2K12 R2 ADFS 3 – IE Pass Through Authentication Fails on 2nd Login with 400

Tags: adfs, single-sign-on

We have a customer who recently deployed ADFS 3.0 on Server 2K12 R2 as an IDP for our SaaS product (we are the SP and we use SimpleSAMLphp). This customer is our first ADFS 3.0 customer, but we have many happy 2.0 customers. This customer uses pass-through authentication with IE on their domain, but needs forms-based authentication when off the domain – ADFS 3.0 works great for this. However, we have run into a snag…

If they log into our app a 2nd time in the same browser context with IE, they get an HTTP 400 from their ADFS server before being sent back to us.

A little more color… We have a log out button in our application which kills the user session in our application but does not terminate their session with ADFS (but really, how can you terminate it with pass-through and IE? Your identity is your domain credentials). If they come back to our app after signing out, we send them back to their IDP for authentication. Normally, they are just sent back authenticated and everyone is happy.

A couple of facts:

  • We have one server on the domain with no proxies
  • The server routes internally and externally by the correct DNS name
  • We have IIS installed even though technically ADFS 3.0 doesn't require it
  • We have attempted to increase verbosity and view logs in ADFS without success
  • We can log in with claims ONCE per browser session in IE
  • Other browsers with forms based authentication work fine

Even more interesting:

  • We set up ADFS 3.0 at our company to try and reproduce it and it works fine here
    • We are now running both ADFS 2.0 and 3.0 internally and all is fine
  • We dumped and compared ADFS properties via PowerShell without success
  • We used Fiddler to capture working transactions and failed transactions and they are virtually identical

Microsoft Support:

  • We opened a support issue with Microsoft
  • Microsoft claimed we were not issuing a proper SLO before attempting to re-authenticate
  • We tried manually hitting the SLO URL for ADFS while signed in and it throws a 400!

Basically, from my perspective once we have signed in once the ADFS server throws a 400 any time we ever try and talk to it again.

Any ideas? Thanks in advance!

Best Answer

What is your SLO URL? I see a lot of SAML folk try to do logout with AD FS using a request to https://sts.contoso.com/adfs/ls/?wa=wsignout1.0 . This is not the way to log out in a SAML app. That is WS-Federation.

You need to send a properly constructed samlp:LogoutRequest to the /adfs/ls passive endpoint.
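The following is an added example, not part of the answer above and not SimpleSAMLphp's own code: it builds the samlp:LogoutRequest the answer refers to and wraps it in the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL query string) addressed to the /adfs/ls endpoint, then decodes it again so the result can be checked. The AD FS host name is the one from the answer; the SP entity ID, NameID, SessionIndex and RelayState values are constructed placeholders. The request is left unsigned here; AD FS expects SAML logout requests to be signed (SigAlg and Signature query parameters), which SimpleSAMLphp adds when the SP has a signing key configured.

```python
"""Build and check a SAML 2.0 LogoutRequest for the AD FS /adfs/ls endpoint
using the HTTP-Redirect binding (deflate + base64 + URL-encode)."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The AD FS host name is the one used in the answer; the SP entity ID is a
# constructed placeholder for this example.
ADFS_LS_ENDPOINT = "https://sts.contoso.com/adfs/ls/"
SP_ENTITY_ID = "https://sp.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"


def build_logout_request(issuer, name_id, session_index, destination,
                         name_id_format=NAMEID_UNSPECIFIED):
    """Return the XML text of an (unsigned) samlp:LogoutRequest."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,  # ID must be an NCName: start with a letter or '_'
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    # Child order is fixed by the schema: Issuer, (Signature), NameID, SessionIndex.
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_text, destination, relay_state=None):
    """Wrap the request in the HTTP-Redirect binding: raw DEFLATE, base64, query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{destination}?{urlencode(params)}"


def decode_redirect_binding(url):
    """Reverse the binding: pull SAMLRequest out of the query string and inflate it."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def summarize_logout_request(xml_text):
    """Parse a LogoutRequest and return the fields the IdP acts on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    # Constructed sample values: a user's NameID and the SessionIndex from the IdP's assertion.
    xml_text = build_logout_request(SP_ENTITY_ID, "jdoe@contoso.com", "_0123abcd", ADFS_LS_ENDPOINT)
    url = encode_redirect_binding(xml_text, ADFS_LS_ENDPOINT, "https://sp.example.com/logged-out")
    print(url)
    print(summarize_logout_request(decode_redirect_binding(url)))
```

The NameID and SessionIndex must match what AD FS put in the assertion at login; the SP keeps them in its session for exactly this purpose. A request to /adfs/ls/?wa=wsignout1.0, by contrast, carries no SAMLRequest parameter at all, which is the quickest way to tell the two protocols apart in a Fiddler capture.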