Federated Authentication: Unsuccessful login with external provider


Description

Federated Authentication needs the nameidentifier claim in order to proceed with authentication. However, not all identity providers send this claim (or the NameID claim) by default. If the claim is missing, the following error appears in the browser window:

Error: "Unsuccessful login with external provider"

Solution 1

To fix this issue, add the following claim transformation to the Federated Authentication configuration files (it maps the UPN claim onto the nameidentifier claim):

<transformations hint="list:AddTransformation">
  <!-- Copies the UPN claim into the nameidentifier claim; keepSource=false drops the UPN claim afterwards -->
  <transformation name="Name Identifier Claim" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
    <sources hint="raw:AddSource">
      <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    </sources>
    <targets hint="raw:AddTarget">
      <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
    </targets>
    <keepSource>false</keepSource>
  </transformation>
  ...
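As an added illustration (not from the article and not Sitecore's own code), the Python below parses the transformation fragment above and applies a simplified model of it to a constructed claim set, showing that a provider sending only a UPN claim fails the nameidentifier check until the rule runs. The copy-the-source-value semantics, the closing tag and the sample claims are assumptions.

```python
import xml.etree.ElementTree as ET

NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# The transformation from the article, given a closing tag so it parses stand-alone.
CONFIG_XML = """<transformations hint="list:AddTransformation">
  <transformation name="Name Identifier Claim" type="Sitecore.Owin.Authentication.Services.DefaultTransformation, Sitecore.Owin.Authentication">
    <sources hint="raw:AddSource">
      <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    </sources>
    <targets hint="raw:AddTarget">
      <claim name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
    </targets>
    <keepSource>false</keepSource>
  </transformation>
</transformations>"""

# Constructed sample: what a provider that omits nameidentifier might send.
SAMPLE_CLAIMS = [(UPN, "alice@example.test"),
                 ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "alice@example.test")]


def parse_transformations(xml_text):
    """Return [(source_types, target_types, keep_source)] from the config fragment."""
    rules = []
    for t in ET.fromstring(xml_text).findall("transformation"):
        sources = [c.get("name") for c in t.findall("sources/claim")]
        targets = [c.get("name") for c in t.findall("targets/claim")]
        keep = t.findtext("keepSource", "true").strip().lower() == "true"
        rules.append((sources, targets, keep))
    return rules


def apply_transformations(claims, rules):
    """Simplified model (an assumption, not Sitecore's implementation): when every source
    type is present, emit each target type with the first source's value; drop sources unless keepSource."""
    result = list(claims)
    for sources, targets, keep in rules:
        found = {ctype: value for ctype, value in result if ctype in sources}
        if any(s not in found for s in sources):
            continue  # rule does not fire; claims are left untouched
        value = found[sources[0]]
        if not keep:
            result = [(c, v) for c, v in result if c not in sources]
        result.extend((target, value) for target in targets)
    return result


def has_name_identifier(claims):
    """The precondition whose failure surfaces as 'Unsuccessful login with external provider'."""
    return any(ctype == NAME_ID for ctype, _ in claims)
```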

Solution 2

To fix this issue, configure the identity provider to send the name identifier (NameID) claim.

The following is an example for Active Directory Federation Services (ADFS):

  1. Open the Server Manager Dashboard.
  2. Click Tools, AD FS Management.
  3. Click the Relying Party Trusts folder.
  4. Select the corresponding entry.
  5. Click Edit Claim Issuance Policy.
  6. Double-click the relevant rule.
  7. Add a mapping from the User-Principal-Name attribute to the Name ID claim.
  8. Apply the changes.