AD FS Relying Party Endpoint Selection

  • Question

  • I'm building an application that uses an AD FS 3.0 IdP-initiated sign-on to handle user authentication. We are mapping the claims in the SAML response to IAM roles in AWS to allow users access to an API Gateway instance that provides data for the application.

    We need to set up multiple endpoints for our relying party (Amazon Web Services) so multiple developers can use AD FS to sign into their respective development sites without having to write any development-specific code. I'm also aware that we could pass some RelayState to the application's SAML response handler to tell it where to redirect after sign on, but that would mean using one SAML handler for all development sites, which isn't ideal.

    I've added multiple endpoints to the relying party configuration, but I cannot determine how to select among the endpoints at sign on time. I take it there should be a URL parameter to specify the endpoint index AD FS should POST the SAML response to, but there seems to be a lack of documentation on how to do so.

    This piece of documentation leads me to believe such a thing is possible, as under the index section it states "The index can also be used to identify the endpoint in requests.":

    https://technet.microsoft.com/en-us/library/gg557753(v=ws.10).aspx

    There also seems to be reference to accomplishing this with SAML at this link, but the section that specifically addresses a SAML implementation doesn't contain any information:

    https://social.technet.microsoft.com/wiki/contents/articles/2305.ad-fs-2-0-how-to-utilize-a-single-relying-party-trust-for-multiple-web-applications-that-share-the-same-identifier.aspx

    Any help would be greatly appreciated.
    Wednesday, August 16, 2017 5:13 PM
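The "index ... in requests" wording quoted above refers to the SAML 2.0 AssertionConsumerServiceIndex attribute of an SP-initiated AuthnRequest, which lets a relying party with several registered endpoints name the one the IdP should POST the Response to. The following is an added illustration, not code from the thread or from AD FS, and it assumes the relying party is willing to use SP-initiated sign-on for this (an IdP-initiated flow sends no request in which the index could be carried); the endpoint table and URLs are constructed samples. It also shows the check a relying party should make on receipt: only accept a Response whose Destination is one of its own registered endpoints.

```python
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the relying party's registered SAML endpoints, keyed by
# the same index values configured on the relying party trust.
ACS_ENDPOINTS = {
    0: "https://dev-alice.example.com/saml/acs",
    1: "https://dev-bob.example.com/saml/acs",
}


def build_authn_request(issuer, idp_sso_url, acs_index):
    """Build an SP-initiated AuthnRequest that selects the ACS endpoint by index.

    The index is validated against the local endpoint table first so a typo
    cannot ask the IdP for an endpoint the relying party does not own.
    """
    if acs_index not in ACS_ENDPOINTS:
        raise ValueError(f"unknown AssertionConsumerService index {acs_index}")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceIndex": str(acs_index),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def response_destination_is_registered(response_xml):
    """Relying-party check: accept a Response only if its Destination is ours.

    This is a coarse pre-filter before signature validation, so that a Response
    addressed to some other endpoint is never processed by this handler.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    return root.get("Destination") in ACS_ENDPOINTS.values()


if __name__ == "__main__":
    print(build_authn_request("https://dev-bob.example.com",
                              "https://adfs.example.com/adfs/ls/", 1))
```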

All replies

  • I've been trying to find more information on this as well. Did you ever find a solution for this?
    Wednesday, December 6, 2017 9:41 PM