AD FS Troubleshooting - Idp-Initiated Sign On
The AD FS sign-on page can be used to test whether or not authentication is working. This is done by navigating to the page and signing in. Also, we can use the sign-in page to verify that all SAML 2.0 relying parties are listed.
Enable the Idp-Initiated Sign on page
By default, AD FS in Windows 2016 does not have the sign on page enabled. In order to enable it you can use the PowerShell command Set-AdfsProperties. Use the following procedure to enable the page:
- Open Windows PowerShell
- Enter Get-AdfsProperties and hit enter
- Verify that EnableIdpInitiatedSignonPage is set to false
- In PowerShell, enter:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
- You will not see a confirmation, so enter Get-AdfsProperties again and verify that EnableIdpInitiatedSignonPage is set to true.
Use the following procedure to test AD FS authentication with the Idp-Initiated Sign on page.
- Open a web browser and navigate to the Idp sign on page. Example: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx
- You should be prompted to sign-in. Enter your credentials.
- If this was successful you should be signed in.
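The enable-verify-test sequence above as a script. This is an added example, not part of the original article: it assumes the AD FS PowerShell module is loaded on a federation server and uses sts.contoso.com as a placeholder farm host. Because Set-AdfsProperties prints nothing, it re-reads the property to confirm the change, probes the page over HTTPS, and then restores the previous (default, disabled) state so the test page is not left exposed.

```powershell
# Added example (not from the original article). Assumes the AD FS module
# is available and $FarmHost is a placeholder for your federation service.
param(
    [string]$FarmHost = 'sts.contoso.com'   # placeholder hostname
)

function Set-IdpSignonPage {
    param([bool]$Enabled)
    # Set-AdfsProperties gives no confirmation, so read the value back
    # and fail loudly if it did not take effect.
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $Enabled
    $actual = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
    if ($actual -ne $Enabled) {
        throw "EnableIdpInitiatedSignonPage is $actual, expected $Enabled"
    }
    Write-Host "EnableIdpInitiatedSignonPage is now $actual"
}

function Test-IdpSignonPage {
    param([string]$FarmHost)
    $url = "https://$FarmHost/adfs/ls/idpinitiatedsignon.aspx"
    try {
        # -UseBasicParsing: only the HTTP status is needed, no IE engine.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Host "$url returned HTTP $($resp.StatusCode)"
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "$url not reachable or disabled: $($_.Exception.Message)"
        return $false
    }
}

# Record the current state so it can be restored after the test.
$wasEnabled = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Write-Host "Before: EnableIdpInitiatedSignonPage = $wasEnabled"

if (-not $wasEnabled) { Set-IdpSignonPage -Enabled $true }
$ok = Test-IdpSignonPage -FarmHost $FarmHost

# Return the page to its previous (disabled by default) state.
if (-not $wasEnabled) { Set-IdpSignonPage -Enabled $false }

if (-not $ok) { Write-Error "IdP-initiated sign-on page test failed" }
```

An HTTP 200 only shows the endpoint is being served; complete the interactive sign-in in a browser, as described above, to confirm authentication itself works.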
Test authentication using a seamless logon experience
You can test the seamless logon experience by making sure that the URL for your AD FS servers is added to the local intranet zone of your internet options. Use the following procedure:
- On a Windows 10 client, click Start, type internet options, and select Internet Options.
- Click the Security tab, click Local intranet, and click the Sites button.
- Enter your URL and click Add. Click Close.
- Click OK. Click OK. This should close Internet Options.
- Open a web browser and navigate to the Idp sign on page. Example: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx
- Click the sign in button. You should automatically sign in and not be prompted for credentials.
The AD FS sign-on page cannot be used to initiate a sign-on with a claims provider trust that is configured with a WS-Federation passive endpoint only. Register a relying party such as ClaimsXRay to verify that a WS-Federation claims provider trust works as intended.