Ninja Nichols

The discipline of programming

Passing ADFS Claims to Shibboleth

According to the official Shibboleth documentation ( ingesting claims from ADFS into Shibboleth requires adding the following mapping rules to /etc/shibboleth/attribute-map.xml:

<!-- WS-Fed attributes -->
<Attribute nameFormat="" name="CommonName" id="cn"/>
<Attribute nameFormat="" name="EmailAddress" id="email"/>
<Attribute nameFormat="" name="UPN" id="userPrincipalName"/>
<Attribute nameFormat="" name="Group" id="group"/>

This is NOT correct. Maybe it worked with older versions, but it doesn’t work at all with Shibboleth 2.4 and ADFS 2.x.

After much digging I stumbled across some interesting entries in the Shibboleth daemon log file /var/log/shibboleth/shibd.log. After each login attempt there were a number entries about unmapped SAML attributes:

2015-01-14 16:00:37 INFO Shibboleth.AttributeExtractor.XML [90]: skipping unmapped SAML 2.0 Attribute with Name:, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Helpfully that log message tells us the Name and Format of each unmapped attribute. Plugging those values in results in an attribute mapping like this instead:

<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="" id="group"/>

AD FS 2.0 Service Fails to Start


  1. Instead of a login page, the user is presented with:
    There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
    Reference number: 7aaab8f7-85ed-4910-9f4f-d105100cb604
  2. Going to Administrative Tools -> Services reveals that AD FS 2.0 service is not started. Trying to start the service manual results in:
  3. Event 220 appears in AD FS 2.0 Event Viewer logs:
    The Federation Service configuration could not be loaded correctly from the AD FS configuration database. 
    Additional Data 
    ADMIN0012: OperationFault
  4. Event 352 appears in AD FS 2.0 Event Viewer logs:
    A SQL operation in the AD FS configuration database with connection string Data Source=\.pipemssql$microsoft##sseesqlquery;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.  
    Additional Data 
    Exception details: 
    A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)


  1. Start “Windows Internal Database” service.
  2. Now you can start the “AD FS 2.0 Windows Service”.