Thursday, November 19, 2015

ADFS : RelayState with IDPInitiated

I've been playing around with this lately, so I thought I would get all the references in one place.

Firstly, an overview: AD FS 2.0 RelayState.

Now, I'm using ADFS ("AD FS") 3.0, so there's no need to install the hotfix.

However, the feature is turned off by default, so you need to turn it on as described in Enabling RelayState In ADFS Versions. On AD FS 2.0 through 3.0 that means adding the element <useRelayStateForIdpInitiatedSignOn enabled="true" /> inside the <microsoft.identityServer.web> section of Microsoft.IdentityServer.Servicehost.exe.config (under %systemroot%\ADFS) on every federation server, then restarting the AD FS service.

And then you need the AD FS 2.0 RelayState Generator (it works fine against AD FS 3.0; all it does is the double URL-encoding shown below).

My use case is really simple:

SP --> ADFS, with ADFS acting as the IdP for a number of SAML SPs (relying parties).

When a user lands on the IdP-initiated sign-on page I want to skip the drop-down where they have to pick which SP to sign in to, and send them straight to one SP (and, ideally, to a particular page on it). That achieves the same objective as when I use the "whr" parameter with WS-Fed to skip the home realm discovery page.

(As the first link alludes to, on AD FS 3.0 you could achieve the SP selection part with the loginToRp query parameter on idpinitiatedsignon.aspx instead, which needs no double encoding. RelayState is the route that also lets you carry the landing page.)

So, feeding the generator tool the RP identifier urn:customer:serviceprovider1 and the landing page https://website/ServiceProvider/Default.aspx:

The actual URL is:

https://domain.local/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Durn%253Acustomer%253Aserviceprovider1%26RelayState%3Dhttps%253A%252F%252Fwebsite%252FServiceProvider%252FDefault.aspx

which for ease of reading is:

https://domain.local/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID=urn:customer:serviceprovider1&RelayState=https://website/ServiceProvider/Default.aspx

once the RelayState value has been URL-decoded twice. The encoding is layered: the RPID and landing-page values are percent-encoded first (so ":" becomes %3A and "/" becomes %2F), joined into RPID=...&RelayState=..., and then that whole string is percent-encoded again because it is itself a single query-string value on the outer URL (which is why you see %253A and %26 in the real link). Note that the inner key for the landing page is also called RelayState, and that the RPID must match the relying party trust identifier exactly.
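As an added example (this is not from the original post and not the generator tool's code), here is the same double encoding in Python, together with the decode-and-validate step an SP would need on the receiving side. The host, RP identifier and landing page are the ones from the URL above; the loginToRp helper is the AD FS 3.0 alternative mentioned earlier; the allow-list of landing hosts is an assumed SP policy, not something AD FS enforces.

```python
from urllib.parse import quote, parse_qs, urlsplit

SIGNON_PATH = "/adfs/ls/idpinitiatedsignon.aspx"


def build_relay_state(rpid, landing_page=None):
    """Build the RelayState value AD FS expects for IdP-initiated sign-on.

    Each value is percent-encoded once to form RPID=...&RelayState=...,
    and that whole string is percent-encoded again because it becomes a
    single query-string value on the outer URL. safe='' forces ':' and
    '/' to be encoded too, which matches what the generator tool emits.
    """
    inner = "RPID=" + quote(rpid, safe="")
    if landing_page:
        inner += "&RelayState=" + quote(landing_page, safe="")
    return quote(inner, safe="")


def build_idp_initiated_url(adfs_host, rpid, landing_page=None):
    """Full IdP-initiated sign-on URL that skips the RP selection page."""
    return "https://%s%s?RelayState=%s" % (
        adfs_host, SIGNON_PATH, build_relay_state(rpid, landing_page))


def build_login_to_rp_url(adfs_host, rpid):
    """AD FS 3.0 alternative: loginToRp selects the RP with one plain
    (single-encoded) parameter and no RelayState."""
    return "https://%s%s?loginToRp=%s" % (
        adfs_host, SIGNON_PATH, quote(rpid, safe=""))


def parse_idp_initiated_url(url, allowed_landing_hosts):
    """Undo the two encoding layers and validate the result.

    RelayState is not signed and is not inside the SAML assertion, so the
    landing page is untrusted input: a crafted link can point it anywhere.
    The assumed policy here is that it must be an https URL whose host is
    in allowed_landing_hosts. Returns (rpid, landing_page); landing_page
    is None when the RelayState carried only an RPID.
    """
    outer = parse_qs(urlsplit(url).query)      # first decoding round
    if "RelayState" not in outer:
        raise ValueError("no RelayState parameter")
    inner = parse_qs(outer["RelayState"][0])   # second decoding round
    rpid = inner.get("RPID", [None])[0]
    if not rpid:
        raise ValueError("RelayState carries no RPID")
    landing = inner.get("RelayState", [None])[0]
    if landing is not None:
        parts = urlsplit(landing)
        if parts.scheme != "https" or parts.hostname not in allowed_landing_hosts:
            raise ValueError("landing page not allowed: %s" % landing)
    return rpid, landing


if __name__ == "__main__":
    url = build_idp_initiated_url("domain.local", "urn:customer:serviceprovider1",
                                  "https://website/ServiceProvider/Default.aspx")
    print(url)
    print(parse_idp_initiated_url(url, {"website"}))
    # Constructed attacker link: same RPID, landing page on a host we do not own.
    bad = build_idp_initiated_url("domain.local", "urn:customer:serviceprovider1",
                                  "https://evil.example/phish")
    try:
        parse_idp_initiated_url(bad, {"website"})
    except ValueError as err:
        print("rejected:", err)
```

Running the script reproduces the generator's URL character for character, decodes it back to the RPID and landing page, and rejects a link whose landing page is not on the allow-listed host.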

Note: Don't be confused by the fact that RelayState serves two completely separate purposes. For IdP-initiated sign-on, the RelayState tells AD FS which RP to issue the token for and which landing page at the SP to send the user to. For SP-initiated sign-on it is a way for the SP to maintain state between sending the AuthnRequest and receiving the SAML response: the SP may send a RelayState along with the AuthnRequest and the IdP must return it unchanged along with the SAML response. In both cases the value is not signed and is not part of the assertion, so the SP must treat it as untrusted input (match it against state it stored itself, or restrict the landing page to its own site), otherwise it becomes an open redirect. Also be aware that the SAML 2.0 bindings specification limits RelayState to 80 bytes; the RPID-plus-URL form used here is usually longer than that, and a strict SP may reject it.

Enjoy!
