ADFS RelayState (IdP-initiated sign-on deep links)

The university, as part of its digital strategy initiative, is pushing harder than ever for SSO across its major services. Part of this means standardizing on an IdP infrastructure to tie everything into, and for a lot of reasons (future post) we chose ADFS.

Recently a service provider asked us if, since we are working this way with our Shibboleth IdP now, we can provide a deep link on the IdP domain that will redirect to the SP after the authentication flow. I figured it was possible, but it was the first time we had to think about this with ADFS. Turns out it's quite easy, at least on ADFS v5 (Server 2019).

I'm probably explaining this wrong, but in SAML parlance the flow where the user connects to the IdP first and then gets punted to an SP is called RelayState, and typically it is triggered by appending a query string to the IdP-initiated sign-on page.

First, enable IdP-initiated sign-on if you haven't already:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Then, enable RelayState:
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
All that remains is to compose your deep links. There's a Microsoft KB article (for as long as these things last) that explains in detail how the relying party identifier should be URL-encoded and appended to the IdP-initiated sign-on URL.

For example, the relying party identifier http://www.gartner.com becomes:
https://fs.contoso.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttp%253A%252F%252Fwww.gartner.com%26RelayState%3D

There is an excellent tool hosted by Jack Stromberg that will take your IdP-initiated sign-on endpoint and relying party identifier and generate the deep link for you.

Comments

Post a Comment

Popular posts from this blog

Secure Boot failure on ESXi 7.0 U3 - Solved

Image
At the beginning of April, an ice storm hit Quebec and caused power outages lasting several days, particularly in areas with older trees where utility lines are not underground. When I started my ESXi host after 5 days offline, I ran into an error I've never seen before: It seemed like all of the VIBs were now failing UEFI Secure Boot validation. My first instinct was that due to an unclean shutdown, data on the boot volume was corrupted, and a reinstall would be required. The voice of my VMware TAM was in the back of my mind: I'm running non- HCL hosts, with NVMe SSDs not on the VSAN HCL , I should be thankful this works at all. And he's right. And I am.  However, I'm happy to report this had a quick fix: while goofing around in the BIOS to see how I could bypass Secure Boot and load ESXi, I noticed that my system clock had rolled back to 2017! As it turns out, I had been foiled by a $1 CR2032 battery  meant to keep time while the board is not connected to power. By s
Read more

MikroTik CRS309-1G-8S+IN in 2023

Image
In late 2019, ServeTheHome  reviewed  the MikroTik  CRS309-1G-8S+IN . TL;DR  it's an 8x SFP+, 1x 1G RJ45 managed switch that retails around $350 CAD. When these came out, nothing else on the market came close on cost per port, even unmanaged. STH called it an "absolutely great buy". In 2021 I picked the CRS309 as the 10G backbone for my new home network and vSphere lab. Out of the box, running RouterOS 6, it did everything I needed at the time: I wanted a 10G switch to play with VSAN, upgrade my NAS to 10G, and a few ports for future projects. I set it up and basically forgot about it. The CRS309 was a slam dunk then and I'm still happy with my decision. Is the CRS309 still a good buy in 2023?   There are now at least two other affordable fanless ~8 port 10G managed switches: TP-Link TL-SX3008F : 8 SFP+, works with or without their Omada controller. $299 CAD Ubiquiti  USW-Aggregation : 8 SFP+, requires a UniFi controller. $359 CAD They'll do VLANs, ACLs, probabl
Read more