Reputation: 3360
We have a claims-aware .NET application. We have two clients with their own Active Directories who want to access the app. One client uses ADFS, which is set up as a Claims Provider in our ADFS. Their access works like a charm.

Now, the second client doesn't use ADFS. They want to do an unsolicited POST to our ADFS with a SAML token that they will compose. We set them up as another Claims Provider. They POST their SAML to https://ouradfsserver/adfs/ls/IdPInitiatedSignon.aspx. We're at the point where the server says "You're logged in" and asks them to select an application from a drop-down (there is only one). When they do, ADFS attempts to redirect to the Identity Provider again to identify the user, which is not possible, because there is no endpoint available to query.

Has anybody seen this issue or had experience with this type of arrangement? As I see it, either ADFS doesn't parse the SAML token properly and create a security context for the application, or it doesn't know how to properly redirect to the app. Any pointers would be really appreciated!
Upvotes: 0
Views: 2233
Reputation: 3145
You need to enable the RelayState in order to pass the authentication context while using IDP initiated SSO in ADFS.
Please refer to the below link for understanding RelayState:
https://technet.microsoft.com/en-us/library/jj127245%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
And refer to this post for instructions to enable relay state:
https://jorgequestforknowledge.wordpress.com/2014/10/16/enabling-relaystate-in-adfs-versions/ (for all ADFS versions)
Did you notice any errors in the event log? Have a look at this article for further details: https://jorgequestforknowledge.wordpress.com/2014/10/24/enabling-idp-initiated-sign-on-in-adfs/
Upvotes: 3
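The part that trips most people up once RelayState is switched on is the encoding of the parameter itself. For IdP-initiated sign-on ADFS expects a RelayState whose decoded form is `RPID=<relying party identifier>&RelayState=<target URL>`, with each value URL-encoded individually and the whole string URL-encoded once more when it is placed on the query string (or in the RelayState form field of the SAML POST). The following is an added example, not code from the original question or answer, that builds and decodes such a value for the sign-on page in the question. The relying party identifier and the deep link are hypothetical; the host-match check at the end is this example's own sanity check, not a claim about what ADFS itself enforces.

```python
from urllib.parse import quote, unquote, parse_qsl, urlsplit

# ADFS host taken from the question; the RP identifier and deep link below
# are constructed for this example and are not from the original post.
ADFS_HOST = "ouradfsserver"
RP_ID = "https://claimsapp.example.com/"
TARGET = "https://claimsapp.example.com/orders?id=42&view=full"


def encode_relay_state(rp_id, target=None):
    """Return the double-encoded RelayState value ADFS expects.

    Inner string:  RPID=<enc rp_id>&RelayState=<enc target>
    Outer step:    the whole inner string URL-encoded again, so the
                   '=' and '&' that separate the inner fields survive
                   the query-string parsing done by ADFS.
    """
    inner = "RPID=" + quote(rp_id, safe="")
    if target is not None:
        inner += "&RelayState=" + quote(target, safe="")
    return quote(inner, safe="")


def signon_url(rp_id, target=None, host=ADFS_HOST):
    """Full IdP-initiated sign-on URL that lands on the RP (and deep link)."""
    return (f"https://{host}/adfs/ls/IdPInitiatedSignon.aspx"
            f"?RelayState={encode_relay_state(rp_id, target)}")


def decode_relay_state(value):
    """Reverse the double encoding. Returns (rp_id, target_or_None).

    Raises ValueError when the value is malformed or RPID is missing,
    which is the usual reason ADFS falls back to the application picker.
    """
    inner = unquote(value)                       # undo the outer encoding
    # parse_qsl splits on the inner '&' and undoes the per-value encoding
    pairs = parse_qsl(inner, keep_blank_values=True, strict_parsing=True)
    fields = {}
    for key, val in pairs:
        if key in fields:
            raise ValueError(f"duplicate field in RelayState: {key}")
        fields[key] = val
    if "RPID" not in fields or not fields["RPID"]:
        raise ValueError("RelayState has no RPID; ADFS cannot pick the RP")
    return fields["RPID"], fields.get("RelayState")


def target_matches_rp(rp_id, target):
    """Example-side check: only allow deep links on the RP's own origin.

    This guards the redirect target against being pointed at an unrelated
    host. It is a policy of this example, not something the ADFS docs promise.
    """
    if target is None:
        return True
    rp, tg = urlsplit(rp_id), urlsplit(target)
    return (rp.scheme, rp.netloc.lower()) == (tg.scheme, tg.netloc.lower())


if __name__ == "__main__":
    url = signon_url(RP_ID, TARGET)
    print(url)
    rp, tgt = decode_relay_state(url.split("RelayState=", 1)[1])
    print("RPID      :", rp)
    print("deep link :", tgt)
    print("same origin:", target_matches_rp(rp, tgt))
```

Whichever side composes the SAML POST, the value produced by `encode_relay_state` is what goes into the `RelayState` field (or query parameter) alongside the SAMLResponse; if ADFS receives no RPID it has no way to know which relying party the session is for, which is consistent with being shown the application drop-down and then bounced back to the claims provider.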