ADFS RelayState for IDP Initiated Signon

ADFS RelayState Overview

• ADFS RelayState allows for direct links to specific resources, such as a Lynda.com video.
• ADFS RelayState is not enabled by default.

Enable ADFS RelayState

• For ADFS 2.x, open the following file in Notepad:

%systemroot%\inetpub\adfs\ls\web.config

• For ADFS 3.0, open the following file in Notepad:

%systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config

• In the microsoft.identityServer.web section, add a line for useRelyStateForIdpInitiatedSignOn as follows, and save the change:

<microsoft.identityServer.web>
 ... 
<useRelayStateForIdpInitiatedSignOn enabled="true" />
 ... 
</microsoft.identityServer.web> 

• For ADFS 2.0, run IISReset to restart IIS.
• For both platforms, restart the Active Directory Federation Services (adfssrv) service.
• If you’re using ADFS 3.0 you only need to do the above on your ADFS 3.0 server(s), not the WAP servers.

ADFS RelayState URLs

• There are three parts to these URLs
  • IDP URL String: This is the standard URL used to access your AD FS authentication page.
  • Relying Party Identifier: This is the identifier found in AD FS for this site. ADFS –> Trust Relationships –> Relying Party Trusts –> site –> Identifiers tab
  • RelayState: This is the URL for the final destination.
• These URLs must be encoded

RelayState URL Generator

https://itdocs.housingservices.com/documents/GenerateRelayState.html

Miscellaneous Notes

• Lynda.com links must have the following appended to the end of the basic URL before encoding. (e.g. http://www.lynda.com/Business-Skills-tutorials/Onboarding-New-Hires/165496-2.html?org=housingservices.com?org=housingservices.com)