How do I troubleshoot Active Directory Federation Services (ADFS) SAML?

After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. As a result, you may experience problems logging in via SAML to your Controller.



You will see the following error in the Controller server.log:

[#|2018-11-29T15:42:57.360-0800|SEVERE|glassfish 4.1|
_LevelValue=1000;|Error while processing SAML Authentication Response
com.onelogin.saml2.exception.ValidationError: No name id found in Document.
at com.onelogin.saml2.authn.SamlResponse.getNameIdData(
at com.onelogin.saml2.authn.SamlResponse.getNameId(
at com.onelogin.saml2.Auth.processResponse(
at com.onelogin.saml2.Auth.processResponse(
at com.appdynamics.controller.mds.auth.MdsSamlAuthResourceImpl.consumeSAMLAuthenticationResponse(
at javax.servlet.http.HttpServlet.service(
at javax.servlet.http.HttpServlet.service(
at org.apache.catalina.core.StandardWrapper.service(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at com.appdynamics.platform.RequestOrigin.runAs(



As part of our improvements around SAML 2.0 authentication in the v4.5 release, our SAML implementation now requires a NameID assertion for Microsoft ADFS. If your configuration has not been updated to include this prior to upgrading to v4.5, you may encounter the error above.



To resolve this, add NameID as the Outgoing Claim Type in your claim rule. You can map NameID to any unique ID (SAM-Account-Name, email, UPN, etc.). Follow the steps below prior to upgrading your Controller.


1. From your ADFS Console, select the “Relying Party Trusts” folder.


2. Select your trust for AppDynamics and right click on it.



3. Choose “Edit Claim Issuance Policy…”





4. On the Issuance Transform Rules screen, select your AppDynamics rule and click the “Edit Rule…” button.



5. In the Edit Rule dialog, either add a new unique identifier or edit the existing one (e.g., SAM-Account-Name), and map it to the Outgoing Claim Type “Name ID.”

  • Add a new unique attribute
  • Edit an existing attribute

6. Save your work.


7. Test to ensure that the authentication succeeds.
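
To confirm the claim rule change before upgrading, you can inspect a captured SAMLResponse form value (HTTP-POST binding) for the NameID that the v4.5 Controller requires. The script below is an added example, not AppDynamics or OneLogin code; the function names and both sample responses are constructed for illustration, and it performs no signature validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_name_id(saml_response_b64):
    """Diagnose a base64 SAMLResponse form value (HTTP-POST binding).

    Diagnostic only: no signature or condition validation is performed.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ("encrypted", "assertion is encrypted; decrypt it before checking")
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        return ("missing", "assertion has no Subject element")
    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # List the claims that were sent, to show which rule needs the mapping.
        sent = [a.get("Name") for a in root.findall(
            "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)]
        return ("missing", "no NameID in Subject; claims sent: " + ", ".join(sent))
    return ("ok", name_id.text.strip())

def build_sample(name_id_xml):
    """Constructed, unsigned response shaped like an ADFS one (sample data only)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<Subject>' + name_id_xml +
        '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        '</Subject>'
        '<AttributeStatement><Attribute Name='
        '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
        '<AttributeValue>jdoe@example.com</AttributeValue></Attribute>'
        '</AttributeStatement></Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

BEFORE_FIX = build_sample("")                      # claim rule issues no Name ID
AFTER_FIX = build_sample("<NameID>jdoe</NameID>")  # SAM-Account-Name mapped to Name ID

if __name__ == "__main__":
    for label, resp in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_name_id(resp))
```

A "missing" result corresponds to the "No name id found in Document" error shown in server.log above.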
