(2014-10-24) Enabling IdP Initiated Sign-On In ADFS
Posted by Jorge on 2014-10-24
In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page can be used by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions
The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"
–
Figure 1: The IdP Initiated Sign On Page In ADFS v2.0
–
Figure 2: The IdP Initiated Sign On Page In ADFS v3.0
–
Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)
–
In the Event Viewer (ADFS Admin Event Log) you will see:
Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page
–
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
–
So, in ADFS v4.0 it looks as it by default is disabled! Checking the ADFS properties….
Yep, it is disabled by default in ADFS v4.0!
Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)
–
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0
–
Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Roy Apalnes said
Maybe write something about which protocols supports IdP Initiated Sign-On? SAML supports IdP, but WS federated SP doesn’t? Unless you use RelayState. Also, ADFS v4.0, meaning Windows Server Technical Preview (10)?
LikeLike
Jorge said
you are correct in the statements you make about IdP initiated stuff.
With ADFS v4.0 I do mean ADFS in Windows Server 10 Technical Preview
LikeLike