Edit

Share via

Troubleshoot AD FS IdP-initiated sign-in

You can use the Active Directory Federation Services (AD FS) sign-in page to check if authentication is working. To do this test, you go to the page and sign in. Also, you can use the sign-in page to verify that all SAML 2.0 relying parties are listed.

Enable the IdP-initiated sign-in page

By default, AD FS in Windows 2016 doesn't have the sign-in page enabled. To enable the page, use the PowerShell command Set-AdfsProperties. Use the following procedure to enable the page:

  1. Open Windows PowerShell.

  2. Enter Get-AdfsProperties.

  3. Verify that the EnableIdpInitiatedSignonPage property is set to False.

    Screenshot that shows PowerShell output highlighting that the EnableIdpInitiatedSignonPage property is set to false.

  4. In PowerShell, enter Set-AdfsProperties -EnableIdpInitiatedSignonPage $true.

  5. PowerShell doesn't provide a confirmation for the Set-AdfsProperties command. To confirm that the EnableIdpInitatedSignonPage property is set to True, enter the Get-AdfsProperties command again and check the value for the property.

    Screenshot that shows PowerShell output highlighting that the EnableIdpInitiatedSignonPage property is set to True.

Test authentication

Use the following procedure to test AD FS authentication with the Identity Provider (IdP)-initiated sign-in page.

  1. Open a web browser, and go to the IdP sign-in page. Your URL might look like https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx.

  2. You're prompted to sign in. Enter your credentials.

    Screenshot that shows the sign-in page and the dialog that prompts for credentials.

If the process succeeds, you're signed in.

Test authentication with seamless sign-in

You can test the seamless sign-in experience by making sure that the URL for your AD FS servers is added to the local intranet zone of your internet options. Use the following procedure:

  1. On a Windows 10 client, select Start, enter internet options, and select Internet Options.

  2. Select the Security tab, and then select Local intranet > Sites.

    Screenshot that shows the Security tab of the Internet Properties dialog that shows the Local intranet option highlighted.

  3. Select Advanced.

  4. Enter your URL, and then select Add > Close.

    Screenshot that shows the local intranet popup box requesting the URL to be added for authentication.

  5. Select OK. Then select OK to close the internet options.

  6. Open a web browser and go to the IdP sign-in page. Your URL might look like https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx.

  7. Select Sign in. You should automatically sign in and not be prompted for credentials.

    Screenshot that shows the sign-in page showing that the user wasn't prompted for credentials.

Known issues

The AD FS sign-in page can't be used to initiate a sign-in with a claims provider trust that's configured with a WS-Federation passive endpoint only.

Related content