Otdfbt

Multi tool use

How should I tell my manager I'm not paying for an optional after work event I'm not going to?

Would glacier 'trees' be plausible?

How can I support myself financially as a 17 year old with a loan?

Purpose of のは in this sentence?

Send iMessage from Firefox

Upside-Down Pyramid Addition...REVERSED!

What matters more when it comes to book covers? Is it ‘professional quality’ or relevancy?

What property of a BJT transistor makes it an amplifier?

Position of past participle and extent of the Verbklammer

Randomness of Python's random

Is latino sine flexione dead?

Why was the battle set up *outside* Winterfell?

Can a nothic's Weird Insight action discover secrets about a player character that the character doesn't know about themselves?

How was the quadratic formula created?

How does this change to the opportunity attack rule impact combat?

Why do money exchangers give different rates to different bills?

I have a unique character that I'm having a problem writing. He's a virus!

Getting a W on your transcript for grad school applications

What was the design of the Macintosh II's MMU replacement?

Manager is threatening to grade me poorly if I don't complete the project

Point of the the Dothraki's attack in GoT S8E3?

String won't reverse using reverse_copy

Make some Prime Squares!

Building a list of products from the elements in another list

AD FS 3.0 does not redirect back to relying party

ADFS Relying PartyAdding an RP to ADFS 2ADFS SAML Single LogoutWhy is ADFS not passing credentials through with Integrated Windows Authentiation?AD FS 3.0 Event ID 364 while creating MFA (and SSO)OWA error after the redirect from office365 login pageOAuth2 on ADFS with Multiple Claims Provider TrustsInstall Microsoft Dynamics CRM 2016 with IFD and ADFS on the same server using port 443ADFS - Correct way to massively provision relying party trusts for many similar SAML service providerADFS Signing error

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

So we have an installation of AD FS 3.0 (Windows Server 2012 R2 role) and a configured relying party. The relying party configuration in AD FS has the appropriate endpoint configured to service logout requests (see attached pics).

A client would browse to: https://adfs.dmz.local/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fportal.dmz.local%3a44303%2fLogout&wtrealm=https%3a%2f%2fportal.dmz.local%3a44303%2f

Instead of being redirected back to the relying party (via the wreply parameter), they are instead just left on the AD FS logout page.

Any ideas why AD FS would not be honouring the redirect? Note: whether the "trusted Url" is the same as the one above or not, the redirect doesn't work.

Edit: so I had this misconfigured entirely. The "Example" is incredibly misleading. This needs to be an endpoint implementing logout for SAML. As a result, this question isn't valid.

windows-server-2012-r2 adfs

share|improve this question

edited Oct 5 '14 at 10:35

Rob Sanders

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

add a comment | 

0

So we have an installation of AD FS 3.0 (Windows Server 2012 R2 role) and a configured relying party. The relying party configuration in AD FS has the appropriate endpoint configured to service logout requests (see attached pics).

A client would browse to: https://adfs.dmz.local/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fportal.dmz.local%3a44303%2fLogout&wtrealm=https%3a%2f%2fportal.dmz.local%3a44303%2f

Instead of being redirected back to the relying party (via the wreply parameter), they are instead just left on the AD FS logout page.

Any ideas why AD FS would not be honouring the redirect? Note: whether the "trusted Url" is the same as the one above or not, the redirect doesn't work.

Edit: so I had this misconfigured entirely. The "Example" is incredibly misleading. This needs to be an endpoint implementing logout for SAML. As a result, this question isn't valid.

windows-server-2012-r2 adfs

share|improve this question

edited Oct 5 '14 at 10:35

Rob Sanders

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

add a comment | 

So we have an installation of AD FS 3.0 (Windows Server 2012 R2 role) and a configured relying party. The relying party configuration in AD FS has the appropriate endpoint configured to service logout requests (see attached pics).

A client would browse to: https://adfs.dmz.local/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fportal.dmz.local%3a44303%2fLogout&wtrealm=https%3a%2f%2fportal.dmz.local%3a44303%2f

Instead of being redirected back to the relying party (via the wreply parameter), they are instead just left on the AD FS logout page.

Any ideas why AD FS would not be honouring the redirect? Note: whether the "trusted Url" is the same as the one above or not, the redirect doesn't work.

Edit: so I had this misconfigured entirely. The "Example" is incredibly misleading. This needs to be an endpoint implementing logout for SAML. As a result, this question isn't valid.

windows-server-2012-r2 adfs

share|improve this question

edited Oct 5 '14 at 10:35

Rob Sanders

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

share|improve this question

edited Oct 5 '14 at 10:35

Rob Sanders

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

share|improve this question

edited Oct 5 '14 at 10:35

Rob Sanders

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

asked Oct 2 '14 at 4:15

Rob SandersRob Sanders

14129

1 Answer
1

active

oldest

votes

1

You are mixing things up. You are adding WS-Federation parameters in a SAML Protocol configuration box. That is wrong.

The wreply parameter is another story.

share|improve this answer

answered Oct 2 '14 at 9:49

paullempaullem

32113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  OK, any advice on what SAML parameters should be set?
  
  – Rob Sanders
  Oct 3 '14 at 0:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I do not yet understand the details of what you want. You will have to tell me first what protocol the Relying Party will use. Is it SAML2 or WS-Federation (passive)? For WS-Federation one URL should be enough and a Unique entity ID. For SAML it depends on what the SP/RP has configured. In general you should not do it manually. You should ask the RP/SP for its metadata and configure ADFS with the metadata. Manual configuration is an advanced topic, try not to go there.
  
  – paullem
  Oct 3 '14 at 14:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  paullem: so I had misunderstood the configuration. We're dealing with SAML 2.0 only, not WS-Fed. I was going down the wrong path but now I realise where I went wrong. This question isn't a valid one.
  
  – Rob Sanders
  Oct 5 '14 at 10:33
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f632950%2fad-fs-3-0-does-not-redirect-back-to-relying-party%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

You are mixing things up. You are adding WS-Federation parameters in a SAML Protocol configuration box. That is wrong.

The wreply parameter is another story.

share|improve this answer

answered Oct 2 '14 at 9:49

paullempaullem

32113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  OK, any advice on what SAML parameters should be set?
  
  – Rob Sanders
  Oct 3 '14 at 0:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I do not yet understand the details of what you want. You will have to tell me first what protocol the Relying Party will use. Is it SAML2 or WS-Federation (passive)? For WS-Federation one URL should be enough and a Unique entity ID. For SAML it depends on what the SP/RP has configured. In general you should not do it manually. You should ask the RP/SP for its metadata and configure ADFS with the metadata. Manual configuration is an advanced topic, try not to go there.
  
  – paullem
  Oct 3 '14 at 14:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  paullem: so I had misunderstood the configuration. We're dealing with SAML 2.0 only, not WS-Fed. I was going down the wrong path but now I realise where I went wrong. This question isn't a valid one.
  
  – Rob Sanders
  Oct 5 '14 at 10:33
  

  
  
  
  

add a comment | 

1

You are mixing things up. You are adding WS-Federation parameters in a SAML Protocol configuration box. That is wrong.

The wreply parameter is another story.

share|improve this answer

answered Oct 2 '14 at 9:49

paullempaullem

32113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  OK, any advice on what SAML parameters should be set?
  
  – Rob Sanders
  Oct 3 '14 at 0:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I do not yet understand the details of what you want. You will have to tell me first what protocol the Relying Party will use. Is it SAML2 or WS-Federation (passive)? For WS-Federation one URL should be enough and a Unique entity ID. For SAML it depends on what the SP/RP has configured. In general you should not do it manually. You should ask the RP/SP for its metadata and configure ADFS with the metadata. Manual configuration is an advanced topic, try not to go there.
  
  – paullem
  Oct 3 '14 at 14:26
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  paullem: so I had misunderstood the configuration. We're dealing with SAML 2.0 only, not WS-Fed. I was going down the wrong path but now I realise where I went wrong. This question isn't a valid one.
  
  – Rob Sanders
  Oct 5 '14 at 10:33
  

  
  
  
  

add a comment | 

You are mixing things up. You are adding WS-Federation parameters in a SAML Protocol configuration box. That is wrong.

The wreply parameter is another story.

share|improve this answer

answered Oct 2 '14 at 9:49

paullempaullem

32113

share|improve this answer

answered Oct 2 '14 at 9:49

paullempaullem

32113

answered Oct 2 '14 at 9:49

paullempaullem

32113

answered Oct 2 '14 at 9:49

paullempaullem

32113