Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘IdP-Initiated’ Category

(2019-11-24) Do You Really Need The IdP Initiated Sign On Page Enabled?

Posted by Jorge on 2019-11-24


Did you know, that if you navigate to https://<Your Federation Service FQDN>/adfs/ls/idpinitiatedsignon.aspx, and you see a page similar to the one below, that you have enabled the IdP initiated Sign Web Page in ADFS?

image

Figure 1: IdP Initiated Sign On Web Page In ADFS – ENABLED

If not mistaken, the IdP Initiated Sign On web page is disabled by default. There is NO NEED to enabled that web page to use IdP Initiated Sign On. You only need to enabled that webpage if you really want to use the web page! Why is this difference so important? Having the web page enabled, discloses all the SAML based applications that are connected to ADFS and you nay not want to do that.

To enable or disable it, please see (2014-10-24) Enabling IdP Initiated Sign-On In ADFS

If you see te following web page….

image

Figure 2: IdP Initiated Sign On Web Page In ADFS – DISABLED

image

Figure 3: Event In The ADFS Admin Event Log Regarding The IdP Initiated Sign On Web Page In ADFS Being Used While Disabled

Encountered error during federation passive request.

Additional Data

Protocol Name:
 

Relying Party:
 

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So how can you still use IdP Initiated Sign On?

You can use the following URL for IdP initiated Sign On: https://<Your Federation Service FQDN>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=<Application Identifier>

Please be aware that the connected application MUST support IdP initiated Sign On for this to work. The identifier is an URI that may look like a URL or something else.

And here you can see IdP Initiated Sign On still works after disabling the IdP Initiated Sign On Page.

image

Figure 4: Using IdP Initiated Sign On Using The loginToRp Parameter

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Federation Services (ADFS), IdP-Initiated | Leave a Comment »

(2014-10-24) Enabling IdP Initiated Sign-On In ADFS

Posted by Jorge on 2014-10-24


In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP Initiated Sign On Page can be used by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions

The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"

image

Figure 1: The IdP Initiated Sign On Page In ADFS v2.0

image

Figure 2: The IdP Initiated Sign On Page In ADFS v3.0

image

Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)

In the Event Viewer (ADFS Admin Event Log) you will see:

image

Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page

Encountered error during federation passive request.

Additional Data

Protocol Name:
 

Relying Party:
 

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, in ADFS v4.0 it looks as it by default is disabled! Checking the ADFS properties….

Yep, it is disabled by default in ADFS v4.0!

image

Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)

(Get-AdfsProperties).EnableIdPInitiatedSignonPage

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

(Get-AdfsProperties).EnableIdPInitiatedSignonPage

image

Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0

image

Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), IdP-Initiated | 2 Comments »

(2014-10-16) Enabling RelayState In ADFS Versions

Posted by Jorge on 2014-10-16


RelayState is a parameter of the SAML federation protocol that is used to identify the specific target resource the user will access after they are signed in and directed to the relying party’s federation server.

Except for ADFS v1.0 and ADFS v1.1, and starting with ADFS v2.0 (after installing RollUp 2) and higher, the RelayState parameter is supported!

Enabling RelayState In ADFS v2.0

REMARK: make sure to have RollUp 2 installed!

  • Navigate to the folder "C:\inetpub\adfs\ls"
  • Open and Edit the file "web.config"
  • Navigate to the section "<microsoft.identityServer.web>"
  • Add the the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
  • Save the file "web.config"
  • Restart the ADFS service

image

Figure 1: Enabling RelayState In ADFS v2.0

Enabling RelayState In ADFS v2.1 (ADFS In W2K12), ADFS v3.0 (ADFS In W2K12R2)

  • Navigate to the folder "C:\Windows\ADFS"
  • Open and Edit the file "Microsoft.IdentityServer.Servicehost.exe.config"
  • Navigate to the section "<microsoft.identityServer.web>"
  • Add the the line/entry: <useRelayStateForIdpInitiatedSignOn enabled="true" />
  • Save the file "Microsoft.IdentityServer.Servicehost.exe.config"
  • Restart the ADFS service

image

Figure 2: Enabling RelayState In ADFS v2.1, ADFS v3.0

Enabling RelayState In ADFS vNext

REMARK: Only when the ADFS Farm Level is higher than Win2012R2! (also see: (2014-10-12) Migrating Or Upgrading To A New ADFS Version)

  • Open PowerShell Command Prompt Window
  • Execute: Import-Module ADFS
  • Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
  • Execute: Set-ADFSProperties -EnableRelayStateForIdpInitiatedSignOn $true
  • Execute: (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
  • Restart the ADFS service

image

Figure 3: Enabling RelayState In ADFS vNext

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), IdP-Initiated, RelayState | 5 Comments »

 
%d bloggers like this: