Set Different Destination / Recipient URL from POST URL in ADFS SAML Request
I am trying to set up ADFS SSO SAML, however I require the POST Request to go to one URL for example: https://test.com
but the SAML Recipient and Destination URLs must be different, for example: https://test.com/testing123.jsp
How can this be done within ADFS?
Thank you
Active Directory Federation Services
-
Pierre Audonnet - MSFT 10,166 Reputation points • Microsoft Employee
2020-12-14T18:47:11.53+00:00 I am not sure I fully follow here :)
There are two types of bindings for SAML assertion consumer endpoints: POST and Redirect. It dictates how ADFS redirects the user to the SP. POST means that the token is sent in an HTML form automatically posted to the URL using JavaScript. The second means that it is going to be in the URL as query strings.
A SAML relying party trust can have one or multiple identifiers. And those identifiers can be in a URI format (URL is an example of URI format). And these URIs don't have to match the URL used in the binding profiles.
What do you need exactly?
-
gal mik 11 Reputation points
2020-12-14T19:44:36.967+00:00 Hey thank you for the quick reply,
I hope I understood what you meant, we are using
SAML 2.0 WebSSO - in my case the SAML (base64-encrypted XML data) is being sent via an HTTP POST request. The XML has many values within it; however, what I am focusing on is the value within the "Response" called "Destination" and the value within Subject >> SubjectConfirmationData > "Recipient", which are automatically populated when using the ADFS wizard/settings when setting up an identifier > and setting up an endpoint and giving it a "Trusted URL". This trusted URL is inserted automatically into the values I mentioned above. We need the request to be POSTed to a specific URL; however, in the destination and recipient values (which I believe is where the response goes to) we need a different endpoint (URL), otherwise the SSO will not work correctly.
Please let me know if that makes sense, I have attached screenshots below as well
-
gal mik 11 Reputation points
2020-12-14T19:45:15.993+00:00 -
Pierre Audonnet - MSFT 10,166 Reputation points • Microsoft Employee
2020-12-14T20:14:02.487+00:00 That's an odd request. https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf says that
a Recipient attribute containing the service provider's assertion consumer service URL
So it makes sense that it contains what we see in the ADFS console as the assertion consumer endpoint.
I am not sure if (1) you could change it, and (2) you should do so. Why in your case must those two be different?
-
gal mik 11 Reputation points
2020-12-15T00:03:51.55+00:00 It is a requirement from the provider side that expects the values to be as such to trigger a specific flow for the SSO.
However I don't think it's too odd as Okta provides it easily out of the box as part of their set up as you can see in this screenshot:
-
Pierre Audonnet - MSFT 10,166 Reputation points • Microsoft Employee
2020-12-15T04:55:22.087+00:00 What is the single sign on URL in here? Is that the assertion consumer endpoint? Or just a random URL that happens to redirect the user to the authentication page? Because if that's the second, then it doesn't have to be anywhere in the ADFS relying party trust configuration.
Example: you could have a user click on https://shorturl.com/myapp to access an application protected by ADFS. This URL is in fact just redirecting to ADFS with the proper SAML auth request in the query string and/or the proper relay state information. Once redirected to ADFS for login, ADFS will (through the user's user agent) post a token to the actual endpoint (since we are talking about a POST endpoint here) that consumes the assertions. In that case the Destination and the Recipient URL are the same (the actual assertion consumer endpoint) but the "SSO URL" is different. ADFS is agnostic of that setting. Is that what you are trying to do?
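The reason Recipient and Destination are tied to the assertion consumer endpoint, as the spec quote above and this explanation describe, is that the service provider is expected to compare both against the URL on which it actually received the HTTP POST before trusting the token. The following Python is an added example of that SP-side check; it is not code from the thread, from ADFS, or from Okta. It assumes the two URLs from the question (https://test.com/testing123.jsp as the ACS URL, https://test.com as the SP identifier), a made-up ADFS issuer, and a constructed, unsigned sample Response. XML signature validation is deliberately omitted and must happen before these checks in a real SP (for example with python3-saml); the example only shows the URL, audience and expiry checks.

```python
"""SP-side check of Destination and SubjectConfirmationData/@Recipient in a
SAML 2.0 Response delivered by HTTP-POST.  Added example, not ADFS code.
Signature validation is out of scope here and must run first in a real SP.
A real SP should also parse with defusedxml rather than bare ElementTree."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP values: the URLs are the ones from the question, the issuer is invented.
ACS_URL = "https://test.com/testing123.jsp"
SP_ENTITY_ID = "https://test.com"
IDP_ISSUER = "http://adfs.example.test/adfs/services/trust"


def build_sample_response(destination=ACS_URL, recipient=ACS_URL):
    """Return a constructed, unsigned base64 SAMLResponse shaped like an ADFS token."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-12-14T18:47:11Z" Destination="{destination}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-12-14T18:47:11Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


SAMPLE_RESPONSE_B64 = build_sample_response()


def _parse_instant(value):
    # SAML uses xsd:dateTime in UTC with a trailing Z; fromisoformat wants +00:00 before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(saml_response_b64, posted_to_url, sp_entity_id, now=None):
    """Return a list of failures; an empty list means the URL, audience and time checks passed.

    posted_to_url is the URL the SP actually received the POST on.  Recipient must equal
    the ACS URL the response arrived at, and Destination (when present) must equal the
    URL the message was delivered to; a token posted anywhere else is rejected.
    """
    now = now or datetime.now(timezone.utc)
    failures = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]

    destination = root.get("Destination")
    if destination is not None and destination != posted_to_url:
        failures.append(f"Destination {destination!r} != posted-to URL {posted_to_url!r}")

    confirmations = root.findall(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if not confirmations:
        failures.append("no SubjectConfirmationData")
    for scd in confirmations:
        recipient = scd.get("Recipient")
        if recipient != posted_to_url:
            failures.append(f"Recipient {recipient!r} != posted-to URL {posted_to_url!r}")
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after is None or now >= _parse_instant(not_on_or_after):
            failures.append("bearer confirmation missing or expired")

    audiences = [a.text for a in root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append(f"audience {audiences!r} does not include {sp_entity_id!r}")
    return failures


if __name__ == "__main__":
    # Token posted to the ACS URL it names: passes.  Same token posted to the
    # bare site URL, which is what the question asks for: both checks fail.
    print(check_saml_response(SAMPLE_RESPONSE_B64, ACS_URL, SP_ENTITY_ID))
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://test.com", SP_ENTITY_ID))
```

Run it as a script to see the two outcomes: the sample passes when it is posted to the URL its Destination and Recipient name, and fails both checks when it is posted to https://test.com instead. That is the mismatch the question is asking ADFS to produce, and why a spec-conformant SP would refuse the token.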
-
gal mik 11 Reputation points
2020-12-18T17:31:38.243+00:00 It is the first option you mentioned,
Here are the definitions of the items in the above screenshot:
Do you think there is any way to make this happen in ADFS?
Many thanks
-
galmik2222 1 Reputation point
2021-01-04T12:22:39.247+00:00 Hey piaudonn, have you had a chance to review my last answer?
Many thanks
-
Pierre Audonnet - MSFT 10,166 Reputation points • Microsoft Employee
2021-01-21T23:17:48.347+00:00 Yep. Unfortunately, it is not possible to do so with the current version of ADFS.
And it is not possible as of today in Azure AD either. That said, for that last point, you can submit the request here: https://feedback.azure.com/forums/169401-azure-active-directory (apparently nobody has asked for it yet).