How to Enable RelayState in ADFS 2.0 and ADFS 3.0

Friday, November 7, 2014
RelayState is a parameter of the SAML protocol that is used to identify the specific resource the user will access after they are signed in and directed to the relying party’s federation server. It is used by Google Apps and other SAML 2.0 resource providers.

If RelayState is not enabled in AD FS, users will see something similar to this error after they authenticate to resource providers that require it:

The Required Response Parameter RelayState Was Missing

For ADFS 2.0, you must install update KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide RelayState support. ADFS 3.0 has RelayState support built in. In both cases RelayState still needs to be enabled.

Use the following steps to enable the RelayState parameter on your AD FS servers:

  • For ADFS 2.0, open the following file in Notepad: 
%systemroot%\inetpub\adfs\ls\web.config
  • For ADFS 3.0, open the following file in Notepad:
%systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config

  • In the microsoft.identityServer.web section, add a line for useRelyStateForIdpInitiatedSignOn as follows, and save the change:
<microsoft.identityServer.web>    ...    <useRelayStateForIdpInitiatedSignOn enabled="true" />    ...</microsoft.identityServer.web>
  • For ADFS 2.0, run IISReset to restart IIS.
  • For both platforms, restart the Active Directory Federation Services (adfssrv) service.
If you're using ADFS 3.0 you only need to do the above on your ADFS 3.0 servers, not the WAP servers.


by at
Tags , ,

No comments:

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.

Subscribe to: Post Comments (Atom)