SAML changes with ADFS

Configure ADFS to connect to Tradeshift 

This document describes how to configure ADFS to connect to Tradeshift via SSO (SAML).
For troubleshooting existing connections, see ADFS Configuration Troubleshooting.


Open the Server Manager 

Open the AD FS Management tool 

Add Relying Party Trust 

Select the option Claims aware

Select the option Enter data about the Relying party manually

Input a Display name (i.e. Tradeshift)

Upload the SP encryption certificate (see above)

Check Enable support for the SAML 2.0 WebSSO protocol and input the SSO service URL https://accounts.tradeshift.com/saml/SSO/alias/saml

Relying party trust identifier: https://accounts.tradeshift.com (enter it exactly as shown)

Click Add and make sure the value is in the list before you proceed.

Accept the policy Permit everyone

Accept the defaults until the end of the wizard. 

Right-click the Relying Party Trust you just created (i.e. Tradeshift), and click Properties 

Under the Signature tab, click Add to upload the same certificate as for Encryption

Under the Advanced tab, select SHA-1 and click OK.

Right-click the Relying Party Trust (i.e. Tradeshift) and click Edit Claim Issuance Policy

Click Add Rule

Select the Claim rule template “Send LDAP Attribute as Claims”

Map the LDAP attribute that holds your users' email addresses (the same one you use for Tradeshift: UPN, E-Mail-Addresses, etc.) to the SAML field Tradeshift expects. This is how Tradeshift matches the assertion to your user.

Claim rule name: Tradeshift Claims

Attribute store: Active Directory  

Map your LDAP attribute (e.g. User-Principal-Name) to 0.9.2342.19200300.100.1.3 

For example, if the UPN is not the email address, make sure the user's email is stored in the AD Email attribute and create this mapping instead: E-Mail-Addresses to 0.9.2342.19200300.100.1.3

Click Finish 

Click Add Rule to add a NameID Policy transform rule 

Claim rule template: Send Claims Using a Custom Rule 

Claim rule name: NameID Policy Transform

Custom rule: (copy-paste the following as one long line; all quotes must be straight ASCII quotes, or ADFS rejects the rule)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "saml");

Click Finish, then OK 

Done. You can now start creating users.
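The wizard steps above, carried out from PowerShell on the ADFS server instead of the AD FS Management console. This is an added example, not a script from Tradeshift or Microsoft. It assumes the AD FS PowerShell module is available on the server, that the SP certificate the guide tells you to upload is saved at the placeholder path $spCertPath, and that User-Principal-Name is the attribute holding the email address (swap the query to ;mail;{0} for E-Mail-Addresses, as the guide describes).

```powershell
# Added example: create the Tradeshift relying party trust with the same settings
# the wizard steps produce. Run as an administrator on the ADFS server.
Import-Module ADFS

# Placeholder path: the SP encryption/signing certificate supplied by Tradeshift
$spCertPath = 'C:\certs\tradeshift-sp.cer'
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $spCertPath

# SAML 2.0 WebSSO assertion consumer endpoint from the guide (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 `
    -Uri 'https://accounts.tradeshift.com/saml/SSO/alias/saml'

# Issuance transform rules in the AD FS claim rule language.
# Rule 1 is the "Send LDAP Attribute as Claims" mapping (UPN -> 0.9.2342.19200300.100.1.3,
# the outgoing claim type the guide names). Rule 2 is the guide's NameID policy transform;
# the spnamequalifier property set to "saml" is what the MSIS7070 troubleshooting entry checks.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Tradeshift Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("0.9.2342.19200300.100.1.3"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "NameID Policy Transform"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "saml");
'@

# "Permit everyone" issuance authorization policy
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The same certificate is used for Encryption and for the Signature tab, as in the guide.
# SignatureAlgorithm is SHA-1 because the guide selects it under Advanced; ADFS itself
# defaults new trusts to rsa-sha256, so keep SHA-1 only where the SP requires it.
Add-AdfsRelyingPartyTrust -Name 'Tradeshift' `
    -Identifier 'https://accounts.tradeshift.com' `
    -SamlEndpoint $acs `
    -EncryptionCertificate $spCert `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read the trust back: identifier, endpoint and signing certificate thumbprint should match the guide
Get-AdfsRelyingPartyTrust -Name 'Tradeshift' |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'AcsUrl';                e = { $_.SamlEndpoints | ForEach-Object Location } },
        @{ n = 'SigningCertThumbprint'; e = { $_.RequestSigningCertificate | ForEach-Object Thumbprint } }
```

The read-back at the end is the check to do before enabling users: if SigningCertThumbprint is empty, signed requests from Tradeshift will fail with the ID4037 error covered in the troubleshooting section.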

ADFS Configuration Troubleshooting 

Most common issues found during the configuration of ADFS IdPs. 

SignatureVerificationFailedException (ID4037) 

The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier( IsReadOnly  = False, Count = 1, Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause)'. Ensure that the SecurityTokenResolver is populated with the required key. 

Problem: missing signing certificate 

Solution: See section above titled "Under the Signature tab, click Add to upload the same certificate as for Encryption"

InvalidNameIdPolicyException (MSIS7070) 

The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True  Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: saml. Actual NameID properties: Format: urn: oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId: .

Problem: The SPNameQualifier requested in the AuthnRequest NameIDPolicy ("saml") is not present on the issued NameID because the transform rule that sets the NameID policy is missing

Solution: See section above titled "Click Add Rule to add a NameID Policy transform rule"

RevocationValidationException (MSIS3014) 

The encryption/signing certificate of the relying party trust 'https://accounts.tradeshift.com' identified by thumbprint  '1083C418421E2C234DEDA2AC8D7E5CAD0B2AF562' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

Problem: The encryption/signing certificate is not trusted 

Solution: Turn off Certificate Revocation Check for Encryption and Signing certificates: 

Open PowerShell (Right-click > Run as administrator, if needed)

Assuming the Relying Party Trust is named “Tradeshift”, copy-paste this command 

Set-ADFSRelyingPartyTrust -TargetName "Tradeshift" -EncryptionCertificateRevocationCheck None -SigningCertificateRevocationCheck None
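An added diagnostic that checks an existing Tradeshift relying party trust against the three troubleshooting cases above before anything is changed. It is not a Tradeshift or Microsoft script; it assumes the trust is named "Tradeshift" and that it runs on the ADFS server with the AD FS module available. The certificate chain report is there so you can see whether MSIS3014 is really an untrusted chain (which installing the issuing CA fixes) or an expired certificate, before turning revocation checking off with the command above.

```powershell
# Added diagnostic: inspect the 'Tradeshift' relying party trust for the three error cases
# in this troubleshooting section and list matching AD FS Admin log entries.
Import-Module ADFS

$rp = Get-AdfsRelyingPartyTrust -Name 'Tradeshift'
if (-not $rp) { throw "Relying party trust 'Tradeshift' not found" }

# ID4037: a missing signing certificate shows up as an empty RequestSigningCertificate list
if (-not $rp.RequestSigningCertificate) {
    Write-Warning 'No request signing certificate on the trust: expect ID4037 on signed requests'
}

# MSIS3014: report expiry and chain status of each certificate on the trust.
# X509Certificate2.Verify() builds the chain with the machine's trusted roots and revocation checking.
foreach ($cert in @($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) | Where-Object { $_ }) {
    '{0}  expires {1:u}  chainTrusted={2}' -f $cert.Thumbprint, $cert.NotAfter, $cert.Verify()
}

# Current revocation settings (the Set-ADFSRelyingPartyTrust command above sets both to None)
$rp | Select-Object EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck

# MSIS7070: the NameID transform rule must set the spnamequalifier claim property to "saml"
if ($rp.IssuanceTransformRules -notmatch 'claimproperties/spnamequalifier"\]\s*=\s*"saml"') {
    Write-Warning 'NameID Policy Transform rule is missing or SPNameQualifier is not set to "saml"'
}

# Recent AD FS Admin log entries that mention any of the three error codes covered here
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ID4037|MSIS7070|MSIS3014' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Error'; e = { [regex]::Match($_.Message, 'ID4037|MSIS7070|MSIS3014').Value } }
```

Setting the revocation check to None disables revocation checking for that trust only; if the chain report shows chainTrusted=False on a certificate that is neither expired nor revoked, importing the issuing CA chain into the server's trusted store resolves MSIS3014 without relaxing the check.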