Error "NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration" Received When Using SSO with AD FS


Published: 10 Dec 2019
Last Modified Date: 14 Oct 2020

Issue

When using SSO with AD FS as the SAML IdP, the following error may occur: 

Error validating SAML message; caused by: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration

Environment

  • Tableau Online
  • SAML
  • AD FS

Resolution

Step One

Update the LDAP Claim Mapping to use Email Addresses for the Outgoing Claim Type: 
  1. Select Edit Rule for the Tableau Online policy Attributes
  2. Ensure Outgoing Claim Type is set to Email Addresses
Note: See the screenshot below. The LDAP Attributes may be different depending on your AD FS configuration.

Step Two

Create a Transform Claim Rule to change the Outgoing Claim Type to NameID: 
  1. Select Add Rule
  2. Select Transform an Incoming Claim
  3. Enter a name (Example: Email to Name ID). 
  4. For Incoming claim type, select Email Addresses
  5. For Outgoing claim type, select Name ID
  6. For Outgoing name ID format, select Email. 
  7. Make sure Pass through all claims is selected. 
  8. Select Finish.

Step Three

Configure Tableau Online to use NameID for the email attribute:
  1. Sign in to your Tableau Online site as a site administrator, and select Settings > Authentication.
  2. On the Authentication tab, under SAML, select Edit connection.
  3. In the Identity Provider (IdP) Assertion Name column, change the Email attribute to NameID.
  4. Click Apply.

Cause

AD FS was not configured to send the NameID in the Subject.
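
To confirm the fix, the check below decodes a SAMLResponse form value and reports whether the Subject carries a NameID in the Email format selected in Step Two. It is an added example, not part of the original article or of Tableau's or Microsoft's tooling. The function names and the two sample responses are constructed for illustration, and the check does no signature validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Format URI that AD FS emits when "Email" is chosen as the outgoing name ID format.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_name_id(saml_response_b64):
    """Return (ok, detail) for a base64 SAMLResponse value from the HTTP-POST binding."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # Diagnostic only: signatures are not validated. DTDs are refused so the
    # standard-library parser never processes entity declarations.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DTD not allowed in a SAML message"
    root = ET.fromstring(xml_bytes)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            return False, "assertion is encrypted; decrypt it before checking"
        return False, "no Assertion in Response"
    name_id = None
    for assertion in assertions:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            return False, "NameID missing from Subject"
        if name_id.get("Format") != EMAIL_FORMAT:
            return False, "NameID Format is %r, expected Email" % name_id.get("Format")
    return True, name_id.text.strip()


def sample_response(subject_inner):
    """Constructed, trimmed Response (no ID, issuer or signature); not AD FS output."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>" + subject_inner +
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


BEFORE = sample_response("")  # Subject without NameID: the state that triggers the error
AFTER = sample_response(
    '<saml:NameID Format="%s">user@example.com</saml:NameID>' % EMAIL_FORMAT)

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, check_name_id(resp))
```
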