Question

UPDATE:

I was able to get ADFS to forward my user to the relying party application. I used ComponentSpace's SAML2.0 library and RelayState. Even though it successfully forwards to the WIF application, it doesn't recognize my user as having been authenticated. It instead initiates an SP-initiated SSO scenario by redirecting to the IDP STS. I'm not too sure how I should proceed.

Original Message:

I have configured a single-sign-on setup in the following manner:

IDP - A portal website that posts SAML2 responses to my SP.

SP - ADFS 2.0 configured with a claims provider trust configured as a SAML2.0 endpoint (with my IDP, of course).

RP Application - An ASP.NET application which is configured as a Relying Party trust in ADFS (WS-Fed).

When I log into my IDP and click on the link that posts the SAML2 token to ADFS, everything works fine. I am taken to the IdpInitiatedSignOn.aspx page and am told that I have been logged in. The problem is that where I would normally expect to see a drop down list of applications to choose from (which should only include my single RP Application) I see nothing. I only have two buttons allowing me to sign out of all applications or a single application. Is there some trick to configuring the RP Application trust that I'm not aware of? It was my understanding that ADFS 2.0 would accept this configuration of SAML2 and WS-Fed. (See http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx under "When can I use RelayState?")

I would greatly appreciate any advice on this.


Solution

IdpInitiatedSignOn shows the list of RPs that support SAML.

Your RP is WS-Fed so won't appear in the list. In your case, the path is:

RP -> WS-Fed -> ADFS (Home Realm Discovery) -> SAML -> IDP -> Authenticate.
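The RelayState mechanism the question's UPDATE relies on (described in the linked askds article) packs an RPID and a target URL into a doubly URL-encoded parameter on the IdpInitiatedSignOn.aspx URL. The following Python is an added example, not code from the poster, ComponentSpace or Microsoft: it builds and decodes that value and checks that a decoded target stays on the RP's own origin. The ADFS host, RP identifier and target URL are constructed sample values. As the answer notes, IdpInitiatedSignOn only lists SAML relying parties, so a WS-Fed RP such as the poster's still goes through the SP-initiated path given above.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint used for IdP-initiated sign-on in ADFS 2.0 (path as named in the question).
IDP_INITIATED_PATH = "/adfs/ls/IdpInitiatedSignOn.aspx"


def build_idp_initiated_url(adfs_host, rp_identifier, target_url):
    """Build the doubly URL-encoded RelayState URL that ADFS 2.0 expects."""
    # Inner value: two parameters, each URL-encoded once.
    inner = "RPID=%s&RelayState=%s" % (
        quote(rp_identifier, safe=""),
        quote(target_url, safe=""),
    )
    # The whole inner string is encoded a second time as the outer RelayState
    # value, so its '&' and '=' cannot split the outer query string.
    return "https://%s%s?RelayState=%s" % (
        adfs_host, IDP_INITIATED_PATH, quote(inner, safe="")
    )


def parse_relay_state(url):
    """Undo both encoding layers; returns (rp_identifier, target_url)."""
    # parse_qs unquotes once per call, so calling it twice peels both layers.
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    inner = parse_qs(outer["RelayState"][0], strict_parsing=True)
    return inner["RPID"][0], inner["RelayState"][0]


def is_safe_target(rp_identifier, target_url):
    """Accept a target only if it stays on the relying party's own HTTPS origin.
    RelayState arrives from the browser, so an RP must not redirect to it blindly."""
    rp, tgt = urlsplit(rp_identifier), urlsplit(target_url)
    return (
        tgt.scheme == "https"
        and rp.scheme == tgt.scheme
        and rp.netloc.lower() == tgt.netloc.lower()
    )


if __name__ == "__main__":
    # Constructed sample values (hypothetical hosts).
    url = build_idp_initiated_url(
        "sts.example.com", "https://rp.example.com/", "https://rp.example.com/reports?id=7"
    )
    print(url)
    rpid, target = parse_relay_state(url)
    print(rpid, target, is_safe_target(rpid, target))
```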

Licensed under: CC-BY-SA with attribution