Logon using SAML not working with attributes "user_uuid" to "UID"


Symptoms

SAML authentication does not work with all attributes; it works only with UPN, email, sAMAccountName, and Description.

For example, mapping the SAML attribute "user_uuid" to the AD attribute "uid" will not work when those attributes are set in the SAML Attribute Properties.

The user fails to log in with SAML, and the error "Logon using SAML failed. Error: SAML attribute: nameid not found" is thrown:

[D 72/00000004/T08E8/P13F4] 18-03-25 09:47:55 - SAML - User:'abc.zyx@zzz.onmicrosoft.com' - SAML attribute: nameid not found
[I 72/00000005/T08E8/P13F4] 18-03-25 09:47:55 - SAML - User:'abc.zyx@zzz.onmicrosoft.com' - Failed to get User with AD attribute: 'uid' and value '5a826ddf-0015-48b8-ad8a-xxxxxxxx'
[E 72/00000006/T08E8/P13F4] 18-03-25 09:47:55 - SAML - User:'abc.zyx@zzz.onmicrosoft.com' - Failed to find AD user for abc.zyx@zzz.onmicrosoft.com
[E 0E/0000002C/T08E8/P13F4] 18-03-25 09:47:55 - SAML: Failed to Identify User from Assertion
[T 00/00000000/T08E8/P13F4] 18-03-25 09:47:55 - Error Msg: Logon using SAML failed. Error: Failed to match AD User. (0X00000006)

Cause

Some AD attributes, such as uid, are not added to the Global Catalog by default and must be added manually through the Active Directory Schema snap-in.

See the "Uid attribute - Win32 apps" reference, specifically the "In Global Catalog" value.

Resolution

The Active Directory Schema snap-in must be registered first by executing regsvr32 schmmgmt.dll from Run, CMD, or PowerShell. It will then appear as an option in the list of available snap-ins.


With the snap-in loaded, click Attributes and look for uid (type u i d in quick succession to jump to it). Double-click it, tick "Replicate this attribute to the Global Catalog", then click Apply and OK.


The Domain Controller should be restarted to apply the above changes.

Once the replication of the UID attribute to the Global Catalog is complete, SAML login using the UID attribute should function properly.
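As an added example (not part of the original article), the following PowerShell script checks whether uid is flagged for Global Catalog replication, optionally sets that flag, and then verifies the lookup the SAML module performs by querying the GC port directly. The GC host name, the uid value, the -Enable switch and the use of the ActiveDirectory RSAT module are assumptions for illustration.

```powershell
# Added example, not from the original article: check whether the 'uid' attribute is
# replicated to the Global Catalog, optionally enable it, and verify that a user can be
# resolved by uid through a GC query (port 3268), which is the lookup SAML logon needs.
# Assumptions: ActiveDirectory module (RSAT) installed; Schema Admins membership for
# the -Enable step; GC host and uid value below are placeholders.
param(
    [string]$AttributeName = 'uid',
    [string]$GlobalCatalog = 'dc01.example.local:3268',            # placeholder GC host:port
    [string]$UidValue      = '5a826ddf-0015-48b8-ad8a-xxxxxxxx',    # placeholder uid value
    [switch]$Enable
)
Import-Module ActiveDirectory

# 1. Locate the attributeSchema object for 'uid' in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
if (-not $attr) { throw "Attribute '$AttributeName' not found in schema $schemaNC" }

# isMemberOfPartialAttributeSet is the flag behind the snap-in's
# "Replicate this attribute to the Global Catalog" checkbox.
$inGC = [bool]$attr.isMemberOfPartialAttributeSet
Write-Host "$AttributeName in Global Catalog (partial attribute set): $inGC"

# 2. Optionally enable GC replication (a schema change; requires Schema Admins).
if ($Enable -and -not $inGC) {
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isMemberOfPartialAttributeSet = $true }
    Write-Host "Enabled GC replication for '$AttributeName'; allow replication to finish before retesting."
}

# 3. Reproduce the SAML module's lookup: find the user by uid via the GC port.
#    While uid is not in the GC this returns nothing, matching the log line
#    "Failed to get User with AD attribute: 'uid'".
$user = Get-ADUser -Server $GlobalCatalog -LDAPFilter "($AttributeName=$UidValue)" `
    -Properties $AttributeName
if ($user) {
    Write-Host "GC lookup succeeded: $($user.UserPrincipalName)"
} else {
    Write-Warning "No user with $AttributeName=$UidValue returned by GC $GlobalCatalog"
}
```

Run it without -Enable first to confirm the attribute is missing from the GC, then with -Enable, and rerun after replication has completed to confirm the GC lookup now returns the user.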
