(2019-11-24) Do You Really Need The IdP Initiated Sign On Page Enabled?
Posted by Jorge on 2019-11-24
Did you know, that if you navigate to https://<Your Federation Service FQDN>/adfs/ls/idpinitiatedsignon.aspx, and you see a page similar to the one below, that you have enabled the IdP initiated Sign Web Page in ADFS?
Figure 1: IdP Initiated Sign On Web Page In ADFS – ENABLED
–
If not mistaken, the IdP Initiated Sign On web page is disabled by default. There is NO NEED to enabled that web page to use IdP Initiated Sign On. You only need to enabled that webpage if you really want to use the web page! Why is this difference so important? Having the web page enabled, discloses all the SAML based applications that are connected to ADFS and you nay not want to do that.
To enable or disable it, please see (2014-10-24) Enabling IdP Initiated Sign-On In ADFS
–
If you see te following web page….
Figure 2: IdP Initiated Sign On Web Page In ADFS – DISABLED
–
–
Figure 3: Event In The ADFS Admin Event Log Regarding The IdP Initiated Sign On Web Page In ADFS Being Used While Disabled
–
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
–
So how can you still use IdP Initiated Sign On?
You can use the following URL for IdP initiated Sign On: https://<Your Federation Service FQDN>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=<Application Identifier>
Please be aware that the connected application MUST support IdP initiated Sign On for this to work. The identifier is an URI that may look like a URL or something else.
–
And here you can see IdP Initiated Sign On still works after disabling the IdP Initiated Sign On Page.
Figure 4: Using IdP Initiated Sign On Using The loginToRp Parameter
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-
Jorge's Quest For Knowledge! 
Leave a Reply