AD FS Troubleshooting - Idp-Initiated Sign On

The AD FS sign-on page can be used to test whether authentication is working: navigate to the page and sign in. The sign-in page also lists every SAML 2.0 relying party, so you can use it to verify that all of them are present.

Enable the Idp-Initiated Sign on page

By default, AD FS in Windows 2016 does not have the sign-on page enabled. To enable it, use the PowerShell cmdlet Set-AdfsProperties. Use the following procedure:

  1. Open Windows PowerShell.
  2. Enter Get-AdfsProperties and press Enter.
  3. Verify that EnableIdpInitiatedSignonPage is set to False.
  4. In PowerShell, enter: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
  5. The cmdlet returns no confirmation, so enter Get-AdfsProperties again and verify that EnableIdpInitiatedSignonPage is now set to True.
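The procedure above, as an added PowerShell example that is not part of the original article: it records the current value, enables the page, reads the property back (since Set-AdfsProperties prints nothing), and provides a function to restore the default once troubleshooting is done. It assumes an elevated PowerShell session on an AD FS server where the ADFS module is loaded; the function names are my own.

```powershell
# Added example (not from the original article). Assumes an elevated session
# on an AD FS server with the ADFS module available.

function Get-IdpInitiatedSignonState {
    # Read the single property the procedure checks; returns $true or $false.
    [bool](Get-AdfsProperties).EnableIdpInitiatedSignonPage
}

function Enable-IdpInitiatedSignonForTest {
    # Remember the current setting so it can be put back after the test.
    $before = Get-IdpInitiatedSignonState
    if (-not $before) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    }
    # Set-AdfsProperties gives no confirmation; re-read to verify the change.
    if (-not (Get-IdpInitiatedSignonState)) {
        throw "EnableIdpInitiatedSignonPage is still False after Set-AdfsProperties"
    }
    return $before
}

function Restore-IdpInitiatedSignonState {
    # Put the property back to the value captured before the test.
    param([Parameter(Mandatory)][bool]$Original)
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $Original
    if ((Get-IdpInitiatedSignonState) -ne $Original) {
        throw "EnableIdpInitiatedSignonPage was not restored to $Original"
    }
}

# Usage: enable, run the sign-on tests from the sections below, then restore.
$original = Enable-IdpInitiatedSignonForTest
Write-Host "IdP-initiated sign-on page enabled (previous value: $original)."
# ... browse to the sign-on page and complete the tests ...
Restore-IdpInitiatedSignonState -Original $original
Write-Host "Setting restored to $original."
```

Keeping the page enabled only for the duration of the test returns the server to its Windows 2016 default afterwards.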

Test authentication

Use the following procedure to test AD FS authentication with the Idp-Initiated Sign-on page.

  1. Open a web browser and navigate to the Idp sign-on page. Example:
  2. You should be prompted to sign in. Enter your credentials.
  3. If this was successful, you are now signed in.

Test authentication using a seamless logon experience

You can test the seamless logon experience by making sure that the URLs of your AD FS servers are added to the Local intranet zone in Internet Options. Use the following procedure:

  1. On a Windows 10 client, click Start, type "internet options", and select Internet Options.
  2. Click the Security tab, click Local intranet, and click the Sites button.
  3. Click Advanced.
  4. Enter your URL and click Add. Click Close.
  5. Click OK. Click OK. This closes Internet Options.
  6. Open a web browser and navigate to the Idp sign-on page. Example:
  7. Click the Sign in button. You should be signed in automatically without being prompted for credentials.

Next Steps