I would like our business partner to be able to do IdP-initiated single sign-on using SAML-P to access a claims-aware application on my company's side. So basically on my side we have:
1. ADFS 3.0 (https://adfs.mycompany.com)
2. Business partner IdP server added as a Claims Provider Trust in our ADFS (https://idp.partnercompany.com/idp/SSO.saml2)
3. ASP.NET MVC application that is set up as a Relying Party Trust in ADFS (through the WS-Fed endpoint) (https://portal.mycompany.com)
I have read the following article:
http://technet.microsoft.com/en-us/library/jj127245%28WS.10%29.aspx
And came up with this url:
https://idp.partnercompany.com/idp/SSO.saml2?RelayState=RPID%3Dhttp%253A%252F%252Fadfs.mycompany.com%252Fadfs%252Fservices%252Ftrust%26RelayState%3DRPID%253Dhttps%253A%252F%252Fportal.mycompany.com
So what I basically have right now is a URL comprised of 3 parts:
part 1: partner's idp url from claims provider trust https://idp.partnercompany.com
part 2: RelayState=encoded[RPID=http://adfs.mycompany.com/adfs/services/trust]
part 3: RelayState=encoded[RPID=https://portal.mycompany.com]
The questions I have are:
1. In part 2 of the URL I use the SAML endpoint for my ADFS. Is this correct? Should this instead be the identifier that the partner assigned to my ADFS on their side?
2. In part 3 I use "RelayState=RPID=..." Do I need the RPID or should it be RelayState=encoded[https://portal.mycompany.com]?
I also wanted to add that I modified the config to include: <useRelayStateForIdpInitiatedSignOn enabled="true" />
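To check how the nested RelayState in the question decomposes, here is an added Python example (not part of the question or of ADFS itself) that builds the URL from the three parts and parses it back; the hostnames are the ones used in the question and are illustrative only.

```python
from urllib.parse import quote, parse_qs, urlsplit

# Hostnames taken from the question above; illustrative values, not real endpoints.
PARTNER_IDP = "https://idp.partnercompany.com/idp/SSO.saml2"
ADFS_ID = "http://adfs.mycompany.com/adfs/services/trust"
PORTAL_RP = "https://portal.mycompany.com"


def build_idp_initiated_url(idp_sso_url, adfs_identifier, rp_identifier):
    """Build the IdP-initiated SSO URL with a nested RelayState.

    Layout (each level is URL-encoded once, so the outer value ends up double-encoded):
      RelayState = RPID=<adfs identifier> & RelayState = RPID=<relying party identifier>
    The partner IdP passes the outer value through untouched; ADFS unwraps it,
    then uses the inner RPID to pick the Relying Party Trust to issue a token for.
    """
    inner = "RPID=" + rp_identifier  # consumed by ADFS after it strips the outer layer
    outer = ("RPID=" + quote(adfs_identifier, safe="")
             + "&RelayState=" + quote(inner, safe=""))
    return idp_sso_url + "?RelayState=" + quote(outer, safe="")


def parse_relay_state(url):
    """Unwrap the nested RelayState and return (adfs_identifier, rp_identifier).

    Mirrors what a receiver has to do: decode one layer at a time. A real
    receiver should also check the recovered RPID against its configured
    Relying Party Trusts rather than trusting the value blindly.
    """
    query = parse_qs(urlsplit(url).query)  # parse_qs decodes the outer layer
    outer_parts = parse_qs(query["RelayState"][0])  # decodes the middle layer
    adfs_identifier = outer_parts["RPID"][0]
    inner_parts = parse_qs(outer_parts["RelayState"][0])  # innermost RPID
    return adfs_identifier, inner_parts["RPID"][0]


if __name__ == "__main__":
    url = build_idp_initiated_url(PARTNER_IDP, ADFS_ID, PORTAL_RP)
    print(url)
    print(parse_relay_state(url))
```

Running it reproduces the URL from the question byte for byte, which confirms that the question's URL follows the encoding layout described in the linked TechNet article.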