Jorge's Quest For Knowledge!


(2014-10-24) Enabling IdP Initiated Sign-On In ADFS

Posted by Jorge on 2014-10-24


In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page is enabled by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions

The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"


Figure 1: The IdP Initiated Sign On Page In ADFS v2.0


Figure 2: The IdP Initiated Sign On Page In ADFS v3.0


Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)

In the Event Viewer (ADFS Admin Event Log) you will see:


Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page

Encountered error during federation passive request.

Additional Data

Protocol Name:
Relying Party:

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, in ADFS v4.0 it looks as if the page is disabled by default! The exception name (IdPInitiatedSignonPageDisabledException) already gives it away, so let's check the ADFS properties….

Yep, it is disabled by default in ADFS v4.0!


Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)

# Check the current setting (default in ADFS v4.0: False)
(Get-AdfsProperties).EnableIdPInitiatedSignonPage

# Enable the IdP Initiated Sign On Page
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# Verify the change took effect (should now return True)
(Get-AdfsProperties).EnableIdPInitiatedSignonPage


Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0
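The following script is an added example and is not part of the original post. It ties together the two things shown above: it records the current EnableIdPInitiatedSignonPage value (so the default can be restored after testing, since ADFS v4.0 ships with it disabled), enables the page only when it is actually off, verifies the property, probes the IdP Initiated Sign On URL, and, if the probe fails, pulls the matching MSIS7012 / IdPInitiatedSignonPageDisabledException entries out of the ADFS Admin event log. It assumes it runs as an ADFS administrator on an ADFS v4.0 (Windows Server 2016 / Technical Preview) server with the ADFS PowerShell module available; the $FederationServiceFqdn parameter and the "AD FS/Admin" log name are assumptions for the v4.0 setup, not values taken from the post.

```powershell
# Added example (not from the original post). Assumptions: run on an ADFS v4.0
# server as an ADFS administrator; the ADFS module is loaded automatically.
param(
    # Defaults to the federation service name configured on this farm.
    [string]$FederationServiceFqdn = (Get-AdfsProperties).HostName
)

$idpPage = "https://$FederationServiceFqdn/adfs/ls/IdPInitiatedSignOn.aspx"

# 1. Record the current state so the default (disabled) can be restored later.
$before = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
Write-Host "EnableIdPInitiatedSignonPage before: $before"

# 2. Enable the page only if it is disabled (safe to run repeatedly).
if (-not $before) {
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
}

# 3. Verify the property actually changed.
$after = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
if (-not $after) {
    throw "EnableIdPInitiatedSignonPage is still False; check the ADFS Admin event log."
}
Write-Host "EnableIdPInitiatedSignonPage after:  $after"

# 4. Probe the page. With the page enabled the request succeeds; with the page
#    disabled ADFS logs MSIS7012 (IdPInitiatedSignonPageDisabledException).
try {
    $response = Invoke-WebRequest -Uri $idpPage -UseBasicParsing -UseDefaultCredentials
    Write-Host "IdP Initiated Sign On page returned HTTP $($response.StatusCode)"
} catch {
    Write-Warning "Request to $idpPage failed: $($_.Exception.Message)"

    # 5. Show the most recent matching errors from the ADFS Admin log.
    #    Log name assumed to be "AD FS/Admin" on ADFS v3.0 and later.
    Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'IdPInitiatedSignonPageDisabledException|MSIS7012' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}

# 6. To go back to the ADFS v4.0 default once testing is done, uncomment:
# Set-AdfsProperties -EnableIdPInitiatedSignonPage $before
```

Keeping the "before" value around matters because the page is off by default in v4.0: if you only needed it to test a SAML relying party, you can put the farm back the way Microsoft ships it with the last line.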


Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

2 Responses to “(2014-10-24) Enabling IdP Initiated Sign-On In ADFS”

  1. Maybe write something about which protocols support IdP Initiated Sign-On? SAML supports IdP, but WS federated SP doesn't? Unless you use RelayState. Also, ADFS v4.0, meaning Windows Server Technical Preview (10)?

    • Jorge said

      You are correct in the statements you make about IdP initiated stuff.
      With ADFS v4.0 I do mean ADFS in Windows Server 10 Technical Preview.
