Is there information on configuring IDP initiated SSO on ADFS 3.0?

  • Question

  • Hi,

    I have Windows 2012 R2 -- ADFS 3.0 installed. I was wondering if there is any documentation concerning configuring IDP initiated SSO.

    For ADFS 2.0, changing the web.config file after applying ADFS Rollup 2 is discussed at the link below:

    http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

    But ADFS 3.0 no longer installs IIS. So do I just need to make the changes at the login page?

    Thanks,

    Mark

    Thursday, October 9, 2014 7:39 PM

Answers

  • Like in ADFS v2, you need to enable RelayState in ADFS v3. The config for ADFS v3 is exactly the same as in ADFS v2 and also in the same file. However, the file is in a different location. See below...

    AD FS in Windows Server 2012 R2 includes a %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config file. Create an element with the same syntax as the web.config file element: <useRelayStateForIdpInitiatedSignOn enabled="true" />. Include this element as part of the <microsoft.identityserver.web> section of the Microsoft.IdentityServer.Servicehost.exe.config file.


    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    • Marked as answer by marknguy Thursday, October 9, 2014 11:21 PM
    Thursday, October 9, 2014 9:05 PM

All replies

  • Thanks Jorge!
    Thursday, October 9, 2014 11:22 PM
  • Hi Jorge,

    I made the changes that you outlined in my Windows Server 2012 R2 with ADFS 3.0 setup. However, I tried an IDP initiated login and it did not work. I restarted the "Active Directory Federation Services" service and tried again, but it still fails. Lastly, I rebooted the server and tried once again, but I still do not see the RelayState parameter being appended when I attempt to use IDP initiated login.

    Using SP initiated login works perfectly fine every time, so I know that ADFS is able to auth my user and that communication with the relying party is good.

    I found the RelayState URL generator, but out of all the resources I have looked up online none of them tell me where to add this URL. Do I need to install the IIS rewrite URL module and manually rewrite it to contain the RelayState parameter?

    Friday, January 22, 2016 10:46 PM
  • @Jorge has a good post:

    Enabling RelayState In ADFS Versions.

    All you need to do is add the line to the web.config and restart the ADFS service.

    The parameters are described here:

    ADFS : SAML redirect to application via relayState and loginToRp.

    Sunday, January 24, 2016 6:02 PM
  • Thank you for the prompt reply, Jorge!

    I know I am very close to getting things working, but as it stands I still cannot get IDP initiated sign on to work when selecting the application from the /adfs/ls/idpinitiatedsignon.htm page.

    Here is what I have done so far:

    1. Added <useRelayStateForIdpInitiatedSignOn enabled="true" /> to the Microsoft.IdentityServer.Servicehost.exe.config file.
    2. Restarted the ADFS service.
    3. Added a Relying Party Trust by importing an .xml file containing the RP's metadata.
    4. Set up two claims rules. One sends email from LDAP attribute and the other transforms the incoming email claim into Name ID.
    5. Browse to the ADFS page: https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm
    6. Select the RP and sign in, but I receive a login error.
    7. Using the SAML Tracer plugin in Firefox I can see that the RelayState is not being appended to the POST binding to the RP.
    8. However, if I copy and paste the following URL directly into my browser I can successfully login: https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm?RelayState=RPID%3Dhttp%253A%252F%252Fsamlsp.bluejeans.com%26RelayState%3DeyJtb2RlIjoiYXV0aCIsImdyb3VwIjoxNjA5fQ%253D%253D

    So, if the URL in step #8 works, then where can I put this URL in my configuration on the ADFS server?

    Two things I tried out of sheer desperation were:

    • In the Identifiers tab I replaced the Relying party identifier URL with the URL in step #8. This did not work.
    • In the Endpoints tab I removed the existing SAML Assertion Consumer POST binding and created a new one using the URL in step #8. This did not work either.
    • Lastly, I removed POST binding and created a redirect using the URL in step #8. This also did not work.

    What am I missing?

    Tuesday, January 26, 2016 11:39 PM
  • The URL in step 8 is the URL that should be used by the user in the browser, and not by ADFS.

    After enabling Relaystate, you can use the URL in step 8 which contains all the information for all STS'es in your path to know what to do and redirect the user correctly without performing home realm discovery along the way.

    If you are using ADFSv3 and the path is:

    USER ----- ADFS ----- APP

    then you can probably use a URL that is easier and shorter.

    Cheers,

    Jorge de Almeida Pinto


    Wednesday, January 27, 2016 6:55 AM
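As an added example (not code from any poster in this thread), here is how the step-8 URL above is assembled and taken apart: the RP identifier and the application's own RelayState are each percent-encoded once, joined as RPID=...&RelayState=..., and that string is percent-encoded a second time to become the outer RelayState query parameter. The host, RPID and application RelayState are the values from the poster's URL; rpid_is_known is an assumed helper that checks a link's RPID against the relying party identifiers configured in ADFS.

```python
from urllib.parse import quote, urlparse, parse_qs

# Values taken from the thread's step-8 URL (the poster's ADFS host, the
# relying party identifier from the Identifiers tab, and the application's
# opaque RelayState blob).
ADFS_HOST = "bjn-adfs-r2.bjnsupport.local"
RPID = "http://samlsp.bluejeans.com"
APP_RELAY_STATE = "eyJtb2RlIjoiYXV0aCIsImdyb3VwIjoxNjA5fQ=="


def build_idp_initiated_url(adfs_host, rpid, app_relay_state=None):
    """Build the IdP-initiated sign-on URL with the double-encoded RelayState.

    Each value is percent-encoded once on its own, the joined
    RPID=...&RelayState=... string is percent-encoded again, and that
    result is placed in the outer RelayState query parameter.
    """
    inner = "RPID=" + quote(rpid, safe="")
    if app_relay_state is not None:
        inner += "&RelayState=" + quote(app_relay_state, safe="")
    return (f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.htm"
            f"?RelayState={quote(inner, safe='')}")


def parse_idp_initiated_url(url):
    """Reverse the encoding: return (rpid, app_relay_state or None).

    parse_qs strips one percent-encoding layer each time it is applied,
    which is why it is called twice (outer query, then inner string).
    """
    outer = parse_qs(urlparse(url).query).get("RelayState", [None])[0]
    if outer is None:
        return None, None
    inner = parse_qs(outer)
    rpid = inner.get("RPID", [None])[0]
    app_rs = inner.get("RelayState", [None])[0]
    return rpid, app_rs


def rpid_is_known(url, configured_rp_identifiers):
    """Assumed helper: accept a link only if its RPID matches a relying
    party identifier configured in ADFS, so a crafted link cannot steer a
    user to a relying party the federation server does not know about."""
    rpid, _ = parse_idp_initiated_url(url)
    return rpid is not None and rpid in configured_rp_identifiers
```

parse_idp_initiated_url is also useful for checking a link someone hands you before publishing it on a portal or in a bookmark.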
  • I guess my understanding of how ADFS is supposed to work is incorrect then. I was under the impression that the user would browse to the ADFS IDP initiated sign on page, select the application that they want to login to, then ADFS would perform authentication and append the RelayState to the URL "behind the scenes", before redirecting the user to the application. It doesn't seem right that the user needs to enter the encoded URL directly into their browser. Do most people create a custom portal with the encoded URL as a link to the application?
    Wednesday, January 27, 2016 2:39 PM
  • Why should you care about that URL if it can be published on some portal/site or in some favorite/bookmark?

    Cheers,

    Jorge de Almeida Pinto


    Wednesday, January 27, 2016 6:50 PM
  • Hi Jorge,

    That's where I have been mistaken all along. I wrongly assumed that a user would browse to the ADFS site, select the RP from the drop-down menu, and login to the application of their choice.

    However, if I am not mistaken (again), what I am reading now is that we should create our own portal/site with the applications listed. We can then configure the URLs of those applications using the correctly encoded URL that contains the RelayState etc. Is that correct?

    Wednesday, January 27, 2016 7:42 PM
  • When you said "but I receive a login error" was this on the application or ADFS?

    If ADFS, anything in the ADFS event log?

    Otherwise, what is the error?

    The RP is configured as a SAML RP?

    The SAML Assertion Consumer Endpoint for that RP is correct? This should point to code that can decode the token.

    There are only SAML endpoints?

    Are you using a SAML library for the RP?

    Selecting the RP from the ADFS IDPInitiated page works and does not send a RelayState.

    The reason for the two use cases is that selecting the RP from the dropdown is for when you authenticate against AD.

    Using RelayState is normally when you authenticate against another IDP and then redirect to ADFS. ADFS sees the token so knows that the user is authenticated and uses the RPID etc. to seamlessly redirect to the RP.

    So yes, you are correct in assuming "that a user would browse to the ADFS site, select the RP from the drop-down menu, and login to the application of their choice". The authentication will be against AD.

    No, you should not create your own portal.

    Wednesday, January 27, 2016 10:58 PM

  • The RP is configured as a SAML RP. When configuring it I imported the following metadata: https://bluejeans.com/support/saml-metadata.xml

    I know that the RP & corresponding claims are configured correctly because SP initiated login works when I sign in to my app from https://stumin.bluejeans.com

    When doing IDP initiated login I browse to: https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm

    Upon selecting the RP and using my credentials to login I receive an "HTTP ERROR: 401 - Problem accessing /sso/saml2/. Reason: Unauthorized" from the endpoint: https://bluejeans.com/sso/saml2/

    The reason I am receiving this 401 error is because when I attempt an IDP initiated login the POST does not contain the RelayState parameter.
    I have been using the SAML Tracer utility in Firefox to log the activity. When doing SP initiated login I see the following SAML parameters in the POST: http://pastebin.com/jSYYwLt3

    When attempting an IDP initiated login the RelayState parameter is missing: http://pastebin.com/jThbpsm4

    Using a SAML decoder utility I can see that in SP & IDP initiated POST the SAMLResponse is sending the same information, which is good, but what I am struggling to resolve is why the IDP initiated POST does not contain the RelayState parameter despite having configured the Microsoft.IdentityServer.Servicehost.exe.config per your previous instructions.

    I see one warning in the ADFS Event Log and that is related to Device Registration Service, which is currently not running on my server. If I right click on it all of the options to start, restart, and stop the service are grayed out. Here is the full error message: http://pastebin.com/h4Hebx5g

    My setup consists of a single Windows Server 2012 R2 server running AD & ADFS, which is configured to talk to the SAML RP mentioned above.

    Thursday, January 28, 2016 12:25 AM
  • Could you also elaborate on the following statement please?

    Selecting the RP from the ADFS IDPInitiated page works and does not send a RelayState.

    This is currently not working for me. Will this method of logging in never send the RelayState with the POST? When we use another service, e.g. Okta, IDP initiated login works and we always see the RelayState in the SAML Tracer logs. It is only with ADFS that we are experiencing issues with IDP initiated login.

    If you like, I can set you up with a test enterprise account for you to configure your ADFS instance to do SSO with Blue Jeans?

    • Edited by StuartTM Thursday, January 28, 2016 12:56 AM typo
    Thursday, January 28, 2016 12:54 AM
  • "Will this method of logging in never send the RelayState with the POST?"

    Yes - I believe so.

    RelayState is not a mandatory parameter so while it would be nice for ADFS to include it, it is not an error.

    The spec says RelayState MAY be included for all three bindings (POST, Redirect, Artifact resolution).

    You have two choices:

    • Modify the RP so it no longer requires RelayState.
    • Use the long URL.
    Thursday, January 28, 2016 6:00 PM
  • Thank you, nzpcmad1. Interesting that the spec says this, as it certainly seems to be the case. However, I was really hoping that adding the line below to the config file would force it to use the RelayState parameter regardless. <useRelayStateForIdpInitiatedSignOn enabled="true" />
    Friday, January 29, 2016 2:41 AM