ISE 2.4 Patch 6 SAML IdP ADFS 3.0

dmr23
Level 1

Hi everyone,

I am working in a lab to test ISE 2.4 Patch 6 with SAML, using ADFS 3.0 (Windows Server 2012 R2) as the IdP. I followed the guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213352-configure-ise-2-3-sponsor-portal-with-ms.html but I am getting the error below (Unable to find 'username' assertion):


-----------------------------------------

<AttributeStatement>
<Attribute Name="NameID">
<AttributeValue>dmarchen@SVLAB.LOCAL</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>Domain Admins</AttributeValue>
<AttributeValue>Domain Users</AttributeValue>
<AttributeValue>Domain Guests</AttributeValue>
<AttributeValue>Schema Admins</AttributeValue>
<AttributeValue>Enterprise Admins</AttributeValue>
<AttributeValue>Wireless User</AttributeValue>
<AttributeValue>TrustSecGrp</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2019-10-11T13:49:22.320Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML decoder's URIComparator - [https://10.254.11.105:8445/sponsorportal/SSOLoginResponse.action] vs. [https://10.254.11.105:8445/sponsorportal/SSOLoginResponse.action]
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: statusCode:urn:oasis:names:tc:SAML:2.0:status:Success
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : NameID
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<NameID> add value=<dmarchen@SVLAB.LOCAL>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Set on IdpResponse object - attribute<NameID> value=<dmarchen@SVLAB.LOCAL>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Domain Admins>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Domain Users>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Domain Guests>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Schema Admins>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Enterprise Admins>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<Wireless User>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> add value=<TrustSecGrp>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Set on IdpResponse object - attribute<http://schemas.microsoft.com/ws/2008/06/identity/claims/role> value=<Domain Admins,Domain Users,Domain Guests,Schema Admins,Enterprise Admins,Wireless User,TrustSecGrp>
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAMLUtils::getUserNameFromAssertion: IdentityAttribute is set to Subject Name
2019-10-11 08:49:22,481 DEBUG [https-jsse-nio-10.254.11.105-8445-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: processing failed:
Unable to find 'username' assertion

-------------------------------------

Based on the documentation (https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01110.html#concept_6878301F1F7C460585A4A267ECF77723) I found this:

---------------------------------------------------

"Cisco ISE does not support SAML responses with encrypted assertions. If this is configured in the IdP, you will see the following error message in ISE: FailureReason=24803 Unable to find 'username' attribute assertion.

If the authentication fails, we recommend that you check the "DetailedInfo" attribute in the authentication log. This attribute provides additional information regarding the cause of failure."

---------------------------------------------------

But I don't know how to fix it. Please provide some guidance or documentation. The ISE 2.4 admin guide doesn't specify that it supports Microsoft ADFS, but there is a guide for it anyway.

1 Reply
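Editor's note on the trace above. The ISE log line "IdentityAttribute is set to Subject Name" says ISE is looking for the user name in the SAML Subject/NameID element, but the assertion printed in the post carries NameID only as an ordinary Attribute inside the AttributeStatement and shows no Subject element at all. The following Python is an added example, not code from the post, from Cisco or from Microsoft: it parses three constructed SAML responses (one shaped like the one in the post, one with the value in Subject/NameID, and one with an EncryptedAssertion, the cause the quoted admin guide gives for the same error) and resolves the user name the two ways a service provider can, from the Subject or from a named attribute. The response IDs, issuer URL and the "(ciphertext omitted)" placeholder are made up for the sample.

```python
"""Diagnose 'Unable to find username assertion' style failures in a SAML
Response by checking where the user name actually lives.

Added example; uses only the standard library so it runs offline.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample mirroring the post: NameID is only an Attribute and
# there is no <Subject> element in the assertion.
NAMEID_AS_ATTRIBUTE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <Assertion Version="2.0" ID="_a1">
    <Issuer>http://adfs.example.test/adfs/services/trust</Issuer>
    <AttributeStatement>
      <Attribute Name="NameID">
        <AttributeValue>dmarchen@SVLAB.LOCAL</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>Domain Users</AttributeValue>
        <AttributeValue>Wireless User</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Constructed sample where the IdP places the value in Subject/NameID,
# which is what an SP configured for "Subject Name" reads.
NAMEID_IN_SUBJECT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r2">
  <Assertion Version="2.0" ID="_a2">
    <Issuer>http://adfs.example.test/adfs/services/trust</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dmarchen@SVLAB.LOCAL</NameID>
    </Subject>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>Domain Users</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Constructed sample of the case the admin guide describes: an encrypted
# assertion, which ISE cannot read at all.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r3">
  <EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">(ciphertext omitted)</xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return a dict with the encryption flag, the Subject/NameID value (or
    None) and every AttributeStatement attribute as name -> list of values."""
    root = ET.fromstring(xml_text)
    info = {"encrypted": False, "subject_nameid": None, "attributes": {}}
    if root.find("saml:EncryptedAssertion", NS) is not None:
        info["encrypted"] = True
        return info
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return info
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.text:
        info["subject_nameid"] = nameid.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        info["attributes"][attr.get("Name")] = values
    return info


def resolve_username(info, identity_attribute="Subject Name"):
    """Mimic an SP that takes the user name from Subject/NameID when the
    identity attribute is 'Subject Name', otherwise from the attribute of
    that name. Returns (username or None, reason)."""
    if info["encrypted"]:
        return None, "assertion is encrypted; SP cannot read it"
    if identity_attribute == "Subject Name":
        if info["subject_nameid"]:
            return info["subject_nameid"], "taken from Subject/NameID"
        return None, "Unable to find 'username' assertion: no Subject/NameID present"
    values = info["attributes"].get(identity_attribute)
    if values:
        return values[0], "taken from attribute " + identity_attribute
    return None, "attribute " + identity_attribute + " not present"


if __name__ == "__main__":
    for label, sample in (("as attribute", NAMEID_AS_ATTRIBUTE),
                          ("in subject", NAMEID_IN_SUBJECT),
                          ("encrypted", ENCRYPTED_RESPONSE)):
        print(label, resolve_username(parse_response(sample)))
```

Running it shows the first sample failing exactly the way the post's trace does while the second resolves the user, and the same first sample resolves if the SP is told to use the attribute named "NameID" instead of the Subject. In ADFS terms the difference between the two layouts is whether the claim is issued with the built-in "Name ID" outgoing claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier), which ADFS writes into the SAML Subject, or with a custom outgoing claim type literally called NameID, which lands in the AttributeStatement as seen above.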

Simon Parlsjo
Level 1

Did you solve this? I'm running into the same issue on 2.7.