This post follows on from:
IDP Initiated Sign-on to SAML SP using SAML IDP
The question is around having a SAML IDP (Salesforce), ADFS as the RP-STS and multiple SAML RPs.
Users may authenticate with either AD (via ADFS) or via Salesforce.
The easy way is to use RP-initiated sign-on, but that wasn't an option.
In the link above, there is a useful tool to generate the relayState.
There are three text boxes:
The article is somewhat confusing because the third text box refers both to a string to be passed to the application and to the ADFS identifier of the application.
However, the use case we want is:
Identity provider security token server (STS) -> relying party STS
(configured as a SAML-P endpoint) -> SAML relying party App
I tried this with two ADFS instances, both v3.0.
So ADFS IDP = adfs-idp
ADFS RP-STS = adfs-rp-sts
Application ID = appid
which leads to:
and the URL is:
So the user should authenticate on adfs-idp, be redirected to adfs-rp-sts, already be authenticated there, and then be redirected to the application.
However, I could not get this to work. I kept getting:
MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
If I left the third text box empty and removed the empty "RelayState=", I get:
So the user should authenticate on adfs-idp, be redirected to adfs-rp-sts, already be authenticated there, and then select the application from the dropdown. This works.
For AD authentication, we can use the form at the top of the article, i.e. using the loginToRp parameter.
So the user should authenticate on adfs-rp-sts and be redirected to the application. This works.
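As an added example (not code from the original post, and not Microsoft's tool), the following Python builds and decodes the two URL forms discussed above: the RelayState form and the loginToRp form for /adfs/ls/idpinitiatedsignon.aspx. The encoding follows the format Microsoft documents for that endpoint: an inner string RPID=<URL-encoded RP identifier>&RelayState=<URL-encoded value>, URL-encoded once more as a whole. The hostnames adfs-idp, adfs-rp-sts and appid are the post's placeholders; the identifier URIs are constructed, and the nested two-hop construction (outer RelayState targeting the RP-STS, inner RelayState carrying the application's RPID) is my assumption about how the chained case would have to be expressed, not something the post confirms works, since its attempt returned MSIS7001. The decoder shows what each STS receives at each hop, which is the first thing to check when a sign-on URL fails.

```python
from urllib.parse import quote, unquote, parse_qs

# Path and parameter names follow Microsoft's documented ADFS
# IDP-initiated sign-on endpoint. Hostnames used below are the post's
# placeholders (adfs-idp, adfs-rp-sts, appid).
IDP_INIT_PATH = "/adfs/ls/idpinitiatedsignon.aspx"


def encode_relay_state(rpid: str, relay_state: str = "") -> str:
    """Build the value ADFS expects in its RelayState query parameter.

    Inner form:  RPID=<url-encoded RP identifier>&RelayState=<url-encoded value>
    The inner string is URL-encoded once more, which is why '=' and '&'
    show up as %3D and %26 and the identifier's '://' as %253A%252F%252F.
    An empty relay_state omits the RelayState part entirely, matching the
    post's observation that an empty "RelayState=" is better removed.
    """
    inner = f"RPID={quote(rpid, safe='')}"
    if relay_state:
        inner += f"&RelayState={quote(relay_state, safe='')}"
    return quote(inner, safe="")


def idp_initiated_url(sts_host: str, rpid: str, relay_state: str = "") -> str:
    """IDP-initiated sign-on URL that lands on the given RP after sign-in."""
    return f"https://{sts_host}{IDP_INIT_PATH}?RelayState={encode_relay_state(rpid, relay_state)}"


def login_to_rp_url(sts_host: str, rpid: str) -> str:
    """The simpler loginToRp form the post uses for AD-authenticated users."""
    return f"https://{sts_host}{IDP_INIT_PATH}?loginToRp={quote(rpid, safe='')}"


def chained_idp_initiated_url(idp_host: str, rp_sts_id: str, app_id: str) -> str:
    """Two-hop case: IDP -> RP-STS -> application.

    Assumption (not confirmed by the post, whose attempt returned MSIS7001):
    the outer RelayState targets the RP-STS, and its inner RelayState is the
    already-encoded RPID=<app> value the RP-STS needs on the second hop.
    """
    return idp_initiated_url(idp_host, rp_sts_id, relay_state=encode_relay_state(app_id))


def decode_relay_state(value: str) -> dict:
    """What the receiving STS sees: reverse one layer of encoding.

    parse_qs percent-decodes each field once, so a nested RelayState comes
    back still encoded for the next hop. Useful when inspecting a failing
    sign-on URL from a proxy or browser log; ADFS itself still checks that
    RPID matches a configured relying party trust before honouring it.
    """
    fields = parse_qs(unquote(value), keep_blank_values=True)
    return {
        "RPID": fields.get("RPID", [""])[0],
        "RelayState": fields.get("RelayState", [""])[0],
    }


if __name__ == "__main__":
    # Constructed identifiers in ADFS's default "http://<host>/adfs/services/trust" style.
    rp_sts_id = "http://adfs-rp-sts/adfs/services/trust"
    app_id = "https://appid/"
    url = chained_idp_initiated_url("adfs-idp", rp_sts_id, app_id)
    print(url)
    hop1 = decode_relay_state(url.split("RelayState=", 1)[1])
    print("adfs-idp sees:", hop1)
    print("adfs-rp-sts sees:", decode_relay_state(hop1["RelayState"]))
```

Running the script prints the chained URL and then the decoded view at each hop; comparing that second-hop view with the identifier actually configured on the RP-STS's relying party trust is the quickest way to tell an encoding mistake from a trust configuration problem.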
Or we can take a completely different approach (albeit with ADFS 3.0) as per:
ADFS 3.0: Playing with Authentication
where you can use:
where you can configure any of your relying parties to use specific claims provider(s).
Just to call out @RobM's summary from the forum question above:
"If you have a SAML IDP and a WS-Federation SP, you can use a URL constructed in the following manner to sign in:
If you have a SAML IDP and a SAML SP, the URL looks like so:
Note that with WS-Federation, the flow is ADFS --> IDP --> ADFS --> RP
With SAML only, the flow is IDP --> ADFS --> RP"