ADFS : SAML redirect to application via relayState and loginToRp
I've been looking at a case where IDPInitiated is used with a WS-Fed application.
The use case is:
IDP --> SAML --> ADFS --> WS-Fed --> Application
IDPInitiated is a SAML feature not supported in WS-Fed but it works in ADFS if you use the RPID construct.
If you set the RPID to the identifier of an RP in ADFS, the user uses IDPInitiated at their IDP to authenticate; the request goes to ADFS, which sees that they are authenticated and passes the token on to the RP seamlessly.
However, you will get:
ID4216: The ClaimType '
The reason is discussed here:
AD FS 2.0: The Admin Event Log Shows Error 111 with System.ArgumentException: ID4216
Essentially, WS-Fed uses a SAML 1.1 token whereas SAML 2.0 uses a SAML 2.0 token, and SAML 1.1 is far stricter about the claim type format.
It requires:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>tom@abc.com</AttributeValue>
</Attribute>
Instead of:
<saml:Attribute Name="EmailAddress"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">tom@abc.com</saml:AttributeValue>
</saml:Attribute>
Note the difference in the attribute name formats.
Apart from this, WIF breaks because all its classes expect the stricter URI form.
To sort this out:
On the IDP side, just pass everything through:
c:[]
=> issue(claim = c);
On the RP side, you need to do a pass-through as well, but using a custom rule, e.g.
c:[Type == "EmailAddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = c.Value);
That will keep WIF happy :-)
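To see what the RP-side rule is actually doing, here is an added Python model (not ADFS code and not from the original post) that reads SAML 2.0 attributes, reissues the short "basic" names under the URI-style claim types that the SAML 1.1 token and WIF expect, and reports any attribute that would still trip ID4216. The sample assertion and the "Department" attribute are constructed for the example; only the EmailAddress mapping comes from the post.

```python
"""Model of the claim-rule fix: rename SAML 2.0 'basic' attribute names to the
'namespace/name' URI claim types required by the SAML 1.1 token WS-Fed uses."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Equivalent of the custom RP-side rule on the page (EmailAddress -> URI form).
CLAIM_TYPE_MAP = {
    "EmailAddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}


def is_valid_ws_fed_claim_type(claim_type: str) -> bool:
    """SAML 1.1 / WIF demand 'namespace/name': a '/' with text on both sides."""
    namespace, sep, name = claim_type.rpartition("/")
    return bool(sep) and bool(namespace) and bool(name)


def transform_attributes(saml2_assertion_xml: str):
    """Apply pass-through-with-rename to every SAML 2.0 Attribute.

    Returns (issued, rejected): issued maps URI claim type -> value, rejected
    lists attribute names that would still raise ID4216 in the WS-Fed token."""
    root = ET.fromstring(saml2_assertion_xml)
    issued, rejected = {}, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        claim_type = CLAIM_TYPE_MAP.get(name, name)  # rename only when a rule exists
        if is_valid_ws_fed_claim_type(claim_type):
            issued[claim_type] = value
        else:
            rejected.append(name)
    return issued, rejected


# Constructed sample assertion: one 'basic' name with a rule, one already in
# URI form, and one short name ("Department") with no rule.
SAMPLE_SAML2 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">tom@abc.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue xsi:type="xs:string">Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `transform_attributes(SAMPLE_SAML2)` issues the email and name claims and rejects "Department", which is exactly the attribute you would have to add a further custom rule for.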
Enjoy!