IDP Initiated Sign-on to SAML SP using SAML IDP

All replies

  • The URL is normally:

    https://corporate.adfs.com/adfs/ls/idpinitiatedsignon.aspx

    That should bring up a login screen with a dropdown of SAML applications - one of which should be:

    https://service.provider.com

    IDPInitiated is a SAML concept, not applicable to WS-Fed.


    Tuesday, January 05, 2016 5:53 PM
    Moderator
  • Hi nzpcmad1,

    I appreciate the reply. I should have specified, I'm going for a non-interactive login flow. If the user clicks the link I'm asking for help creating, they should not be prompted/presented with any screens from ADFS.

    Thanks,

    -Rob

    Tuesday, January 05, 2016 6:50 PM
  • IDPInitiated to ADFS means you want to authenticate using AD.

    It sounds like you need IDPInitiated on your IDP?

    You'd have to find out if your IDP supports it and what the URL is.

    Refer : AD FS 2.0 RelayState.

    i.e. this use case:

    Identity provider security token server (STS) -> relying party STS (configured as a SAML-P endpoint) -> SAML relying party App

    • Marked as answer by Rob M Wednesday, January 13, 2016 2:41 PM
    Tuesday, January 05, 2016 7:27 PM
    Moderator
    Going through my IDP doesn't seem possible, as the configurations within it only allow me to set it up to federate to only one application through ADFS. I'm attempting to set up a second application with no luck.

    I was hoping this would be a possible login flow initiated from ADFS. It's interesting that if my SP used WS-Federation this flow works, but since the app I'm attempting to hook up only talks SAML I appear to be out of luck.

    In my IDP, I can only set up ONE endpoint to ADFS, otherwise it complains that the ACS URL is already in use. I also cannot set up the same IDP as another claims provider in ADFS with a different entity ID, as then ADFS complains that the cert is already in use. The service provider only allows one IDP, which is already configured to be ADFS. It seems like no matter what I do I'm screwed here. Any other thoughts?

    Tuesday, January 05, 2016 10:40 PM
  • What IDP are you using?

    Does SP Initiated from the app work?

    Normally, there is one ADFS connection to the IDP as a CP and one from the IDP to ADFS as a RP.

    Why are you trying to create multiple connections?

    Tuesday, January 05, 2016 10:50 PM
    Moderator
  • IDP is Salesforce and there are multiple relying parties at play.

    Each relying party can only have one IDP configured, which is currently ADFS.

    I need some user populations to SSO to a relying party using AD creds and other users to SSO to that same relying party using Salesforce creds.

    Tuesday, January 05, 2016 10:53 PM
  • Normally I use SP Initiated:

    User navigates to app, app redirects to ADFS.

    For AD auth, choose AD from the HRD screen.

    For SalesForce auth , choose SalesForce from the HRD screen.

    Would this work?

    Tuesday, January 05, 2016 11:14 PM
    Moderator
    Unfortunately no. I can't rely on my users to pick the right thing on the HRD screen.

    In slightly better news, I was able to find an article that shows how to use RelayState with Salesforce. I can hit an endpoint there, authenticate, and get directed back to ADFS with the relay state. I have no idea what to set the relay state to, which is still giving me grief. I have it to the point where it throws an error in ADFS, and in the logs it says the following:

    Encountered error during federation passive request.

    Additional Data

    Exception details:

    System.ArgumentException: An item with the same key has already been added.

       at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)

       at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)

       at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)

       at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)

       at Microsoft.IdentityServer.Web.PassiveContext.CreateFromHttpContext(HttpContext context)

       at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)

    Tuesday, January 05, 2016 11:24 PM
  • Do the users of each RP only use one way to authenticate?

    e.g. all users of RP1 use AD and all users of RP2 use SalesForce?

    In terms of IDPInitiated & RelayState, part of the URL is the identifier of the app.

    But you have many apps?

    How do you propose to distinguish between them?

    Tuesday, January 05, 2016 11:44 PM
    Moderator
  • We have many relying parties in our ADFS farm. The ones at play for the purpose of this thread need to accept users from both AD and Salesforce.
    Wednesday, January 06, 2016 9:34 PM
    Sunday, January 10, 2016 7:23 PM
    Moderator
  • Impressive writeup, thanks for taking the time to test out the scenarios. It is now working!!  I marked your earlier reply as the answer.  There must have been a bug in our environment because some patching occurred over the weekend and that flow now works without error when before it gave the errors in my earlier comment.

    For anyone reading this in the future, here are my findings:

    If you have a SAML IDP and a WS-Federation SP, you can use a URL constructed in the following manner to sign in:
    https://corporate.adfs.com/adfs/ls/?wa=wsignin1.0&whr=https://identity.provider.com/&wtrealm=https://service.provider.com

    If you have a SAML IDP and a SAML SP, the URL looks like so:
    https://identity.provider.com/idploginpath/login?RelayState=RPID%3Dhttps%253A%252F%252Fidentity.provider.com

    Note that with WS-federation, the flow is ADFS --> IDP --> ADFS --> RP
    With SAML only, the flow is IDP --> ADFS --> RP

    Thanks again nzpcmad1 for all your replies on this thread!

    Wednesday, January 13, 2016 3:00 PM
  • Hi Rob,

    Once you had constructed the URL for IDP initiated sign on where did you configure it on your ADFS server?

    I know I am very close to getting things working, but as it stands I still cannot get IDP initiated sign on to work when selecting the application from the /adfs/ls/idpinitiatedsignon.htm page.

    Here is what I have done so far:

    1. Added <useRelayStateForIdpInitiatedSignOn enabled="true" /> to the Microsoft.IdentityServer.Servicehost.exe.config file.

    2. Restarted the ADFS service.

    3. Added a Relying Party Trust by importing an .xml file containing the RP's metadata.

    4. Setup two claims rules. One sends email from LDAP attribute and the other transforms the incoming email claim into Name ID.

    5. Browse to the ADFS page: https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm

    6. Select the RP and sign in, but I receive a login error.

    7. Using the SAML Tracer plugin in Firefox I can see that the RelayState is not being appended to the POST binding to the RP.

    8. However, if I copy and paste the following URL directly into my browser I can successfully login: https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm?RelayState=RPID%3Dhttp%253A%252F%252Fsamlsp.bluejeans.com%26RelayState%3DeyJtb2RlIjoiYXV0aCIsImdyb3VwIjoxNjA5fQ%253D%253D

    So, if the URL in step #8 works, then where can I put this URL in my configuration on the ADFS server?

    A few things I tried out of sheer desperation were:

    • In the Identifiers tab I replaced the Relying party identifier URL with the URL in step #8. This did not work.
    • In the Endpoints tab I removed the existing SAML Assertion Consumer POST binding and created a new one using the URL in step #8. This did not work either.
    • Lastly, I removed the POST binding and created a redirect using the URL in step #8. This also did not work.

    What am I missing?

    Wednesday, January 27, 2016 12:00 AM
  • Hi Stuart,

    You may want to start a new thread to work through your specifics, but I'll take a few guesses at what you may be missing.

    To answer your specific question, I didn't have to put a URL anywhere in ADFS. The URL I was trying to construct is literally a static link to be placed within an application. Once ADFS has been configured properly with any claims provider trusts necessary and has any relying parties configured as well, then it's a matter of constructing the URLs properly and placing them within my applications to route users to the correct relying party and IDP.

    In your case, there is a chance that you don't have the <useRelayStateForIdpInitiatedSignOn enabled="true" /> in the correct location. It should be in the web.config file.

    If that doesn't help, please start a new thread and include some details about your setup and post up a link to the thread and I'll try my best to assist.

    Thursday, January 28, 2016 2:14 AM
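As an added example (not code from this thread, and not ADFS's own tooling), the following Python module builds the URL shapes described in Rob's findings and in Stuart's step 8: the WS-Federation link with whr/wtrealm, and the IdP-initiated SAML link whose RelayState is RPID=<RP identifier>&RelayState=<app RelayState>, encoded once per value and once more as a whole. It also decodes such a link so you can compare what a SAML tracer shows against the identifier registered on the Relying Party Trust. The hostnames, the RP identifier and the inner RelayState value come from the posts above; the function names and the ValueError handling are my own assumptions.

```python
"""Build and decode ADFS sign-on URLs (added example, not code from the thread)."""
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse


def build_wsfed_url(adfs_base: str, idp_entity_id: str, rp_realm: str) -> str:
    """WS-Federation link: ADFS -> claims provider (whr) -> ADFS -> RP (wtrealm).

    whr names the claims provider trust so the user never sees the HRD page.
    Values are percent-encoded; ADFS accepts either encoded or raw values.
    """
    params = {"wa": "wsignin1.0", "whr": idp_entity_id, "wtrealm": rp_realm}
    return f"{adfs_base.rstrip('/')}/adfs/ls/?{urlencode(params)}"


def build_adfs_relaystate(rp_identifier: str, app_relaystate: Optional[str] = None) -> str:
    """Inner RelayState that ADFS expects for IdP-initiated SAML sign-on.

    Format (per the AD FS 2.0 RelayState documentation):
        RPID=<url-encoded RP identifier>[&RelayState=<url-encoded app RelayState>]
    Each value is encoded once here; the whole string is encoded again by the
    caller when it becomes a query-string parameter (hence the %253A / %252F
    seen in the thread).
    """
    inner = "RPID=" + quote(rp_identifier, safe="")
    if app_relaystate is not None:
        inner += "&RelayState=" + quote(app_relaystate, safe="")
    return inner


def append_relaystate(base_url: str, rp_identifier: str, app_relaystate: Optional[str] = None) -> str:
    """Append the double-encoded RelayState to a sign-on page URL.

    base_url is either the ADFS page (.../adfs/ls/idpinitiatedsignon.aspx on
    AD FS 2.0, .htm on 2012 R2) or the external IdP's own login URL, which then
    forwards the RelayState to ADFS (IDP -> ADFS -> RP).
    """
    inner = build_adfs_relaystate(rp_identifier, app_relaystate)
    return base_url + "?RelayState=" + quote(inner, safe="")


def parse_adfs_relaystate(url: str) -> dict:
    """Undo both encoding layers and return {'RPID': ..., 'RelayState': ...}.

    Raises ValueError when no RPID is present: without it ADFS has no RP to
    route to and the sign-on ends on the dropdown page or an error.
    """
    outer = parse_qs(urlparse(url).query).get("RelayState", [""])[0]  # first decode
    inner = parse_qs(outer, keep_blank_values=True)                    # second decode
    if "RPID" not in inner:
        raise ValueError("RelayState carries no RPID; ADFS cannot select a relying party")
    return {"RPID": inner["RPID"][0], "RelayState": inner.get("RelayState", [None])[0]}


if __name__ == "__main__":
    # Constructed from the values posted above (RP identifier and inner RelayState
    # are Stuart's; the base64 is his application's own opaque state).
    wsfed = build_wsfed_url("https://corporate.adfs.com",
                            "https://identity.provider.com/",
                            "https://service.provider.com")
    print(wsfed)

    saml = append_relaystate("https://bjn-adfs-r2.bjnsupport.local/adfs/ls/idpinitiatedsignon.htm",
                             "http://samlsp.bluejeans.com",
                             "eyJtb2RlIjoiYXV0aCIsImdyb3VwIjoxNjA5fQ==")
    print(saml)

    # Round trip: what we decode must be exactly the RP identifier on the trust.
    decoded = parse_adfs_relaystate(saml)
    assert decoded["RPID"] == "http://samlsp.bluejeans.com", decoded
    print(decoded)
```

Two checks worth doing before blaming the link: the RPID must be byte-for-byte the identifier on the Relying Party Trust (scheme and trailing slash included), and RelayState support must actually be switched on, whose location depends on the ADFS version (web.config under /adfs/ls on AD FS 2.0, Microsoft.IdentityServer.Servicehost.exe.config on 2012 R2, and Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true on AD FS 2016 and later). The inner RelayState is delivered to the RP unchanged from whatever was put in the link, so the application must treat it as untrusted input and never use it as a redirect target without validation.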