Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘IdP-Initiated’ Category

(2014-10-24) Enabling IdP Initiated Sign-On In ADFS

Posted by Jorge on 2014-10-24


In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page can be used by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions

The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"

image

Figure 1: The IdP Initiated Sign On Page In ADFS v2.0

image

Figure 2: The IdP Initiated Sign On Page In ADFS v3.0

image

Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)

In the Event Viewer (ADFS Admin Event Log) you will see:

image

Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page

Encountered error during federation passive request.

Additional Data

Protocol Name:
 

Relying Party:
 

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, in ADFS v4.0 it looks as it by default is disabled! Checking the ADFS properties….

Yep, it is disabled by default in ADFS v4.0!

image

Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)

(Get-AdfsProperties).EnableIdPInitiatedSignonPage

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

(Get-AdfsProperties).EnableIdPInitiatedSignonPage

image

Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0

image

Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), IdP-Initiated | 2 Comments »

(2014-10-16) Enabling RelayState In ADFS Versions

Posted by Jorge on 2014-10-16


RelayState is a parameter of the SAML federation protocol that is used to identify the specific target resource the user will access after they are signed in and directed to the relying party’s federation server.

Except for ADFS v1.0 and ADFS v1.1, and starting with ADFS v2.0 (after installing RollUp 2) and higher, the RelayState parameter is supported!

Enabling RelayState In ADFS v2.0

REMARK: make sure to have RollUp 2 installed!

  • Navigate to the folder "C:\inetpub\adfs\ls"
  • Open and Edit the file "web.config"
  • Navigate to the section "<microsoft.identityServer.web>"
  • Add the the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
  • Save the file "web.config"
  • Restart the ADFS service

image

Figure 1: Enabling RelayState In ADFS v2.0

Enabling RelayState In ADFS v2.1 (ADFS In W2K12), ADFS v3.0 (ADFS In W2K12R2)

  • Navigate to the folder "C:\Windows\ADFS"
  • Open and Edit the file "Microsoft.IdentityServer.Servicehost.exe.config"
  • Navigate to the section "<microsoft.identityServer.web>"
  • Add the the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
  • Save the file "Microsoft.IdentityServer.Servicehost.exe.config"
  • Restart the ADFS service

image

Figure 2: Enabling RelayState In ADFS v2.1, ADFS v3.0

Enabling RelayState In ADFS vNext

REMARK: Only when the ADFS Farm Level is higher than Win2012R2! (also see: (2014-10-12) Migrating Or Upgrading To A New ADFS Version)

  • Open PowerShell Command Prompt Window
  • Execute: Import-Module ADFS
  • Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
  • Execute: Set-ADFSProperties -EnableRelayStateForIdpInitiatedSignOn $true
  • Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
  • Restart the ADFS service

image

Figure 3: Enabling RelayState In ADFS vNext

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), IdP-Initiated, RelayState | 3 Comments »

 
%d bloggers like this: