Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-10-24) Enabling IdP Initiated Sign-On In ADFS

Posted by Jorge on 2014-10-24

In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page can be used by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions

The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"


Figure 1: The IdP Initiated Sign On Page In ADFS v2.0


Figure 2: The IdP Initiated Sign On Page In ADFS v3.0


Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)

In the Event Viewer (ADFS Admin Event Log) you will see:


Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, in ADFS v4.0 it looks as it by default is disabled! Checking the ADFS properties….

Yep, it is disabled by default in ADFS v4.0!


Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)


Set-AdfsProperties -EnableIdPInitiatedSignonPage $true



Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0


Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########


2 Responses to “(2014-10-24) Enabling IdP Initiated Sign-On In ADFS”

  1. Maybe write something about which protocols supports IdP Initiated Sign-On? SAML supports IdP, but WS federated SP doesn’t? Unless you use RelayState. Also, ADFS v4.0, meaning Windows Server Technical Preview (10)?

    • Jorge said

      you are correct in the statements you make about IdP initiated stuff.
      With ADFS v4.0 I do mean ADFS in Windows Server 10 Technical Preview

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: