A quickie, but a goodie.
In an earlier post on setting Salesforce.com as a SAML Relying Party to ADFS, I talked about how I felt a little dumb because I couldn’t figure out how to get ADFS to post the token to Salesforce. The reason I felt that way was because with WS-Federation there is a URL parameter that is designed to tell the STS which relying party requested the token. Not so much with SAML.
Turns out with ADFS there is such a parameter. By default, if you pass ?loginToRp=[rpIdentifier] to the IdpInitiatedSignOn.aspx page, ADFS will look up the relying party based on that parameter.
If you are unsure of what identifier to use, you can go to the relying party properties, and check out the Identifiers tab. It will accept any of the identifiers in the list:
As an aside, if you don’t like that URL parameter name, you can go into the IdpInitiatedSignOn.aspx.cs file and update line 21 to whichever you feel is appropriate:
const string RpIdentityQueryParameter = "loginToRp";
Then you compile the site, and redeploy.
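As an added example (not part of the original post), here is a small PowerShell helper that pulls the identifiers from a relying party trust with the ADFS 2.0 Get-AdfsRelyingPartyTrust cmdlet and builds the IdP-initiated sign-on URL for each one. It assumes the default /adfs/ls/ virtual directory, a placeholder federation service host name, and that the query parameter name matches whatever RpIdentityQueryParameter is set to in IdpInitiatedSignOn.aspx.cs.

```powershell
# Added example, not code from the original post.
# Assumes the ADFS 2.0 PowerShell snap-in is available on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-IdpInitiatedSignOnUrl {
    param(
        [Parameter(Mandatory = $true)] [string] $RelyingPartyName,
        # Federation service host name, e.g. sts.example.com (placeholder, not a real host)
        [Parameter(Mandatory = $true)] [string] $AdfsHost,
        # Must match RpIdentityQueryParameter in IdpInitiatedSignOn.aspx.cs ("loginToRp" by default)
        [string] $QueryParameterName = "loginToRp"
    )

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "No relying party trust named '$RelyingPartyName'" }

    # Every entry on the Identifiers tab is accepted by loginToRp, so emit one URL per identifier.
    foreach ($identifier in $rp.Identifier) {
        # Identifiers are usually URIs themselves, so encode them or ':', '/' and '?' will
        # corrupt the query string.
        $encoded = [System.Uri]::EscapeDataString($identifier)
        New-Object PSObject -Property @{
            Identifier = $identifier
            Url        = "https://$AdfsHost/adfs/ls/IdpInitiatedSignOn.aspx?$QueryParameterName=$encoded"
        }
    }
}

# Usage with placeholder values:
Get-IdpInitiatedSignOnUrl -RelyingPartyName "Salesforce" -AdfsHost "sts.example.com" | Format-List
```

If you renamed the constant on line 21, pass the new name via -QueryParameterName so the generated URLs keep working after you redeploy.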
You are properly securing ADFS by compiling the site’s source code, right?