Having an issue when integrating SAML SSO with ADFS

Hi, Morpheus experts.
I wanted to ask you about SAML SSO integration. I am trying to integrate SAML SSO with ADFS and got a SAML error.
Login was successful, but it showed the following error message (screenshot not included).

In the Morpheus log, it had the same error message.

2023-11-09_03:54:44.67999 ‘’[2023-11-09 03:54:44,691] [http-nio-127.0.0.1-8080-exec-9]
WARN c.b.p.SamlUserService - An Account processing exception has occurred: com.bertramlabs.plugins.AccountsException: No NameID found in the subject of the SAMLResponse.

(1) This is the SAML metadata that Morpheus generated. This XML was used for registering Morpheus as a Relying Party Trust in ADFS.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://morpheus.test/saml/u1Pg0ioHb"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://morpheus-5-mgt.helionit.io/externalLogin/callback/m2zthjBEi"/>
    </SPSSODescriptor>
</EntityDescriptor>

(2) The XML data below is what was received from ADFS, as seen in the Morpheus log after sign-in.
In this SAML response there was no "NameID". I am wondering how I can make ADFS include the NameID in the response?

<samlp:Response ID="_e6d14f0f-a796-4772-b835-b7c772bce97f" Version="2.0" IssueInstant="2023-11-10T03:38:37.198Z" Destination="https://morpheus.test/externalLogin/callback/u1Pg0ioHb" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_c8073cf8b357bc0e0bf0e3a171e7132864a8d1ef040d2eba375b5e1dcf11541f"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.*****/adfs/services/trust
    </Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_06ca0c80-22a8-4c6f-884c-b6acc0d5fcbd" IssueInstant="2023-11-10T03:38:37.198Z" Version="2.0"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://adfs.test/adfs/services/trust</Issuer>
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_06ca0c80-22a8-4c6f-884c-b6acc0d5fcbd">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>OPNtCTGnETZ801SdXE2NjNvFMaR6kHGx7Z/+BH/grnc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Exn2MDa1qlgsN+aKW8xdZvsstePtNtPAX6yr5lBZai3uSFacBP3EeYw1ENZiZZUuIaxldaw3rxFSGXeZ9b+XW8jbd5K32Rsn5dBf7PN1vaiUD7TSx5+Fu7hYMvfOxReoCjEexlQ4cnv7xxqrZKeLQZDA0T3H1f2zRfP1X0lp14UfxQ+z9SbzFLtRzptuJbJgr2t2cR2rgZ9UfbtlXw4NVCpWY9J5tK4b7oyrywypZL9uWdXQJDv58Iw2u0YWf8d+FHtRAw8E1GudulIyzuF0XrnWqqNKrotU6YA8jA/+Qy1cEL3A1RncVQAgsTiZRHUSTsZ/oz4eIdF+PjUwcnZfQQ==</ds:SignatureValue>
            <KeyInfo
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_c8073cf8b357bc0e0bf0e3a171e7132864a8d1ef040d2eba375b5e1dcf11541f" NotOnOrAfter="2023-11-10T03:43:37.198Z" Recipient="https://morpheus-5-mgt.helionit.io/externalLogin/callback/u1Pg0ioHb" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2023-11-10T03:38:37.196Z" NotOnOrAfter="2023-11-10T04:38:37.196Z">
            <AudienceRestriction>
                <Audience>https://morpheus.test/saml/u1Pg0ioHb</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2023-11-10T03:38:37.144Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

This needs to be corrected on the ADFS side to pass a NameID. It seems to be a commonly identified issue when searching online. Depending on your specific backend IdP, it sounds like this can be configured in a multitude of ways. You'll need to look at your vendor-specific documentation.


@cbunge thanks for the reply.
I needed to define a Claim Issuance Policy rule in ADFS that maps my specific LDAP attribute to the outgoing claim type "Name ID".
SAML SSO with ADFS is now working. I got a hint from myF5.

This is another question I need to clarify while trying to limit access to users in a specific AD group.
Let's suppose I want to limit access to users in "azs-group" only, and I get the following group attributes in the SAML response.

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Domain Users</AttributeValue>
    <AttributeValue>azs-group</AttributeValue>
</Attribute>

and added the attribute as follows:
[screenshot: morpheus-adfs-sso-configurer-01]

I intended to allow "azs-group" only. After this, users in the group were able to access the Morpheus portal and their logins were successful; on the other hand, users in other groups saw the message below.
[screenshot: morpheus-adfs-sso-configurer-02]

I am wondering if this was a proper integration? Are there any other improved steps beyond what I did?
I think there would be a better way of handling the error process when users from other tenants try to access.
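The two checks discussed in this thread, the missing Subject/NameID and the Group-claim allow-list, as an added example that is not Morpheus or ADFS code: it parses a SAMLResponse, reports whether a NameID is present, checks the Audience against the SP entityID from the metadata above, and tests the multi-valued Group claim against an allow-list. The sample responses are constructed and unsigned; the entityID, claim type and group name are taken from the thread, and signature verification is assumed to happen before any of these values are trusted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"   # claim type seen in the thread
SP_ENTITY_ID = "https://morpheus.test/saml/u1Pg0ioHb"      # entityID from the SP metadata above


def check_response(xml_text, entity_id=SP_ENTITY_ID, allowed_groups=("azs-group",)):
    """Inspect a SAMLResponse and return findings; 'ok' is True only if every check passes.
    Signature verification is deliberately out of scope: do it before trusting any value."""
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml instead
    f = {"name_id": None, "name_id_format": None, "audience_ok": False,
         "groups": [], "group_ok": False, "ok": False}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return f
    # Morpheus's "No NameID found in the subject" error corresponds to this lookup failing
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        f["name_id"] = (name_id.text or "").strip()
        f["name_id_format"] = name_id.get("Format")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    f["audience_ok"] = entity_id in audiences
    # Group claim is multi-valued: one AttributeValue per AD group the user belongs to
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            f["groups"] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    f["group_ok"] = bool(set(f["groups"]) & set(allowed_groups))
    f["ok"] = bool(f["name_id"]) and f["audience_ok"] and f["group_ok"]
    return f


def sample_response(name_id=None, groups=()):
    """Constructed, unsigned, minimal ADFS-style response for demonstration only."""
    nid = (f'<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
           f'{name_id}</NameID>') if name_id else ""
    vals = "".join(f"<AttributeValue>{g}</AttributeValue>" for g in groups)
    attrs = (f'<AttributeStatement><Attribute Name="{GROUP_CLAIM}">{vals}</Attribute>'
             '</AttributeStatement>') if groups else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">'
            '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
            f'<Subject>{nid}<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
            f'</Subject><Conditions><AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience>'
            f'</AudienceRestriction></Conditions>{attrs}</Assertion></samlp:Response>')
```

`check_response(sample_response())` reproduces the thread's failure (no NameID), while a response carrying "Domain Users" only is rejected by the group check even though its NameID is fine.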