Resolving AADSTS90020: The SAML 1.1 Assertion is Missing ImmutableID of the User

The error AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user is returned by Azure AD (now Microsoft Entra ID) when the token it receives from a federated identity provider does not carry the ImmutableID claim. In the WS-Federation flow used between ADFS and Azure AD, that token is a SAML 1.1 assertion, and ImmutableID is the claim Azure AD matches against the user's source anchor (the onPremisesImmutableId written by Azure AD Connect) to decide which cloud account the assertion belongs to. Without it Azure AD cannot identify the user, so sign-in fails before the intended service is ever reached. The error is most common in federated environments, such as Active Directory Federation Services (ADFS) federated with Azure AD, and with third-party IdPs that have not been configured to issue the claim.

Causes of the Error

The error “AADSTS90020: The SAML 1.1 assertion is missing ImmutableID of the user” has the following specific causes:

  1. Missing ImmutableID Attribute: The SAML 1.1 assertion does not include the ImmutableID claim, which Azure AD needs to uniquely identify the user. The value is typically the Base64-encoded objectGUID of the user in Active Directory (or ms-DS-ConsistencyGuid, when Azure AD Connect is configured to use that attribute as the source anchor). The anchor is deliberately a directory-assigned, non-writable attribute: a value a user or helpdesk can change, such as mail or UPN, would let an assertion be matched to the wrong cloud account after a rename or collision.

  2. Incorrect Claim Rules: The claim rules in Active Directory Federation Services (ADFS) are not configured to issue the ImmutableID claim for the Azure AD relying party trust. A rule that reads the anchor attribute from Active Directory and issues it under the ImmutableID claim type must be present.

  3. Third-Party Identity Providers: With third-party IdPs such as Shibboleth, the attribute release configuration may not emit ImmutableID (AttributeName ImmutableID in the AttributeNamespace http://schemas.microsoft.com/LiveID/Federation/2008/05) with a value equal to the user's source anchor. The IdP must be configured to release exactly this attribute in the assertion.

  4. Relying Party Trust Configuration: The issuance policy of the relying party trust for Azure AD (by default Microsoft Office 365 Identity Platform) does not include the ImmutableID claim. The claim issuance policy of that trust has to be edited so the claim is issued.

These issues are addressed by configuring the appropriate claim rules and ensuring the ImmutableID claim is included in the SAML 1.1 assertion with the same value Azure AD holds as the user's source anchor.

Identifying the Error

To identify the error AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user in authentication logs and error messages, follow these steps:

  1. Check Authentication Logs:

    • In the Azure AD sign-in logs, filter failed sign-ins for error code 90020. The failure is recorded on the Azure AD side because it is Azure AD, not the IdP, that rejects the token.
    • On the ADFS server, the AD FS/Admin event log will usually show the token being issued successfully, which is itself a hint that the problem is the content of the token rather than the authentication.
    • Capture the token the browser posts to login.microsoftonline.com (the wresult form field) with the browser developer tools or Fiddler, and check whether it contains an Attribute with AttributeName ImmutableID in the namespace http://schemas.microsoft.com/LiveID/Federation/2008/05.
  2. Common Scenarios:

    • ADFS Configuration Issues: ADFS is not configured to issue the ImmutableID claim for the Azure AD relying party trust.
    • Third-Party IdP Integration: A third-party identity provider does not release the ImmutableID attribute, or releases it under a different name or namespace.
    • Claim Rules: The claim rules that should map the user's source anchor attribute (objectGUID or ms-DS-ConsistencyGuid) to ImmutableID are missing or incorrect.
  3. Error Messages:

    • The error message states that the SAML token does not contain the required ImmutableID claim, which Azure AD needs to match the assertion to a user account.
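To check a captured token for the claim directly, here is an added PowerShell example; it is not code from the original article or from Microsoft. It parses a SAML 1.1 assertion, looks for the ImmutableID attribute in its WS-Federation claim namespace, and decodes the value back to a GUID so it can be compared with the user's AD objectGUID. The two assertions embedded below are constructed, unsigned samples, and the function name Get-ImmutableIdFromToken, the issuer URL and the UPN are assumptions.

```powershell
# Added example (not from the original article): inspect a SAML 1.1 token for the ImmutableID claim.
# The tokens below are constructed, unsigned samples. A real one is captured from the wresult form
# field that the browser posts to login.microsoftonline.com after authenticating at ADFS.

$ImmutableIdNamespace = 'http://schemas.microsoft.com/LiveID/Federation/2008/05'

function Get-ImmutableIdFromToken {
    # Hypothetical helper: reports whether ImmutableID is present, its raw value and the GUID it encodes.
    param([Parameter(Mandatory)][string]$TokenXml)

    $xml = [xml]$TokenXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')

    # In SAML 1.1 the claim type ".../2008/05/ImmutableID" is split into AttributeNamespace and AttributeName.
    $xpath = "//saml:Attribute[@AttributeName='ImmutableID' and @AttributeNamespace='$ImmutableIdNamespace']/saml:AttributeValue"
    $node  = $xml.SelectSingleNode($xpath, $ns)

    $result = [ordered]@{ Present = $false; ImmutableId = $null; Guid = $null; Problem = $null }
    if (-not $node) {
        $result.Problem = 'ImmutableID attribute missing from assertion: this is the token shape Azure AD rejects with AADSTS90020'
        return [pscustomobject]$result
    }
    $result.Present     = $true
    $result.ImmutableId = $node.InnerText.Trim()

    try   { $bytes = [Convert]::FromBase64String($result.ImmutableId) }
    catch { $result.Problem = 'ImmutableID is not valid Base64'; return [pscustomobject]$result }

    if ($bytes.Length -ne 16) {
        $result.Problem = "ImmutableID decodes to $($bytes.Length) bytes; a Base64 objectGUID decodes to 16"
        return [pscustomobject]$result
    }
    # The AD attribute store emits objectGUID as Base64 of its raw bytes; [Guid] reads them in the same order,
    # so this GUID can be compared with (Get-ADUser <user>).ObjectGUID.
    $result.Guid = [Guid]::new($bytes)
    [pscustomobject]$result
}

# Constructed sample: a well-formed assertion that carries both UPN and ImmutableID.
$assertionWithId = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_c0ffee" Issuer="http://sts.contoso.com/adfs/services/trust" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="$ImmutableIdNamespace">
      <saml:AttributeValue>EDuRUjR2V4iZqrvM3e7/AA==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

# The same token with the ImmutableID attribute stripped out: the shape that produces AADSTS90020.
$assertionWithoutId = $assertionWithId -replace '(?s)<saml:Attribute AttributeName="ImmutableID".*?</saml:Attribute>\s*', ''

Get-ImmutableIdFromToken $assertionWithId    | Format-List
Get-ImmutableIdFromToken $assertionWithoutId | Format-List
```

The check deliberately fails closed on malformed values: a claim that is present but is not 16 Base64-decoded bytes will not match any objectGUID-based anchor in Azure AD, and it is reported as a problem rather than treated as success.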

Resolving the Error

The following steps resolve the error ‘AADSTS90020: The SAML 1.1 assertion is missing ImmutableID of the user’ by configuring claim rules in ADFS:

  1. Open ADFS Management Console:

    • On the primary ADFS server, open Server Manager > Tools > AD FS Management (Start > Administrative Tools on older Windows Server versions).
  2. Select the Relying Party Trust:

    • In the left pane, expand Trust Relationships and select Relying Party Trusts.
    • Right-click the trust used for Azure AD (by default Microsoft Office 365 Identity Platform) and choose Edit Claim Issuance Policy (Edit Claim Rules on AD FS 2012 R2 and earlier).
  3. Add Issuance Transform Rule:

    • On the Issuance Transform Rules tab, click Add Rule to open the Add Transform Claim Rule Wizard.
    • Choose Send Claims Using a Custom Rule and click Next.
  4. Configure Custom Rule:

    • Enter a name for the rule.
    • Use the following custom rule to issue ImmutableID from the user's objectGUID:
      c:[Type == "http://schemas.xmlsoap.org/claims/UPN", Issuer == "AD AUTHORITY"]
      => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = ";objectGUID;{0}", param = c.Value);
    • The Issuer == "AD AUTHORITY" condition restricts the lookup to a UPN that ADFS itself obtained from Active Directory. A UPN passed through from another claims provider must not be allowed to drive the query, because it would let that provider choose which account's ImmutableID is issued.
    • The Active Directory attribute store returns objectGUID already Base64-encoded, which is the format Azure AD expects. If Azure AD Connect uses ms-DS-ConsistencyGuid as the source anchor, query that attribute instead of objectGUID: the value issued must equal the user's onPremisesImmutableId in Azure AD, otherwise sign-in fails with a different error. Make sure only one rule issues ImmutableID for the trust.
  5. Finish and Apply:

    • Click Finish to save the rule, then OK to apply the issuance policy. The change takes effect without restarting the AD FS service.
  6. Test the Configuration:

    • Sign in as a test user and confirm the sign-in succeeds. If it still fails, capture the token posted to login.microsoftonline.com and confirm that the ImmutableID attribute is present and that its value matches the user's source anchor.

These steps resolve the error by ensuring the ImmutableID claim is issued in the SAML 1.1 assertion with the value Azure AD holds as the user's source anchor.
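The same configuration done from PowerShell, as an added example that is not part of the original article or of Microsoft's documentation: it appends the rule above to the relying party trust without overwriting the existing rules, refuses to add a second ImmutableID rule, and then compares what the rule would issue for a test user against the anchor stored in Azure AD. Assumptions: the trust carries its default name Microsoft Office 365 Identity Platform, the RSAT ActiveDirectory and Microsoft.Graph.Users modules are installed and Connect-MgGraph has already been run with User.Read.All, alice@contoso.com is a synchronized test user, and Test-ImmutableIdAnchor is a hypothetical helper name.

```powershell
# Added example (not from the original article): add the ImmutableID rule with the ADFS module
# and verify the anchor for a test user. Run on the primary ADFS server; in a WID farm the
# secondaries are read-only. Assumed names: the default trust name and a test user alice@contoso.com.

$RpName           = 'Microsoft Office 365 Identity Platform'
$ImmutableIdClaim = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'

# Same rule as in the console steps. The Issuer condition limits the AD lookup to a UPN that ADFS
# itself obtained from AD, so a claim passed through from another claims provider cannot drive it.
$ImmutableIdRule = @"
@RuleName = "Issue ImmutableID from objectGUID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$ImmutableIdClaim"), query = ";objectGUID;{0}", param = c.Value);
"@

$trust = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $trust) { throw "Relying party trust '$RpName' not found" }

if ($trust.IssuanceTransformRules -match [regex]::Escape($ImmutableIdClaim)) {
    Write-Host "An existing rule already issues ImmutableID for '$RpName'; not adding a duplicate."
} else {
    # -IssuanceTransformRules replaces the whole rule set, so append to the current text rather than overwrite it.
    $newRules = $trust.IssuanceTransformRules + "`r`n" + $ImmutableIdRule
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $newRules
    Write-Host "ImmutableID rule added to '$RpName'."
}

function Test-ImmutableIdAnchor {
    # Hypothetical helper: compares the Base64 anchor candidates from AD with the onPremisesImmutableId
    # stored in Azure AD. If only the ms-DS-ConsistencyGuid candidate matches, the rule must query that
    # attribute instead of objectGUID.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }

    # This is exactly what the Active Directory attribute store returns for ;objectGUID;
    $fromObjectGuid = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $fromConsistencyGuid = if ($adUser.'mS-DS-ConsistencyGuid') {
        [Convert]::ToBase64String([byte[]]$adUser.'mS-DS-ConsistencyGuid')
    } else { $null }

    # Requires a prior Connect-MgGraph -Scopes 'User.Read.All'.
    $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property 'UserPrincipalName', 'OnPremisesImmutableId'

    [pscustomobject]@{
        UserPrincipalName              = $UserPrincipalName
        ImmutableIdFromObjectGuid      = $fromObjectGuid
        ImmutableIdFromConsistencyGuid = $fromConsistencyGuid
        AzureAdOnPremisesImmutableId   = $cloudUser.OnPremisesImmutableId
        ObjectGuidMatches              = ($fromObjectGuid -eq $cloudUser.OnPremisesImmutableId)
        ConsistencyGuidMatches         = ($null -ne $fromConsistencyGuid -and $fromConsistencyGuid -eq $cloudUser.OnPremisesImmutableId)
    }
}

Test-ImmutableIdAnchor -UserPrincipalName 'alice@contoso.com' | Format-List
```

Run the verification before and after adding the rule: if ObjectGuidMatches is false but ConsistencyGuidMatches is true, the tenant was synchronized with ms-DS-ConsistencyGuid as the source anchor and the query segment in the rule must be changed from objectGUID to mS-DS-ConsistencyGuid, or every sign-in will fail with an anchor mismatch instead of AADSTS90020.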

Preventing Future Occurrences

To prevent the error ‘AADSTS90020: the SAML 1.1 assertion is missing ImmutableID of the user’ from occurring in the future, follow these best practices:

  1. Regular Audits of Claim Rules:

    • Periodically review and update claim rules to ensure they are correctly configured and aligned with current requirements.
    • Verify that the ImmutableID claim is being issued correctly in the SAML assertion.
  2. Proper Configuration of Identity Providers:

    • Ensure that identity providers (IdPs) are correctly configured to include the ImmutableID in their assertions.
    • Test configurations thoroughly to confirm that all necessary claims are being issued as expected.
  3. Consistent Attribute Mapping:

    • Maintain consistent attribute mapping between the IdP and the relying party (RP). Ensure that attributes like ImmutableID are correctly mapped and transformed.
  4. Monitoring and Logging:

    • Implement robust monitoring and logging to quickly identify and troubleshoot issues related to missing claims.
    • Use logs to track and analyze authentication flows and identify any discrepancies.
  5. User Synchronization:

    • Ensure Azure AD Connect is healthy and that the source anchor it writes to onPremisesImmutableId (objectGUID or ms-DS-ConsistencyGuid) is the same attribute the ADFS rule reads, so the issued ImmutableID and the cloud anchor agree for every user.
    • Regularly check for synchronization errors and resolve them promptly.
  6. Documentation and Training:

    • Keep detailed documentation of your claim rules and configurations.
    • Train your IT staff on best practices for managing and troubleshooting SAML assertions and claim rules.

Implementing these practices can help maintain a smooth and error-free authentication process.

The Error ‘AADSTS90020: The SAML 1.1 Assertion is Missing ImmutableID of the User’

The error ‘AADSTS90020: The SAML 1.1 assertion is missing ImmutableID of the user’ occurs due to missing or incorrect configuration of claim rules, identity providers, and attribute mapping in SAML authentication processes.

Resolving the Issue

To resolve this issue, it’s essential to properly configure custom rules for issuing claims, ensure consistent attribute mapping between identity providers and relying parties, and maintain robust monitoring and logging to quickly identify and troubleshoot issues related to missing claims.

Prevention Strategies

Regular audits of claim rules, proper configuration of identity providers, user synchronization, and documentation and training are also crucial in preventing this error from occurring in the future.
