
IDP SAML authentication redirects to ADFS

Kavya Imandi 0 Reputation points
May 19, 2023, 3:08 PM

Hi,

We have a few SAML configurations in Azure AD for different applications, and we see that all the authentication is redirected to ADFS even though it initially starts with the Microsoft login portal.

I see that a few months back there was a similar question, and I have gone through that, but I still couldn't wrap my mind around the guest user that is referred to there.

https://learn.microsoft.com/en-us/answers/questions/969280/external-idp-saml-authentication-redirect-to-adfs

If the guest user here is in reference to the user type, then the users I'm talking about have Member as their user type. And it is not only the applications' SAML configurations; even when I try to log in to Azure AD it shows the same behavior.

Can you give more details so I can understand better?


1 answer

  1. Sandeep G-MSFT 20,736 Reputation points Microsoft Employee
    May 22, 2023, 1:02 PM

    @Kavya Imandi

    This happens because your Azure AD domain is federated with ADFS. Let's take a scenario where you have 2 custom domains in Azure AD, DomainA.com and DomainB.com. Out of these domains you have DomainA.com federated with ADFS. This means any user who has the UPN suffix "@domainA.com" will be redirected to ADFS for authentication.

    Now, whenever a user with the UPN suffix "@domainA.com" tries to access any application which is configured in Azure AD, they will be redirected to ADFS for authentication. Basically, the user tries to access the application, and the application redirects the request to Azure AD. Azure AD will prompt for credentials. When the user enters a UPN with the suffix "@domainA.com", Azure AD will check its database and know that this domain is federated. So Azure AD will forward the request to ADFS for authentication.

    This happens with any protocol (SAML, OIDC) that the application is using. First the request lands on the login.microsoft.com endpoint. This is the Azure AD authentication endpoint. Once the user enters their UPN, the request is redirected to ADFS for authentication.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

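The home-realm discovery step described in the answer above, as an added example that is not part of the original thread: given a domain list in the shape Microsoft Graph returns from `GET /domains` (constructed sample below, placeholder domain names), it resolves a UPN suffix to its `authenticationType` and reports whether sign-in will be handed to the federation provider or stay in Azure AD. The helper names (`load_domain_auth_types`, `home_realm`, `audit_federated_domains`) are this example's own.

```python
import json

# Constructed sample in the shape of a Microsoft Graph GET /domains response
# ("value" array of domain objects). Domain names are placeholders.
SAMPLE_DOMAINS_JSON = """
{
  "value": [
    {"id": "domaina.com", "isVerified": true, "authenticationType": "Federated"},
    {"id": "domainb.com", "isVerified": true, "authenticationType": "Managed"},
    {"id": "contoso.onmicrosoft.com", "isVerified": true, "authenticationType": "Managed"}
  ]
}
"""


def load_domain_auth_types(graph_json: str) -> dict:
    """Map each verified domain name (lower-cased) to its authenticationType."""
    doc = json.loads(graph_json)
    return {
        d["id"].lower(): d["authenticationType"]
        for d in doc["value"]
        if d.get("isVerified")
    }


def home_realm(upn: str, auth_types: dict) -> str:
    """Return where Azure AD will send this UPN for credential validation.

    The UPN suffix selects the tenant domain; a Federated domain is handed off
    to the federation provider (ADFS in the thread), a Managed domain is
    authenticated by Azure AD itself, and an unknown suffix is flagged.
    """
    if "@" not in upn:
        raise ValueError(f"not a UPN: {upn!r}")
    suffix = upn.rsplit("@", 1)[1].lower()
    auth_type = auth_types.get(suffix)
    if auth_type is None:
        return "unknown-domain"  # not a verified domain of this tenant
    return "federated-idp" if auth_type == "Federated" else "azure-ad"


def audit_federated_domains(auth_types: dict) -> list:
    """List the domains whose sign-ins are redirected to the federation provider."""
    return sorted(d for d, t in auth_types.items() if t == "Federated")


if __name__ == "__main__":
    types = load_domain_auth_types(SAMPLE_DOMAINS_JSON)
    print("federated domains:", audit_federated_domains(types))
    for u in ("alice@DomainA.com", "bob@domainb.com", "eve@other.example"):
        print(u, "->", home_realm(u, types))
```

To pull the real list for a tenant instead of the sample, the same `id` and `authenticationType` fields come back from `Get-MgDomain` in the Microsoft Graph PowerShell module, or from the `/domains` endpoint directly.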
