ADFS + OpenID Connect email claim and external ADFS

I'm having difficulties setting up ADFS with OpenID Connect on Windows Server 2016.

I've set up AD for testing and I can successfully authenticate, however the email claim is not in the id token.

Additionally, I've set up an external ADFS in the Claims Provider trust. It is displayed as an option, however upon logging in I get the error:

    MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.

Anybody have suggestions on how to fix this?



Solution 1:[1]

To solve the problem with the missing AnchorClaimType parameter for additionally added Claims Provider Trusts (CPTs), a workaround for Windows Server 2016 TP5 (until end of support) can be used.

Workaround:

  1. If the CPT already exists, delete the CPT.
  2. Use the PowerShell command Add-AdfsClaimsProviderTrust
    • Either parameter-wise (see the TechNet description)
    • Or using a metadata URL + the parameter -AnchorClaimType "yourAnchorClaimValue".
  3. Create at least one inbound rule that passes through the value for the primary input claim.

In my case the following PS command solved the problem:

    # Display name of the Claims Provider Trust to (re)create
    [String]$ClaimProviderTrustName = "YourCPTName"
    # Federation metadata URL of the external ADFS
    [String]$MetaDataURL = "https://..."
    # Claim type AD FS uses as the anchor (primary) claim for users from this CPT
    [String]$AnchorClaimType = "YourAnchorClaimValue"
    Add-AdfsClaimsProviderTrust -Name $ClaimProviderTrustName -MetadataUrl $MetaDataURL -AnchorClaimType $AnchorClaimType

Solution 2:[2]

I work at Microsoft. My customer had this same error. This is how we fixed it. We used Claims X-Ray. We had them do a login with an identity from Active Directory and then do a login with an identity that uses an external claims provider trust.

When we compared the Claims X-Ray output, the value for anchorclaimtype didn't look right on the claims provider trust test login. We made a change in the claims provider to issue http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the anchor claim type and it resolved the problem.

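The following script is an added example, not code from either answer above. It carries out the three steps of Solution 1 end to end (delete an existing CPT, re-add it from metadata with -AnchorClaimType, add a pass-through acceptance rule for the anchor claim) using the email address claim type that Solution 2 found to resolve MSIS9642, and then checks the resulting trust object so that a missing anchor claim type or missing inbound rule is caught before the next test login. The trust name and the metadata URL are placeholders; the cmdlets (Get-/Remove-/Add-/Set-AdfsClaimsProviderTrust) are the standard ADFS module cmdlets and are run in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the original answers). Assumed values:
#   $CptName     - display name of the external ADFS Claims Provider Trust
#   $MetadataUrl - federation metadata URL of that external ADFS
Import-Module ADFS

$CptName         = "ExternalADFS"   # assumed
$MetadataUrl     = "https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml"   # assumed
# Claim type used as the anchor claim; Solution 2 reports this value resolved MSIS9642.
$AnchorClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Step 1: if the CPT already exists, delete it so it can be re-added with the anchor claim type.
if (Get-AdfsClaimsProviderTrust -Name $CptName -ErrorAction SilentlyContinue) {
    Remove-AdfsClaimsProviderTrust -TargetName $CptName
}

# Step 2: re-add the trust from its metadata URL, declaring the anchor claim type up front.
Add-AdfsClaimsProviderTrust -Name $CptName -MetadataUrl $MetadataUrl -AnchorClaimType $AnchorClaimType

# Step 3: at least one acceptance transform (inbound) rule must pass the anchor claim
# through, otherwise AD FS has no anchor claim value for the user and cannot build an id token.
$AcceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through anchor claim (email address)"
c:[Type == "$AnchorClaimType"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName $CptName -AcceptanceTransformRules $AcceptanceRules

# Verification: the trust must carry the anchor claim type and an inbound rule that issues it.
$Cpt = Get-AdfsClaimsProviderTrust -Name $CptName
if ($Cpt.AnchorClaimType -ne $AnchorClaimType) {
    throw "AnchorClaimType is '$($Cpt.AnchorClaimType)', expected '$AnchorClaimType'"
}
if ($Cpt.AcceptanceTransformRules -notmatch [regex]::Escape($AnchorClaimType)) {
    throw "No acceptance transform rule references the anchor claim type; MSIS9642 will persist"
}
"CPT '$CptName' is configured with anchor claim type $AnchorClaimType"
```

After running it, repeat the comparison from Solution 2: sign in through the external CPT with a test relying party such as Claims X-Ray and confirm that the email address claim actually arrives from the external ADFS. The script can only check the local configuration; if the remote side does not issue that claim type at all, the pass-through rule has nothing to pass and the anchor claim is still empty.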

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: PatrickW
Solution 2: Michael Hall