We have set up identity federation between our ADFS environment and another IDP (Siteminder I think).
Both SP and IDP initiated sign on are working fine.
Now, we want to provide all users a link that authenticates them through IdP-initiated sign-on and redirects them to a specific URL.
Our identity provider suggests that we add the RelayState query parameter to the end of the IdP-initiated sign-on request, to have this request:
https://<idp-sso-endpoint>?SPID=https://<adfs-server>/adfs/services/trust&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState=<target-url>
but the following error occurs on our ADFS server:
Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request
Does anyone have an idea how to use the RelayState parameter with an IDP and ADFS as a service provider?
Thanks.
You cannot just put a URL at the end of RelayState. It needs to make sense to the receiver. See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)#configuration-required for details on how to encode this correctly to make sure AD FS receives something that makes sense.
The encoding instructions are valid but the method for configuring AD FS will be dependent on the AD FS version. In later versions of AD FS there is an EnableRelayStateForIdpInitiatedSignOn switch in the Set-AdfsProperties cmdlet that can be toggled.
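As an added illustration of the encoding the answer refers to (example code written for this page, not from the question, the answer, or Microsoft): AD FS does not treat RelayState as a bare URL. It expects the value to be a query-string-shaped string, `RPID=<URL-encoded relying party identifier>&RelayState=<URL-encoded target URL>`, which is then URL-encoded once more as a whole before being appended to the sign-on link. The web stack of the IdP removes the outer layer when it parses the query string, and the receiving AD FS parses the inner string. The block below builds the link in the shape shown in the question, extracts what the IdP sees, and parses it the way the receiving side would, refusing targets that are not on a host allow-list. All host names, the relying party identifier and the allow-list are constructed sample values.

```python
# Added example (not from the question or answer above): build the RelayState
# value in the format AD FS expects for IdP-initiated sign-on and parse it back
# the way the receiving side would. Host names and the allow-list are
# constructed sample values, not real endpoints.
from urllib.parse import parse_qs, quote, urlsplit

SAML_HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed allow-list of hosts a RelayState may send the user to. The value
# travels in a link the user clicks, so the receiving side should only honour
# targets it already trusts rather than redirecting wherever the link says.
ALLOWED_TARGET_HOSTS = {"app.example.com"}


def build_adfs_relaystate(rp_identifier: str, target_url: str) -> str:
    """Return the RelayState query parameter value (inner string, encoded once more)."""
    inner = (
        "RPID=" + quote(rp_identifier, safe="")
        + "&RelayState=" + quote(target_url, safe="")
    )
    # The outer encoding protects the inner '=' and '&' from the IdP's own
    # query-string parser, so they survive until AD FS parses the inner string.
    return quote(inner, safe="")


def build_idp_initiated_url(idp_sso_endpoint: str, adfs_spid: str,
                            rp_identifier: str, target_url: str) -> str:
    """Assemble the IdP-initiated sign-on link in the shape shown in the question."""
    relaystate = build_adfs_relaystate(rp_identifier, target_url)
    return (
        f"{idp_sso_endpoint}?SPID={quote(adfs_spid, safe='')}"
        f"&ProtocolBinding={quote(SAML_HTTP_POST_BINDING, safe='')}"
        f"&RelayState={relaystate}"
    )


def relaystate_from_url(url: str) -> str:
    """What the IdP sees after its web stack decodes the query string once:
    the inner 'RPID=...&RelayState=...' string that it relays on to AD FS."""
    return parse_qs(urlsplit(url).query, strict_parsing=True)["RelayState"][0]


def parse_adfs_relaystate(inner: str) -> dict:
    """Decode the inner string as the receiving AD FS would, and validate it.

    Raises ValueError when RPID or RelayState is missing or duplicated, or when
    the target is not an https URL on an allow-listed host.
    """
    fields = parse_qs(inner, strict_parsing=True)
    for name in ("RPID", "RelayState"):
        if len(fields.get(name, [])) != 1:
            raise ValueError(f"RelayState must carry exactly one {name} field")
    rpid = fields["RPID"][0]
    target = fields["RelayState"][0]
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_TARGET_HOSTS:
        raise ValueError(f"refusing redirect target {target!r}")
    return {"rpid": rpid, "target": target}


if __name__ == "__main__":
    link = build_idp_initiated_url(
        "https://idp.example.org/sso",                      # constructed IdP endpoint
        "https://adfs.example.com/adfs/services/trust",     # constructed AD FS SPID
        "https://app.example.com/",                         # constructed RP identifier
        "https://app.example.com/portal/home?tab=1",        # constructed target URL
    )
    print(link)
    print(parse_adfs_relaystate(relaystate_from_url(link)))
```

Passing a bare target URL, as the question's link does, fails the `RPID` check in `parse_adfs_relaystate` rather than producing a usable context, which is consistent with the receiving AD FS reporting that the passive protocol context was not found. The receiving AD FS must also have RelayState support switched on for IdP-initiated sign-on, which on later versions is the `EnableRelayStateForIdpInitiatedSignOn` property the answer mentions.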