Friday, October 26, 2012

ADFS : IDP / IP and SP Initiated flows


This confuses some people, so some ADFS v2.0 screenshots might be helpful.

SP-initiated is the more common flow. The user navigates to the application, WIF (or whatever federation library the application uses) redirects to ADFS, and you get the normal login screen:

[Screenshot: the normal ADFS login screen]

After the user is logged in, the application gets the SAML token.

IdP-initiated sign-on in ADFS only works for relying parties that have a SAML binding configured.

The ADFS IdP-initiated sign-on URL is:
https://xxx/adfs/ls/IdpInitiatedSignOn.aspx

[Screenshot: the IdpInitiatedSignOn.aspx page with the two sign-in options and the relying-party dropdown]

ADFS looks through all the configured RPs, finds those with a SAML binding, and displays them in the dropdown.

The user can either sign in first (the first option) and then navigate directly to one of the dropdown applications, or first select a dropdown entry (the second option) and then sign in.

After the user is logged in, the application gets the SAML token.

The SAML token is the same for both IdP-initiated and SP-initiated sign-on.
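Because the token is the same, the SP has to do the same checks (Audience, Recipient, expiry) in both flows; the one wire-level difference is that an SP-initiated Response carries InResponseTo echoing the SP's AuthnRequest ID, while an IdP-initiated Response is unsolicited and has none. The following is an added Python example, not code from the original post: the hosts and URLs are hypothetical, the Response is constructed, and XML signature verification is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample Response (hypothetical hosts); {inresp} is filled in by sample().
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2012-10-26T10:00:00Z" Destination="https://app.example.test/acs"{inresp}>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-10-26T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://app.example.test/acs"
     NotOnOrAfter="2012-10-26T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.example.test/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def sample(in_response_to=None):
    """Build an SP-initiated (InResponseTo present) or IdP-initiated (absent) sample."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return SAMPLE.format(inresp=attr)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def classify_response(xml_text, outstanding_ids, audience, acs_url, now):
    """Validate what the SP must check in BOTH flows, then report which flow it was.
    Raises ValueError on any mismatch. Signature verification is assumed done already."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion in Response")
    # Audience must be this SP's identifier (the RP identifier configured in ADFS).
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != audience:
        raise ValueError("Audience is not this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("Recipient is not our assertion consumer URL")
    if _ts(now) >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    # Only the wrapper differs: SP-initiated Responses echo our AuthnRequest ID.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"  # unsolicited: no request of ours to tie it to
    if in_response_to not in outstanding_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    return "sp-initiated"
```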

Enjoy!
