If you are using Microsoft ADFS for SAML authentication and see a "sspmod_saml_Error: Requester/InvalidNameIDPolicy" response in the simplesamlphp.log file, the issue is that your IdP is not accepting the NameID format SimpleRisk asks for in its authentication request, which is transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient). To get it working, you need to enable support for transient NameIDs on the IdP side (the SimpleRisk SAML application requests this format by default):


This Cisco document outlines nicely how to do this, assuming your IdP is ADFS. See "Step 11" of this document:


https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118771-configure-samlsso-00.html


In a nutshell, this adds a custom claim rule that tells ADFS to send the NameID in that transient format. Here's one example using the windowsaccountname claim as the anchor:


c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");


Here's another example of a custom rule using UPN as the anchor:


c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]

=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
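
If you would rather apply the rule from PowerShell than through the ADFS management console, the following script does the same thing with the ADFS module. This is an added example, not part of the original article or SimpleRisk's own code; it assumes the relying party trust is called "SimpleRisk" (a placeholder, use your trust's display name) and that the UPN claim is already being passed through to the trust. The important caveat it handles is that -IssuanceTransformRules replaces the whole rule set for the trust, so the script reads the existing rules and appends to them instead of overwriting them.

```powershell
# Added example (not from the SimpleRisk article): append the transient NameID
# claim rule to an existing ADFS relying party trust using the ADFS PowerShell module.
# Assumptions: the trust's display name is "SimpleRisk" (placeholder) and the UPN
# claim is already issued for this trust by an existing pass-through rule.
Import-Module ADFS

$trustName = "SimpleRisk"   # placeholder: display name of the relying party trust

# Same rule as in the article, with a @RuleName so it is easy to find in the console.
$transientNameIdRule = @'
@RuleName = "Transient NameID from UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# -IssuanceTransformRules replaces the entire rule set, so keep the existing
# rules and add the new one to the end rather than overwriting them.
$existingRules = $trust.IssuanceTransformRules
if ($existingRules -match 'nameid-format:transient') {
    Write-Host "A transient NameID rule is already present on '$trustName'; nothing to do."
} else {
    $newRules = $existingRules + "`r`n" + $transientNameIdRule
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $newRules
    Write-Host "Transient NameID rule added to '$trustName'."
}

# Verify: show the rules now in effect for the trust.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

After running it, retry the SimpleRisk login and confirm that the Requester/InvalidNameIDPolicy entry no longer appears in simplesamlphp.log; if it persists, the most common cause is that the source claim (UPN or windowsaccountname) is not actually being issued for this trust, so the rule has nothing to transform.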


Here are a few additional resources that may help to get you over the hump: