Edge not working with IdP request to ADFS 2019

Does IT Really Matter in NY 101 Reputation points
2020-07-16T16:01:23.07+00:00

We're testing to roll out Edge 83.0.478.58.
If we navigate to https://ourlocaldomain/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=https://partnerserver/partnerservice, Edge redirects to https://ourlocaldomain/adfs/ls/wia?LoginToRP=https://partnerserver/partnerservice&client-request-id=xxxx as expected. But instead of picking up the token when the ADFS 2019 server (running in same domain as users) sends the 200-OK and redirecting to the partner's site, Edge re-sends the GET for the adfs/ls/wia and our users get the below ADFS error page (I assume because the ADFS has already completed that client request). If the user re-enters the original IdP request URL, the process works as expected (I assume picking up the existing token from ADFS). It then works until the token expires.
[Screenshot: ADFS error page (annotation-2020-07-16-094945.png)]

The problem does not happen in IE11 nor in Chrome 83.0.4103.116. It is specific to Edge. We have this problem on Win7 SP1 as well as several versions of Win10. Edge doesn't have any issue with an SP initiated request, nor does it have a problem if ADFS already has a token cached for that user/machine. I've deleted and recreated the partner in ADFS. They have one claim that I then transform, so it shouldn't be a timeout type issue. I've looked at all the debugging and logs on the ADFS side and it really just looks like Edge is re-requesting the adfs/ls/wia page over again. I've verified that WiaSupportedUserAgents in Get-ADFSProperties has Mozilla/5.0 set (among many others). I'm really not sure what else to look at - if there are any Edge settings that might correct this, or if it's an actual bug with WIA in Edge. I tried posting in Edge forums, but they sent me to ADFS.

Any help is appreciated as I'm losing my hair over this.


Accepted answer
Does IT Really Matter in NY 101 Reputation points
2020-07-30T13:08:15.55+00:00

"Edg/*" was in the output.

Turned out the issue was that everyone was trying to open the link via a Word document. And for some reason the movement from the Word document to Edge would cause Edge to resend the GET request, which is how the error popped up. Once we moved the link to a Favorite within Edge, the issue went away.

I was curious if MS Word had a separate UA that it uses when sending requests, which it did. I added that to the WiaSupportedUserAgents list, but it didn't fix the problem of using SSO via a Word link. But the Word document was only for testing purposes anyway, so I consider the issue resolved.


1 additional answer

9704244848 186 Reputation points
2020-07-24T22:07:46.087+00:00

> I've verified that WiaSupportedUserAgents in Get-ADFSProperties has Mozilla/5.0 set (among many others).

Take a look at this article - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia.
Did you find "Edg/*" in your output from the cmdlet?

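As an added example (not code from either poster or from Microsoft), the following PowerShell audits the WIASupportedUserAgents list the answer refers to, reports which sample browsers would be routed to /adfs/ls/wia, and appends an entry only if it is missing. It assumes AD FS treats each configured entry as a case-insensitive substring of the User-Agent header; the sample UA strings are constructed for illustration.

```powershell
# Added example, not from the original thread. Run on an AD FS server with the ADFS module loaded.
# Assumption: AD FS offers WIA when any configured entry appears as a substring of the
# browser's User-Agent header; otherwise the request falls back to forms authentication.

function Test-WiaUserAgentMatch {
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $Configured
    )
    # Return every configured entry found in the UA (ordinal, case-insensitive).
    # An empty result means this client will not be offered WIA.
    $Configured | Where-Object {
        $UserAgent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

function Add-WiaUserAgentIfMissing {
    param([Parameter(Mandatory)] [string] $Entry)
    # Set-AdfsProperties replaces the whole list, so always re-read before appending.
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($current -contains $Entry) {
        Write-Host "'$Entry' already configured; nothing changed."
        return
    }
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Entry)
    Write-Host "Added '$Entry'. Review the list on every farm node after replication."
}

# --- Audit the current list ---
$wia = @((Get-AdfsProperties).WIASupportedUserAgents)
Write-Host "Configured WIA user-agent entries:"
$wia | ForEach-Object { Write-Host "  $_" }

# Constructed sample User-Agent strings (placeholders, not captured from the thread).
$samples = [ordered]@{
    'Chromium Edge (Edg/ token)' = 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/83.0.0.0 Safari/537.36 Edg/83.0.0.0'
    'Legacy Edge (Edge/ token)'  = 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/64.0.0.0 Safari/537.36 Edge/18.0'
    'Non-browser client'         = 'ExampleClient/1.0 (placeholder)'
}
foreach ($name in $samples.Keys) {
    $hits = @(Test-WiaUserAgentMatch -UserAgent $samples[$name] -Configured $wia)
    if ($hits.Count -gt 0) { Write-Host "$name -> WIA (matched: $($hits -join ', '))" }
    else                   { Write-Host "$name -> no WIA (forms fallback)" }
}

# Remediation the answer points at: make sure the Chromium Edge token is present.
# Add-WiaUserAgentIfMissing -Entry 'Edg/'
```

Uncomment the final line to apply the change; keeping "Mozilla/5.0" in the list, as the question describes, already matches every mainstream browser, so a missing "Edg/" entry alone would not explain the repeated GET to /adfs/ls/wia.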