AD FS - Single Identifier with Multiple Endpoints - Index Selection in IdP-Initiated Sign-On?
We have a requirement from a service provider to provide SSO for two separate parts of their web service - a user endpoint and an admin endpoint. We have a single RP identifier that applies to both so we have configured two endpoints with the respective URLs.
We've then generated two separate links, as this is IdP-initiated with RelayState, using the RP identifier and each endpoint URL, e.g.
User Landing Page:
https://adfs.us.co.uk/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dsp.identifier%26RelayState%3Dhttps%253A%252F%252Fspsite.com%252FSSO%252FSAML2%252Felement%252F**user**
Admin Landing Page:
https://adfs.us.co.uk/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dsp.identifier%26RelayState%3Dhttps%253A%252F%252Fspsite.com%252FSSO%252FSAML2%252Felement%252F**admin**
Both URLs take us to the user landing page. In the endpoint configuration this is Index 0 and the admin is Index 1. If I swap the URLs into the alternate indexes, then the admin page loads no matter which link I use. This defaults to the URL with the lowest index defined; note: neither is set as the trusted URL by default.
How do we differentiate the index using RelayState or LoginToRP for an IdP-initiated sign-on? I've not been able to find a definitive answer. Thanks.
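The following is an added example, not code from the original post, that builds and decodes the two-level RelayState links described above so the encoding can be checked. It assumes the AD FS host `adfs.us.co.uk`, the RP identifier `sp.identifier` and the two landing-page URLs from the question; the function names are hypothetical. Each nesting level is URL-encoded once more than the previous one, which is why the target URL ends up with `%253A` / `%252F` in the final link. The decoder shows what the link actually carries: an RPID and an inner RelayState value, which in SAML is opaque to the IdP and is handed to the SP as-is. No endpoint index appears anywhere in the link.

```python
from urllib.parse import urlencode, parse_qs, urlparse

# Values taken from the question (hypothetical environment).
ADFS_HOST = "adfs.us.co.uk"
RPID = "sp.identifier"
USER_TARGET = "https://spsite.com/SSO/SAML2/element/user"
ADMIN_TARGET = "https://spsite.com/SSO/SAML2/element/admin"


def build_idp_initiated_link(rpid: str, target_url: str, adfs_host: str = ADFS_HOST) -> str:
    """Build an AD FS IdP-initiated sign-on link with a nested RelayState.

    Inner level:  RPID=<rpid>&RelayState=<target>, each value encoded once.
    Outer level:  the whole inner string becomes the value of the outer
                  RelayState parameter and is encoded a second time.
    """
    inner = urlencode({"RPID": rpid, "RelayState": target_url})
    outer = urlencode({"RelayState": inner})
    return f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?{outer}"


def decode_idp_initiated_link(url: str) -> dict:
    """Undo both encoding levels and return what the link carries.

    Only two pieces of information are present: the RP identifier AD FS uses to
    pick the relying-party trust, and the inner RelayState, which the IdP treats
    as opaque and passes through to the SP. There is no endpoint-index field.
    """
    outer_qs = parse_qs(urlparse(url).query)      # decodes the outer level once
    inner_qs = parse_qs(outer_qs["RelayState"][0])  # decodes the inner level
    return {
        "rpid": inner_qs["RPID"][0],
        "sp_relay_state": inner_qs["RelayState"][0],
    }


def compare_links(link_a: str, link_b: str) -> dict:
    """Report how two IdP-initiated links differ from AD FS's point of view."""
    a, b = decode_idp_initiated_link(link_a), decode_idp_initiated_link(link_b)
    return {
        "same_rpid": a["rpid"] == b["rpid"],
        "same_sp_relay_state": a["sp_relay_state"] == b["sp_relay_state"],
    }


if __name__ == "__main__":
    user_link = build_idp_initiated_link(RPID, USER_TARGET)
    admin_link = build_idp_initiated_link(RPID, ADMIN_TARGET)
    print("User link: ", user_link)
    print("Admin link:", admin_link)
    print("Decoded admin link:", decode_idp_initiated_link(admin_link))
    print("Difference:", compare_links(user_link, admin_link))
```

Running it reproduces the two URLs in the question character for character, and `compare_links` shows that the only thing distinguishing them is the inner RelayState, i.e. the value the SP receives. Whether that value changes where the assertion is delivered is up to the SP and the endpoint configuration, not to anything encoded in the link.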