Note


This documentation supports the 20.19.01 version of Remedyforce.


ADFS 2.0 Relay State

ADFS 2.0 Relay State is a parameter used in SAML implementations to identify a specific resource at the resource provider (the SAML service provider), for example an account record in Salesforce.

Relay State specifies the path to which the user is redirected once the Identity Provider has authenticated the user.

If a user opens a specific link embedded in an email, such as https://test-sso-dev-ed.my.salesforce.com/003/o, and is already logged in to Salesforce, the user is redirected to that specific record.

If the user has not authenticated earlier, the user is redirected to the ADFS authentication URL, authenticated, and logged in to the Salesforce org. In this case, however, the user lands on the Salesforce org's home page rather than the page the embedded link points to, because the redirect URL (with its RelayState parameter) did not match the format ADFS expects. Configuring ADFS for Relay State and URL-encoding the RelayState value resolves this issue. Using Relay State, you can generate a single URL that logs the user in to the target application without any further redirects. The generated URL can be embedded in emails or documents and results in IDP Initiated SSO.

Relay State Support and Configuration

ADFS supports Relay State only after Update Rollup 2 for ADFS 2.0 is installed. Without Update Rollup 2, ADFS 2.0 omits Relay State by default. For more information, see:

https://support.microsoft.com/en-us/kb/2681584

Once you install the Update Rollup 2, it is necessary to edit the web.config file. To edit the web.config file:

  1. Locate the web.config file at the following location:
    %systemroot%\inetpub\adfs\ls\web.config
  2. Navigate to the <microsoft.identityServer.web> element and add a useRelayStateForIdpInitiatedSignOn element with its enabled attribute set to true.
    Use the following format when entering the XML:
    <microsoft.identityServer.web>
        ...
        <useRelayStateForIdpInitiatedSignOn enabled="true"/>
        ...
    </microsoft.identityServer.web>
  3. Save the file.

Note

If you are already authenticated by the Identity Provider and logged in to your Salesforce org, you are redirected to the intended page, for example an account page or another specific page in your org.

URL Encoding

Relay State requires an encoded URL for IDP Initiated Login. For more information, see: http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

The ADFS 2.0 Relay State generator tool is used to generate the encoded URL. The tool is available at https://adfsrelaystate.codeplex.com.

From there you can download an HTML file that generates the Relay State URL from three inputs: the IDP URL string, the Relying Party Identifier, and the Relay State (the target URL). ADFS 2.0 must already know the Relying Party Identifier, that is, the identifier for Salesforce. You add it under Identifiers for the relying party in the ADFS 2.0 management console; the Identifiers tab is on the relying party's property page.
For a detailed description of relay state, see the following:
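The following is an added example, not the page's own content and not the CodePlex tool it describes. It builds an IDP Initiated Login URL in the format ADFS 2.0 expects once useRelayStateForIdpInitiatedSignOn is enabled: the RelayState query parameter carries the string RPID=<relying party identifier>&RelayState=<target URL>, with each inner value URL-encoded and the whole string URL-encoded once more. The ADFS host name, the Relying Party Identifier value and the allow-list of target hosts are constructed sample values; the target URL is the one used on this page. The allow-list is a design choice of this example: a link generator should only deep-link to hosts that belong to the relying party, so a mistyped or externally supplied target cannot turn the sign-on URL into a redirect to an unrelated site.

```python
"""Build and decode an ADFS 2.0 IdP-initiated sign-on URL that carries a RelayState."""
from urllib.parse import parse_qs, quote, urlparse


def build_idp_initiated_url(idp_signon_url: str, rp_identifier: str,
                            target_url: str, allowed_hosts: frozenset) -> str:
    """Return an IdP-initiated sign-on URL whose RelayState deep-links to target_url.

    allowed_hosts (a design choice of this example) restricts the deep link to
    hosts that belong to the relying party.
    """
    host = urlparse(target_url).hostname
    if host is None or host.lower() not in allowed_hosts:
        raise ValueError(f"target host {host!r} is not an allowed relying-party host")
    # Inner encoding: each value is escaped so ':', '/', '?' and '&' cannot break
    # the RPID=...&RelayState=... structure that ADFS parses.
    inner = ("RPID=" + quote(rp_identifier, safe="")
             + "&RelayState=" + quote(target_url, safe=""))
    # Outer encoding: the complete inner string becomes a single query-parameter value.
    return idp_signon_url + "?RelayState=" + quote(inner, safe="")


def decode_relay_state(signon_url: str) -> tuple:
    """Reverse the double encoding and return (rp_identifier, target_url).

    Useful for checking a generated link, or a link received in email, before
    trusting where it will send the user after authentication.
    """
    outer = parse_qs(urlparse(signon_url).query)
    inner = outer["RelayState"][0]   # first decode, performed by parse_qs
    fields = parse_qs(inner)         # second decode of the RPID/RelayState pair
    return fields["RPID"][0], fields["RelayState"][0]


if __name__ == "__main__":
    # Constructed sample values: substitute your ADFS host, the relying party
    # identifier configured for Salesforce in ADFS, and the record URL to deep-link.
    ADFS_SIGNON = "https://adfs.example.com/adfs/ls/idpinitiatedsignon.aspx"
    RP_IDENTIFIER = "https://saml.salesforce.com"
    TARGET = "https://test-sso-dev-ed.my.salesforce.com/003/o"
    ALLOWED = frozenset({"test-sso-dev-ed.my.salesforce.com"})

    link = build_idp_initiated_url(ADFS_SIGNON, RP_IDENTIFIER, TARGET, ALLOWED)
    print(link)
    print(decode_relay_state(link))
```

Because the outer encoding escapes every '&' and '=', the finished link contains exactly one query parameter, RelayState, which is what keeps ADFS from splitting the inner string prematurely. Decoding a link back to its (RPID, target) pair is a cheap way to confirm that a generated URL, or one found in a mail campaign, points where it should.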
