ADFS 2.0 providing an IdP-Initiated SSO for a SAML 2.0 Application

  • Question

  • Hi,

      I have configured ADFS 2.0 to work with an application vendor that only accepts IdP-Initiated SSO using SAML 2.0; they do not send a SAMLRequest.

      When the user goes to the Application page...

    1. they are redirected to https://adfs-server/adfs/ls/IdpInitiatedSignOn.aspx?SAMLRequest=&RelayState=application-url
    2. first thing is they have to choose the application (how can I stop this from happening, and direct them directly to the login screen)
    3. once logged in, they are redirected correctly to the application page and are logged in to the application
    4. After closing the IE session and going again to the same application page, steps 1 - 3 are repeated (how can I get SSO to work so they don't need to log in again).

      The application vendor says they do not provide a SAMLRequest to start and expects the ADFS server to do the IdP-initiated login directly, so ADFS is supposed to understand the SSO cookie and log the user in directly.


    Hany Elkady

    Infrastructure Consultant

    Friday, April 12, 2013 6:11 AM


All replies

  • You can find information on IdP-initiated sign-on using relaystate in the link below

    http://blog.auth360.net/2012/12/16/saml-2-0-idp-initiated-sign-on-with-relaystate-in-adfs-2-0/

    While I use the examples of a third-party IdP, the concepts still apply to AD FS in an IdP role. There's a RelayState generator on CodePlex to help you build the appropriate encodings.

    https://adfsrelaystate.codeplex.com

    Regards,

    Mylo 

    • Marked as answer by Pheroah Monday, May 6, 2013 3:40 AM
    Friday, April 12, 2013 11:31 AM
  • Hi Mylo, thanks for your response. I tried the suggestion in the blog (adding <useRelayStateForIdpInitiatedSignOn enabled=”true” />) to the web.config file; but as soon as I did an iisreset and tried to access the page again, all I get is an internal error 500 .. and no log in the ADFS event log :(

    Hany Elkady

    Infrastructure Consultant

    Saturday, April 13, 2013 11:22 AM
  • Hi Hany,

    Have you loaded Rollup 2 (RU2) on the AD FS Proxy and Farm nodes?

    Regards,

    Mylo

    Saturday, April 13, 2013 12:45 PM
  • Yes, I had, and I just tried with RU3 which was mentioned on the site and I got the exact same result.

    I don't know if this would be relevant .. but I have an ADFS 2.0 proxy on the edge network, and the ADFS 2.0 server in my internal network connected to the domain. The application is external on the web; and the authentication works perfectly fine, it is just the matter of retaining the authentication for future sessions.

    I have talked with the application vendor who say they have nothing to do with the SSO and they process whatever claim they get from the ADFS server since they do not initiate the IdP and are not acting as a SP.


    Hany Elkady

    Infrastructure Consultant

    Saturday, April 13, 2013 1:04 PM
  • Hany,

    You'll need to restart the AD FS services on all nodes as well.

    Regards,

    Mylo

    Saturday, April 13, 2013 9:38 PM
  • I have done that, even rebooted the server. Do I need to change anything else in the ADFS config or in the web.config file ?

    Hany Elkady

    Infrastructure Consultant

    Saturday, April 13, 2013 10:54 PM
  • Hi Hany,

    Did you enable it in the web.config on the back-end AD FS farm as well?

    Regards,

    Mylo

    Sunday, April 14, 2013 6:47 PM
  • I only enabled it on the Backend; do I need to do this on the proxy as well ? I thought the proxy only sent requests across and had no part in the actual processing of the request

    Hany Elkady

    Infrastructure Consultant

    Sunday, April 14, 2013 10:06 PM
  • Hi Mylo ... a quick update ... solved the 500 issue (I was copy/pasting from the forum which changed the quotes from the standard " to the fancy word style quotes which XML doesn't like).

    Now I am back to square one; still, that did not fix the issue. The user still has to log in every time they open the page .. the SSO only works if IE has not been completely closed and reopened again.

    Any ideas ?


    Hany Elkady

    Infrastructure Consultant

    Sunday, April 14, 2013 11:09 PM
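The 500 Hany traced back to copy/pasted quotes is an XML well-formedness failure rather than an AD FS one: attribute values must be delimited by the ASCII characters " or ', and the typographic U+201C/U+201D quotes a web page or Word document hands you are just invalid tokens to the parser. The Python below is an added example, not code from the thread or from Microsoft. It builds a constructed web.config fragment with the useRelayStateForIdpInitiatedSignOn element under microsoft.identityServer.web (the location AD FS 2.0 RU2 uses for this setting), shows that the smart-quoted copy fails to parse, reports the offending characters by line and column, and normalises them before confirming the setting reads as enabled.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for this example; not copied from any real server.
# The first uses the straight ASCII quotes XML requires. The second is what a
# copy/paste from a web page or Word document produces: U+201C / U+201D quotes.
GOOD_FRAGMENT = """<configuration>
  <microsoft.identityServer.web>
    <useRelayStateForIdpInitiatedSignOn enabled="true" />
  </microsoft.identityServer.web>
</configuration>
"""

BAD_FRAGMENT = GOOD_FRAGMENT.replace('enabled="true"', "enabled=\u201ctrue\u201d")

# Typographic quotes that commonly sneak into config files, mapped to the ASCII
# character the author almost certainly meant.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def find_smart_quotes(text):
    """Return (line, column, char) for every typographic quote in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                hits.append((lineno, col, ch))
    return hits


def fix_smart_quotes(text):
    """Replace typographic quotes with their ASCII equivalents."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def parses_as_xml(text):
    """True if the fragment is well-formed XML; smart quotes make this False."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def relay_state_enabled(text):
    """True if the fragment enables RelayState for IdP-initiated sign-on."""
    root = ET.fromstring(text)
    el = root.find("./microsoft.identityServer.web/useRelayStateForIdpInitiatedSignOn")
    return el is not None and el.get("enabled", "").lower() == "true"


if __name__ == "__main__":
    print("good fragment parses:", parses_as_xml(GOOD_FRAGMENT))
    print("bad fragment parses: ", parses_as_xml(BAD_FRAGMENT))
    for lineno, col, ch in find_smart_quotes(BAD_FRAGMENT):
        print(f"  line {lineno}, column {col}: U+{ord(ch):04X}")
    repaired = fix_smart_quotes(BAD_FRAGMENT)
    print("repaired fragment enables RelayState:", relay_state_enabled(repaired))
```

Run the same scan over the real C:\inetpub\adfs\ls\web.config before restarting IIS or the AD FS service; a parser failure there produces exactly the bare 500 with nothing in the AD FS event log that Hany saw, because the request dies before AD FS code runs.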
  • Hi Pheroah,

    1. Is the ADFS proxy involved in the testcase you described?

    2. Is the testcase driven from a domain logon onto the testmachine in the same domain as the ADFS farm?


    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Monday, April 15, 2013 7:36 AM
  • Hi Robin, yes and yes. The scenario is: third party app --> Internet --> ADFS Proxy --> ADFS Server. I have tested from domain-joined and non-joined, internet-connected and internal; all have the same effect: SSO does not happen. I have also debugged the traffic and can see the browser sending the cookie to the ADFS server; somehow the server still asks the user to login :(

    Hany Elkady

    Infrastructure Consultant

    Monday, April 15, 2013 7:52 AM
  • If you remove the ADFS proxy in the internal scenario you should receive SSO based on Windows Integrated Authentication. To test this you could change the hosts file on the test machine to point directly to your ADFS server instead of the ADFS proxy.

    A lot of customers use a split-DNS setup for such scenarios: internally the sts.yourcompany.com URL points directly to the ADFS servers for Windows Integrated SSO, and from the internet sts.yourcompany.com points to the ADFS proxy server for form-based authentication.


    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Monday, April 15, 2013 9:04 AM
  • I will test this when I am inside the network. But how do I fix it for external connected machines?

    Hany Elkady

    Infrastructure Consultant

    Monday, April 15, 2013 11:41 AM
  • Hmm, no, closing the browser kills the ADFS auth cookies, so you should re-log again if you want to access your application again. The only option to go around this is letting the external clients create a VPN session.

    From the internal aspect the same thing happens, but if you configure ADFS & split DNS correctly it silently logs in with Windows Integrated Auth (don't forget to put the ADFS URL in the trusted intranet zone and enable Integrated Authentication in the IE settings!) without requiring user interaction (SSO).


    Find me on linkedin: http://nl.linkedin.com/in/tranet


    • Edited by Robin Gaal Monday, April 15, 2013 2:04 PM
    • Marked as answer by Pheroah Monday, May 6, 2013 3:39 AM
    Monday, April 15, 2013 2:03 PM
  • Hi, some more feedback ... I have checked the DNS configuration, and have added the ADFS link to the "Local Intranet" list but still getting no SSO to work :(

    Another strange thing is every few weeks the ADFS service suddenly decides to shutdown with no intervention; all I get is an event ID 103 (ADFS Service Shutdown successfully)

    Any ideas ? Anyone ???


    Hany Elkady

    Infrastructure Consultant

    Wednesday, April 24, 2013 12:07 AM
  • Hi Hany,

    You'll always have to login via the AD FS proxy from a non-domain joined machine, but domain-joined PCs should be able to logon silently using their Windows logon ticket. If we omit the relying party from the request and you simply call idpinitiatedsignon.aspx from a domain-joined PC, e.g. https://foo.mydomain.com/adfs/ls/idpinitiatedsignon.aspx and elect to sign-on, do you still get the prompt?

    Also, are you using IE or another browser?

    Regards,

    Mylo

    Thursday, April 25, 2013 9:51 PM
  • I am running all tests from domain joined machines; just internal network and external network connections.

    I am using IE although I have tried Firefox too. And all settings are correct on IE.

    I have tried as suggested above to change the redirect URL to the one given by https://adfsrelaystate.codeplex.com

    This has taken the user directly to the login page and bypassed the choice of the relaystate. However, this has caused another issue; when the user now logs in, they are taken to an incorrect URL.

    The strange thing is, when I use the URL that was directly given by the software, it works. But, when I use it in the application, the URL returned after successful login has an extra ,RelayName added to it which causes a 404 error.

    i.e. if I use the URL directly I am sent back to https://app.thirdparty.com/test ; however if I started from the application URL and got redirected to adfs; on the way back the user is sent back to https://app.thirdparty.com/test,/test/default.aspx


    Hany Elkady

    Infrastructure Consultant

    Thursday, April 25, 2013 11:19 PM
  • Can you do a SAML trace of the logon process using an example that works (directly given by the software) and one that does not with the extra naming? You can use SAML Tracer (Firefox) to do the debugging ...  please post your results back

    Regards,

    Mylo

    Friday, April 26, 2013 6:30 PM
  • Hi Mylo ... a quick update ... solved the 500 issue (I was copy/pasting from the forum which changed the quotes from the standard " to the fancy word style quotes which XML doesn't like).

    ~snip~

    Hany Elkady

    Infrastructure Consultant

    A very BIG THANK YOU for posting your solution to server error 500!

    This was driving me crazy. It's obvious looking at the quotes now and seeing how different they are when you copy and paste but was easily missed too.

    I changed them to standard quotes and now my IDP SSO with relaystate works perfectly.

    Thank you again

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.

    Tuesday, June 11, 2013 10:06 AM
  • Hi Piley,

    Glad to hear it's working for you!

    Regards,

    Mylo

    Tuesday, June 11, 2013 10:55 AM
  • Hany,

    I had a similar issue and did not want the user to have a double prompt for authentication. I'm utilizing ADFS 3.0, but the process is the same. Of course I also have multiple domains to authenticate from, thus I use the Home Realm Discovery page via Win Server 2012 R2 and the Web Application Proxy (WAP). But again the process is straightforward and easy to resolve.

    Within your Relying Party Trust you should have an identifier for the endpoint or the Assertion Consumer Service such as https://foobar.domain.com/samlsps/acs; this will be within your Relying Party Trust under the Identifiers tab. What I utilized to get rid of the IdpInitiatedSignOn.aspx page asking you to select the SAML application from the drop-down is to add your identifier from your Relying Party Trust.

    Keep in mind you only want RelayState in the URL if the IDP has activated the RelayState, either way you should be able to control this within your SAML application for the IdpInitiatedSignOn pointer to your SingleSignOn URL, either within the config, SAML settings on the Client, such as your web.config file.

    Thus all you do is add loginToRp to your ADFS IdpInitiatedSignOn URL such as:

    https://adfs-server/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://foobar.domain.com/samlsps/acs

    If you are using pre-authentication through the HRD page or ADS as the login interface, you append the Assertion Consumer Service endpoint to your IdpInitiatedSignOn for ADFS as I did above; again, it is the SAML Assertion Consumer Service URL for your client application that does not support SP-initiated sign-on, only an IdpInitiatedSignOn to generate the SAML Request Token and Response.

    Regards

    Nasakoder

    Michael Scott Bass MNCM, MISM, MCAP
    Senior Cloud Infrastructure Engineer/Lead
    Kennedy Space Center | NASA

    Thursday, May 12, 2016 12:02 AM
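Two ways of naming the relying party on the IdpInitiatedSignOn.aspx URL come up in this thread: the loginToRp parameter Nasakoder describes, and the RelayState encoding from the blog post and CodePlex generator Mylo pointed at. The Python below is an added example, not code from the thread, from Microsoft, or from the CodePlex tool. It builds both URL forms and, because the RelayState form is URL-encoded twice (each inner value once, then the whole RPID=...&RelayState=... string again), it also decodes such a URL back to its parts. That decoder is what you want when comparing a URL that works against one that does not, as Mylo suggested doing with a SAML trace. The host, relying-party identifier and target URL are hypothetical placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical values for this example only; substitute your own.
ADFS_HOST = "adfs.example.com"
RP_ID = "https://app.example.com/samlsps/acs"   # identifier from the RP trust's Identifiers tab
TARGET = "https://app.example.com/test"          # page the SP should open after the SAML POST


def idp_initiated_base(adfs_host):
    """The AD FS IdP-initiated sign-on page for a given federation service host."""
    return f"https://{adfs_host}/adfs/ls/IdpInitiatedSignOn.aspx"


def login_to_rp_url(adfs_host, rp_identifier):
    """loginToRp form: names the relying party directly so the picker is skipped."""
    return idp_initiated_base(adfs_host) + "?loginToRp=" + quote(rp_identifier, safe="")


def relay_state_url(adfs_host, rp_identifier, target_url):
    """RelayState form (AD FS 2.0 RU2+ with useRelayStateForIdpInitiatedSignOn enabled).

    RPID carries the relying-party identifier and RelayState the URL the SP should
    land on. Each value is URL-encoded, the pair is joined as a query string, and
    that string is URL-encoded once more as the value of the outer RelayState.
    """
    inner = ("RPID=" + quote(rp_identifier, safe="")
             + "&RelayState=" + quote(target_url, safe=""))
    return idp_initiated_base(adfs_host) + "?RelayState=" + quote(inner, safe="")


def decode_relay_state(url):
    """Undo the double encoding and return {'RPID': ..., 'RelayState': ...}.

    parse_qs decodes one level each time it is applied, so applying it to the
    outer query and then to the extracted RelayState value recovers the plain
    strings. strict_parsing makes a malformed inner string raise instead of
    silently yielding partial results.
    """
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)["RelayState"][0]
    inner = parse_qs(outer, strict_parsing=True)
    return {k: v[0] for k, v in inner.items()}


if __name__ == "__main__":
    print(login_to_rp_url(ADFS_HOST, RP_ID))
    url = relay_state_url(ADFS_HOST, RP_ID, TARGET)
    print(url)
    print(decode_relay_state(url))
```

A useful sanity check when a vendor supplies a RelayState URL: decode it and confirm that RPID matches the identifier in your relying party trust exactly (scheme, host and trailing slash included), and that the RelayState value is a single clean URL. If the decoded RelayState is not the page you expect, the problem is in how the link was built, not in AD FS.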