This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 39%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIJ%3C/text%3E%3C/svg%3E)
We have a requirement from a service provider to provide SSO for two separate parts of their web service - a user endpoint and an admin endpoint. We have a single RP identifier that applies to both so we have configured two endpoints with the respective URLs.
We've then generated two separate links as this is iDP initiated with RelayState using the RP identifier and each endpoint URL, e.g.
User Landing Page:
https://adfs.us.co.uk/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dsp.identifier%26RelayState%3Dhttps%253A%252F%252Fspsite.com%252FSSO%252FSAML2%252Felement%252F**user**
Admin Landing Page:
https://adfs.us.co.uk/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dsp.identifier%26RelayState%3Dhttps%253A%252F%252Fspsite.com%252FSSO%252FSAML2%252Felement%252F**admin**
Both URLs take us to the user landing page. In the endpoint configuration this Index 0 and the admin is Index 1. If I swap the URLs into alternate indexes then the admin page loads no matter which link I use. This defaults to URL with the lowest index defined, note: neither are set as trusted URL as default.
How do we differentiate the index using RelayState or LoginToRP for an iDP initiated sign-on? I've not been able to find a definitive answer. Thanks.
It'll be interesting to hear if there is an answer to this challenge.
Fortunately the third party development team came back to us and despite the same RP Identifier being specified for both endpoints it's not actually reference in their code. So we could put any string in.
So, problem resolved. I created a new relying party for the other endpoint and used LoginToRP to point to the relevant RPID in order for a shorter and less complex URL.