(2014-10-16) Enabling RelayState In ADFS Versions
Posted by Jorge on 2014-10-16
RelayState is a parameter of the SAML protocol that identifies the specific target resource the user should be sent to after they sign in and are redirected to the relying party. It is carried alongside, not inside, the signed SAML message, so the relying party has to validate the value it receives before redirecting to it.
ADFS v1.0 and ADFS v1.1 do not support RelayState. Support starts with ADFS v2.0 (once Rollup 2 is installed) and is present in every later version, but in each version it is switched off by default and has to be enabled as described below.
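The PowerShell below is an added example and is not part of the original post. It builds an ADFS IdP-initiated sign-on URL that carries RelayState and parses it back again. ADFS reads the outer RelayState query value as "RPID=<relying party identifier>&RelayState=<target inside the relying party>", with each inner value URL-encoded and the joined string URL-encoded once more; getting that double encoding wrong is the usual reason RelayState "does not work". The host name, relying party identifier and target path are constructed values, and Test-RelayStateTarget is one way a relying party could validate the target before redirecting (it is not an ADFS feature).

```powershell
# Added example, not from the original post. Builds and inspects an ADFS
# IdP-initiated sign-on URL carrying RelayState, and validates the target.
# Host name, relying party identifier and target path are constructed values.

function ConvertFrom-QueryString {
    # Minimal query-string parser: returns a hashtable of decoded key/value pairs.
    param([Parameter(Mandatory)][string]$Query)
    $table = @{}
    foreach ($pair in ($Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $kv = $pair -split '=', 2
        $key = [uri]::UnescapeDataString($kv[0])
        $table[$key] = if ($kv.Count -gt 1) { [uri]::UnescapeDataString($kv[1]) } else { '' }
    }
    return $table
}

function New-AdfsIdpInitiatedUrl {
    # ADFS reads the outer RelayState as "RPID=<rp id>&RelayState=<target>",
    # so the inner values are encoded once and the joined string encoded again.
    param(
        [Parameter(Mandatory)][string]$AdfsHost,
        [Parameter(Mandatory)][string]$RelyingPartyId,
        [Parameter(Mandatory)][string]$TargetRelayState
    )
    $inner = 'RPID=' + [uri]::EscapeDataString($RelyingPartyId) +
             '&RelayState=' + [uri]::EscapeDataString($TargetRelayState)
    $outer = [uri]::EscapeDataString($inner)
    return "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=$outer"
}

function Read-AdfsRelayState {
    # Undo both encoding layers so the RPID and inner RelayState can be checked.
    param([Parameter(Mandatory)][string]$Url)
    $outer = ConvertFrom-QueryString -Query ([uri]$Url).Query
    $inner = ConvertFrom-QueryString -Query $outer['RelayState']
    [pscustomobject]@{ RPID = $inner['RPID']; RelayState = $inner['RelayState'] }
}

function Test-RelayStateTarget {
    # RelayState is not covered by the SAML signature, so the relying party must
    # validate it before redirecting. Accept a relative path (but not a
    # protocol-relative "//host" or "/\host") or an https URL on an allowed host.
    param(
        [Parameter(Mandatory)][string]$RelayState,
        [string[]]$AllowedHosts = @()
    )
    if ($RelayState -match '^/(?![/\\])') { return $true }
    $parsed = $null
    if ([uri]::TryCreate($RelayState, [System.UriKind]::Absolute, [ref]$parsed)) {
        return ($parsed.Scheme -eq 'https' -and $AllowedHosts -contains $parsed.Host)
    }
    return $false
}

# Constructed sample values
$url = New-AdfsIdpInitiatedUrl -AdfsHost 'sts.contoso.example' `
    -RelyingPartyId 'https://app.contoso.example/' `
    -TargetRelayState '/reports/q3?view=summary'
$url
$state = Read-AdfsRelayState -Url $url
$state
Test-RelayStateTarget -RelayState $state.RelayState -AllowedHosts 'app.contoso.example'
Test-RelayStateTarget -RelayState 'https://evil.example/phish' -AllowedHosts 'app.contoso.example'
```

Read-AdfsRelayState recovers the original RPID and target from the double-encoded URL, which is a quick way to check a URL you have been handed. The last two calls show the validation accepting the relative target and rejecting an absolute URL to a host that is not on the allow list; without such a check an attacker can use an IdP-initiated link as an open redirect that starts on your trusted sign-on page.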
–
Enabling RelayState In ADFS v2.0
REMARK: make sure to have RollUp 2 installed!
- Navigate to the folder "C:\inetpub\adfs\ls"
- Open and Edit the file "web.config"
- Navigate to the section "<microsoft.identityServer.web>"
- Add the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
- Save the file "web.config"
- Restart the ADFS service
Figure 1: Enabling RelayState In ADFS v2.0
–
Enabling RelayState In ADFS v2.1 (ADFS In W2K12), ADFS v3.0 (ADFS In W2K12R2)
- Navigate to the folder "C:\Windows\ADFS"
- Open and Edit the file "Microsoft.IdentityServer.Servicehost.exe.config"
- Navigate to the section "<microsoft.identityServer.web>"
- Add the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
- Save the file "Microsoft.IdentityServer.Servicehost.exe.config"
- Restart the ADFS service
Figure 2: Enabling RelayState In ADFS v2.1, ADFS v3.0
–
Enabling RelayState In ADFS vNext
REMARK: Only once the ADFS farm level has been raised above the Windows Server 2012 R2 level! (also see: (2014-10-12) Migrating Or Upgrading To A New ADFS Version)
- Open PowerShell Command Prompt Window
- Execute: Import-Module ADFS
- Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
- Execute: Set-ADFSProperties -EnableRelayStateForIdpInitiatedSignOn $true
- Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
- Restart the ADFS service
Figure 3: Enabling RelayState In ADFS vNext
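The function below is an added example, not part of the original post, that applies the three procedures above (ADFS v2.0, ADFS v2.1/v3.0 and ADFS vNext) from one place, choosing the method for the version it finds on the server. It assumes the configuration file paths listed in the procedures, the ADFS Windows service name adfssrv, and that ADFS vNext can be recognised by Set-AdfsProperties exposing the -EnableRelayStateForIdpInitiatedSignOn parameter; it is meant to run in an elevated Windows PowerShell session on the ADFS server.

```powershell
# Added example, not from the original post: applies the right procedure for the
# ADFS version found on the server. Assumptions: the config file paths are those
# listed in the post, the service name is adfssrv, and ADFS vNext is recognised
# by Set-AdfsProperties having the -EnableRelayStateForIdpInitiatedSignOn parameter.

function Enable-AdfsRelayState {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # ADFS vNext keeps the setting in the configuration database and exposes it
    # through Set-AdfsProperties; on older versions the parameter does not exist.
    Import-Module ADFS -ErrorAction SilentlyContinue
    $setProps = Get-Command Set-AdfsProperties -ErrorAction SilentlyContinue
    if ($setProps -and $setProps.Parameters.ContainsKey('EnableRelayStateForIdpInitiatedSignOn')) {
        if ((Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled) {
            Write-Verbose 'RelayState is already enabled; nothing to do.'
            return
        }
        if ($PSCmdlet.ShouldProcess('ADFS properties', 'Enable RelayState for IdP-initiated sign-on')) {
            Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
            Restart-Service -Name adfssrv
            # Read the value back so the caller sees the post-change state.
            (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
        }
        return
    }

    # ADFS v2.1/v3.0 use the service host config; ADFS v2.0 uses the IIS web.config.
    $configPath = 'C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
    if (-not (Test-Path $configPath)) { $configPath = 'C:\inetpub\adfs\ls\web.config' }
    if (-not (Test-Path $configPath)) { throw "No ADFS configuration file found at $configPath" }

    # Load with whitespace preserved so the rest of the file is written back unchanged.
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true
    $config.Load($configPath)
    $section = $config.SelectSingleNode('/configuration/microsoft.identityServer.web')
    if (-not $section) { throw "<microsoft.identityServer.web> section not found in $configPath" }

    # Idempotent: reuse an existing entry rather than appending a duplicate.
    $entry = $section.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
    if ($entry -and $entry.GetAttribute('enabled') -eq 'true') {
        Write-Verbose "RelayState is already enabled in $configPath; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($configPath, 'Add <useRelayStateForIdpInitiatedSignOn enabled="true" />')) {
        # Keep a timestamped backup of the file before touching it.
        Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
        if (-not $entry) {
            $entry = $config.CreateElement('useRelayStateForIdpInitiatedSignOn')
            $null = $section.AppendChild($entry)
        }
        $entry.SetAttribute('enabled', 'true')
        $config.Save($configPath)
        Restart-Service -Name adfssrv
    }
}

# Preview the change first, then apply it:
Enable-AdfsRelayState -WhatIf
Enable-AdfsRelayState -Verbose
```

The -WhatIf run reports which file (or the configuration database) would be changed without touching anything, which is worth doing on a farm where the configuration files are replicated by other tooling. Restarting adfssrv is taken from the procedures above; on ADFS v2.0, where the sign-on pages run under IIS, recycle the ADFS application pool as well if the new setting is not picked up.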
–
More information:
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Techsnapshots said
why this is not enabled by default ? 🙂
Jorge said
I really have no idea. It could be considered a feature that you need to enable specifically if you really need it, instead of having it enabled and not using it.
(2014-10-24) Enabling IdP Initiated Sign-On In ADFS « Jorge's Quest For Knowledge! said
[…] In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page can be used by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions […]
sayliu said
Does Office 365 SAML 2.0 support RelayState?
Jorge said
“Relay State” appears to be supported by Azure AD.
From the single sign-on node of an app:
Optionally, a SAML RelayState parameter can be provided. The RelayState instructs the application where to redirect users after authentication is completed, and the value is typically a URL or URL path that takes users to a specific location within the application