As you may know, a quick way to test your ADFS deployment is to open the idpinitiatedsignon sign-on page.
As usual, I tried it after deploying my new ADFS 4.0 server and... got this error message:
The resource you are trying to access is not available. Contact your administrator for more information.
And the following event is logged:
Log Name: AD FS/Admin
Source: AD FS
Date: 2/10/2016 7:22:24 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User:
Computer:
Description:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
So basically, this says the idpinitiatedsignon page is disabled, which is quite annoying.
Looking at the ADFS properties for the page (Get-AdfsProperties | fl *idpinitiatedsignon*) confirms that it is indeed disabled.
To solve it, just run: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
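The page is disabled by default in ADFS 4.0, so before flipping it on it helps to see the configured value, the actual HTTP behaviour and the Event 364 entries side by side. The script below is an added example, not code from the original post: it reports that state, enables the page only when -Enable is passed, and re-checks afterwards. It assumes it runs on the ADFS server with the ADFS module available; $FederationFqdn is a placeholder for your federation service name.

```powershell
# Added example (not from the original post). Assumes the ADFS PowerShell module is loaded.
param(
    [string]$FederationFqdn = 'sts.example.com',   # placeholder: replace with your federation service FQDN
    [switch]$Enable                                  # change configuration only when explicitly requested
)

$PageUrl     = "https://$FederationFqdn/adfs/ls/idpinitiatedsignon.aspx"
$ErrorMarker = 'The resource you are trying to access is not available'   # text shown when the page is disabled

function Get-IdpSignonPageStatus {
    # Compare the configured property with what a browser actually gets back.
    $configured = [bool](Get-AdfsProperties).EnableIdpInitiatedSignonPage
    try {
        $resp      = Invoke-WebRequest -Uri $PageUrl -UseBasicParsing -ErrorAction Stop
        $reachable = ($resp.StatusCode -eq 200) -and ($resp.Content -notmatch [regex]::Escape($ErrorMarker))
    } catch {
        $reachable = $false   # non-2xx response, or the service is not listening yet
    }
    # Count the Event ID 364 entries of the last hour caused by the disabled page, so the fix shows in the log too
    $since  = (Get-Date).AddHours(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'IdPInitiatedSignonPageDisabledException' }
    [pscustomobject]@{
        ConfiguredEnabled      = $configured
        PageReachable          = $reachable
        RecentDisabledPageErrs = @($events).Count
    }
}

$before = Get-IdpSignonPageStatus
$before | Format-List

if ($Enable -and -not $before.ConfiguredEnabled) {
    # Same fix as in the post; keep the page off unless you actually rely on IdP-initiated sign-on
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    Start-Sleep -Seconds 5      # give the service a moment to pick up the new setting
    $after = Get-IdpSignonPageStatus
    $after | Format-List
    if (-not $after.PageReachable) {
        Write-Warning "Page still unavailable; check the AD FS/Admin log for new Event ID 364 details."
    }
}
```

Run it without -Enable first to confirm the three fields agree on the cause before changing anything.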