type E-Mail Address.
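As an added example (not part of the original article), the PowerShell below, run on the ADFS server, first checks whether the affected account has a mail attribute (Cause 1) and then applies the two split LDAP claim rules from Solution 2. The user name `jdoe`, the trust name `Zivver` and the rule names are placeholder assumptions; the ActiveDirectory and ADFS modules are assumed to be installed.

```powershell
# Added example: assumes the ActiveDirectory and ADFS PowerShell modules on the ADFS server.
# Placeholder values (assumptions, replace with your own):
$User      = 'jdoe'     # sAMAccountName of the affected account
$TrustName = 'Zivver'   # display name of the Zivver relying party trust

Import-Module ActiveDirectory
Import-Module ADFS

# --- Cause 1: the account has no email address in Active Directory ---
$adUser = Get-ADUser -Identity $User -Properties mail
if ([string]::IsNullOrWhiteSpace($adUser.mail)) {
    Write-Warning "$User has no 'mail' attribute; ADFS cannot satisfy the emailAddress NameIDPolicy (MSIS7070)."
} else {
    Write-Host "$User mail attribute: $($adUser.mail)"
}

# --- Cause 2: split the combined 'AD Attributes' LDAP rule into two rules ---
# Rule 1: LDAP objectGUID -> https://zivver.com/SAML/Attributes/ZivverAccountKey
# Rule 2: LDAP mail       -> E-Mail Address
$splitRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Zivver Account Key"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://zivver.com/SAML/Attributes/ZivverAccountKey"), query = ";objectGUID;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Back up the current rule set first: -IssuanceTransformRules replaces ALL issuance rules,
# so any other rules the trust already has must be appended to $splitRules before applying.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust.IssuanceTransformRules | Out-File -FilePath ".\$TrustName-rules.backup.txt"
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $splitRules
```

After applying the rules, retry the SSO login and confirm that the ADFS event log no longer reports MSIS7070 for the account.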