How to Enable IdpInitiatedSignon Page In AD FS 2016


One of the deployment validation and testing tools which was also present in earlier AD FS releases is the /IdpInitiatedSignon.htm page.  This page is available by default in the AD FS 2012 R2 and earlier versions.  Though it should be noted this page is disabled by default in AD FS 2016.

From the system you wish to test from, navigate to the AD FS namespace’s idpinitiatedsignonpage.  This will be in the format of:

https://<AD FS name>.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

In this case the AD FS namespace is adfs.tailspintoys.ca so the test URL is:

https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

Alternatively a lot of deployments use the Secure Token Service (STS) as the namespace.  An example would be:

https://sts.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

 

IdpInitiatedSignon Page On Windows 2012 R2

The IdpInitiatedSignonPage is enabled by default on Windows 2012 R2 AD FS.  The Tailspintoys example is shown below.

Windows 2012 R2 AD FS - IdpinitiatedSignon

 

 

Testing IdpInitiatedSignon Page On Windows 2016

The IdpInitiatedSignon page is disabled by default on AD FS 2016.  If you attempt to navigate to the URL, the below error will be displayed:

Windows 2016 AD FS - IdpinitiatedSignon

The displayed error was:

An error occurred

The resource you are trying to access is not available. Contact your administrator for more information.

 

Enabling IdpInitiatedSignon Page On Windows 2016

The idpInitiatedSignon page is controlled via the EnableIdpInitiatedSignonPage property on the AD FS farm.

In the below example we will check the current status of the EnableIdpInitiatedSignonPage property, noting that it is set to $False.

Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonpage

EnableIdpInitiatedSignonPage Set to $False

 

To enable the EnableIdpInitiatedSignonPage, it is simply a matter of setting EnableIdpInitiatedSignonPage to $True

 

Set-AdfsProperties –EnableIdpInitiatedSignonPage $True

Setting EnableIdpInitiatedSignonPage Set to $True

 

Verifying IdpInitiatedSignon Page Functions On Windows 2016

Now that we have set EnableIdpInitiatedSignonPage to $True, we can verify that the page works.

Note that in the below example, the AD FS namespace has been added to he local intranet zone in IE so that we can benefit from a slipstreamed logon experience.

Windows 2016 IdpInitiatedSignon Page Now Working

Since the the AD FS namespace is present within the local intranet IE security zone, by default this will provide the credentials to the AD FS endpoint.

Windows 2016 IdpInitiatedSignon - Signed In!  -- YAY!!

As you can see in the highlighted red box – we are now signed in.

 

Cheers,

Rhoderick

Comments (0)

Skip to main content