How to enable SAML Passive Authentication in ADFS 3.0

active-directory, adfs

For several years, I've used ADFS 2.x as a SAML IDP that works with SAML Passive Authentication. When the isPassive=true flag was set on the Request, the Response would include the following StatusCode section:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
        </samlp:StatusCode>
    </samlp:Status>

with a secondary status code of NoPassive to indicate that the user wasn't already logged in to ADFS.

However, on my new ADFS 3.0 instance, the response does not include the NoPassive substatus, so there's no way to determine if the response is a generic error or if it's the expected NoPassive behavior. I'd like to have the behavior be the same.

Is there a new setting for this, or something else I'm missing?
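The following is an added example, not part of the question or the answer and not ADFS code, showing how a service provider can read the nested Status block described above and tell a NoPassive reply from a bare Responder error. The three sample responses are constructed for illustration (the "ADFS 3.0" one mirrors the behaviour reported in the question, with no substatus), and the function names and the fallback policy in next_action are assumptions of this example, not anything ADFS documents.

```python
import logging
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for XML from an untrusted IdP

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

log = logging.getLogger("saml-sp")


def _tag(local: str) -> str:
    return "{%s}%s" % (SAMLP, local)


def status_codes(response_xml: str) -> list:
    """Return the chain of StatusCode Value attributes, outermost first.

    SAML 2.0 lets StatusCode elements nest to any depth, so this walks the
    whole chain rather than looking only at the top two levels. Signature
    validation of the Response is assumed to have happened already; this
    reads nothing but the Status block.
    """
    root = ET.fromstring(response_xml)
    status = root.find(_tag("Status"))
    if status is None:
        raise ValueError("samlp:Response has no samlp:Status")
    code = status.find(_tag("StatusCode"))
    if code is None:
        raise ValueError("samlp:Status has no samlp:StatusCode")
    chain = []
    while code is not None:
        chain.append(code.get("Value", ""))
        code = code.find(_tag("StatusCode"))
    return chain


def classify(response_xml: str) -> str:
    """'success', 'no_passive' or 'error' for a SAML 2.0 Response."""
    chain = status_codes(response_xml)
    if chain[0] == STATUS_SUCCESS:
        return "success"
    if STATUS_NOPASSIVE in chain[1:]:
        return "no_passive"
    return "error"


def next_action(response_xml: str, requested_passive: bool) -> str:
    """Decide what the SP does with the Response.

    'accept'            - success; go on to validate the Assertion
    'retry_interactive' - user not logged in; send a non-passive AuthnRequest
    'fail'              - genuine IdP error; show an error page
    """
    kind = classify(response_xml)
    if kind == "success":
        return "accept"
    if kind == "no_passive":
        return "retry_interactive"
    if requested_passive and status_codes(response_xml) == [STATUS_RESPONDER]:
        # The ADFS 3.0 case from the question: a bare Responder code with no
        # substatus. Assumed workaround: treat it as "not logged in", but log
        # it, because a real IdP failure is indistinguishable at this point.
        log.warning("bare Responder status to an isPassive request; assuming NoPassive")
        return "retry_interactive"
    return "fail"


def _response(status_block: str) -> str:
    # Constructed sample; a real Response also carries Issuer, Assertion and Signature.
    return (
        '<samlp:Response xmlns:samlp="%s" ID="_1" Version="2.0" '
        'IssueInstant="2015-01-01T00:00:00Z">%s</samlp:Response>' % (SAMLP, status_block)
    )


# Constructed samples: ADFS 2.x style (Responder + NoPassive), the ADFS 3.0
# behaviour described in the question (Responder only), and a success.
ADFS2_NOPASSIVE = _response(
    '<samlp:Status><samlp:StatusCode Value="%s">'
    '<samlp:StatusCode Value="%s"/></samlp:StatusCode></samlp:Status>'
    % (STATUS_RESPONDER, STATUS_NOPASSIVE)
)
ADFS3_BARE_RESPONDER = _response(
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % STATUS_RESPONDER
)
SUCCESS = _response(
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % STATUS_SUCCESS
)

if __name__ == "__main__":
    for name, xml in (("ADFS 2.x", ADFS2_NOPASSIVE),
                      ("ADFS 3.0", ADFS3_BARE_RESPONDER),
                      ("success", SUCCESS)):
        print(name, status_codes(xml), classify(xml), next_action(xml, requested_passive=True))
```

The decision is made on the StatusCode values only; StatusMessage is free text and may be localized, so it is not a reliable discriminator. The fallback in next_action is a policy choice for SPs that must work against the ADFS 3.0 behaviour: it keeps the passive flow usable, at the cost of turning real IdP errors into a second, interactive login attempt, which is why it is logged.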

Best Answer

Turns out, this was a bug in ADFS 3.0. I do not know if it has been resolved in a more recent release.