Troubleshooting ADFS 2.0 authentication of Relying Party Trusts

A good way to verify ADFS 2.0 authentication of your configured Relying Party Trusts is the special sign-in page that ADFS itself provides. The IdpInitiatedSignOn.aspx page lets you start a sign-on to a specific RP trust from the identity provider side; only RP trusts that use the SAML 2.0 protocol (i.e. have a SAML assertion consumer endpoint configured) are offered there. You can test it on the server itself or from an internal or external client simply by browsing to https://yourADFSserver.yourdomain.com/adfs/ls/IdpInitiatedSignOn.aspx (the passive endpoints are served over HTTPS only).

If there is more than one RP trust, a drop-down menu lists all possible choices. After you pick your RP and sign in, ADFS posts a SAML Response for that RP identifier to the RP's assertion consumer endpoint, and depending on your settings Single Sign-On should work immediately.

If there are still problems, run Fiddler during this process to trace whether the SAML messages are sent properly. Be sure to enable HTTPS decryption in the Fiddler settings, since the ADFS endpoints are served over SSL. Furthermore, switch the Inspector to TextView to see the messages in detail. In an IdP-initiated sign-on the session to look for is the POST from the browser to the RP's assertion consumer endpoint: its body carries a SAMLResponse form field, the Base64-encoded SAML Response that contains the assertion with the attributes your Claim Rules issued. (If the RP started the flow itself you will also see a request to /adfs/ls?SAMLRequest=…, but that is only the authentication request and carries no claims; it is DEFLATE-compressed before Base64 encoding, so it has to be inflated after decoding.) Copy the whole SAMLResponse value into a Base64 decoder of your choice (URL-decode it first if you took it from the raw form body) and you should see all the attributes configured as Claim Rules in the RP trust. The most important one is the attribute the RP uses to identify the user, e.g. sAMAccountName or mail, usually issued as the NameID or as a named attribute. You need to ensure that this attribute is configured in your Claim Rules and actually appears in the assertion sent to your RP; otherwise Single Sign-On will not come up. One caveat: if the response contains an EncryptedAssertion element instead of a readable assertion, an encryption certificate is configured on the RP trust and the attributes cannot be read from the trace; remove it temporarily while troubleshooting, or rely on the server-side debug log instead.
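The decoding steps above, done in code rather than by hand. This is an added example for this post, not code from the original article or from AD FS: it decodes both the Redirect-binding SAMLRequest (URL-decode, Base64, raw DEFLATE) and the POST-binding SAMLResponse (URL-decode, Base64), lists status, NameID and attributes from the assertion, reports which claim types the RP needs but did not get, and refuses an EncryptedAssertion with an explanation. The host names, the sample AuthnRequest/Response and the user values are constructed for the demo; the claim type URIs are the standard AD FS ones.

```python
"""Decode SAML messages captured with Fiddler and list the claims they carry.

Added example (not from the original post). Sample messages, host names and
user values are constructed; claim type URIs are the standard AD FS 2.0 ones.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_request(url_or_value: str) -> str:
    """Redirect binding (/adfs/ls?SAMLRequest=...): URL-encoded, Base64, raw DEFLATE.
    Accepts either the whole URL copied from Fiddler or the bare Base64 value."""
    value = url_or_value
    if "SAMLRequest=" in url_or_value:                      # whole URL: pull the query parameter
        value = parse_qs(urlsplit(url_or_value).query)["SAMLRequest"][0]
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")    # wbits=-15: DEFLATE without zlib header
    except zlib.error:
        return raw.decode("utf-8")                          # POST-binding requests are not compressed


def decode_saml_response(body_or_value: str) -> str:
    """POST binding: form field SAMLResponse, URL-encoded Base64, no compression."""
    value = body_or_value
    if "SAMLResponse=" in body_or_value:                    # raw form body from Fiddler's TextView
        value = parse_qs(body_or_value)["SAMLResponse"][0]
    return base64.b64decode(value).decode("utf-8")


def extract_claims(response_xml: str) -> dict:
    """Return status, NameID and the attributes of the assertion inside a SAML Response."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        # An encryption certificate is set on the RP trust: the claims cannot be read
        # from the trace. Remove it temporarily or use the server-side debug log.
        raise ValueError("assertion is encrypted; remove the RP encryption certificate to inspect it")
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no <saml:Assertion> in response")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attributes,
    }


def missing_claims(claims: dict, required: list) -> list:
    """Claim types the RP needs (per its Claim Rules) that the assertion does not carry."""
    return [c for c in required if c not in claims["attributes"]]


# --- constructed sample messages, shaped like what the browser sends in the two flows ---
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2012-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://app.example.com/saml/acs">'
    '<saml:Issuer>https://app.example.com/</saml:Issuer></samlp:AuthnRequest>'
)

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2012-01-01T00:00:01Z" Destination="https://app.example.com/saml/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:01Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <saml:AttributeValue>EXAMPLE\\alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_redirect_request(xml: str, adfs: str = "https://adfs.example.com") -> str:
    """Build the /adfs/ls?SAMLRequest= URL an SP-initiated flow produces (DEFLATE, Base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return adfs + "/adfs/ls?SAMLRequest=" + quote(base64.b64encode(data).decode("ascii"), safe="")


def encode_post_response(xml: str) -> str:
    """Build the form body ADFS posts to the RP's assertion consumer endpoint."""
    return "SAMLResponse=" + quote(base64.b64encode(xml.encode("utf-8")).decode("ascii"), safe="")


if __name__ == "__main__":
    print(decode_saml_request(encode_redirect_request(SAMPLE_AUTHN_REQUEST))[:60], "...")
    claims = extract_claims(decode_saml_response(encode_post_response(SAMPLE_RESPONSE)))
    print(claims["status"], claims["name_id"])
    for name, values in claims["attributes"].items():
        print(" ", name, "=", values)
    upn = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    print("missing:", missing_claims(claims, [upn]))
```

In practice you paste the URL from the Fiddler session list into decode_saml_request, or the POST body from TextView into decode_saml_response, and compare the attribute names returned with the outgoing claim types in the RP trust's Claim Rules; a claim the RP expects that does not show up in the list is the usual reason the RP rejects the sign-on.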

Additionally, you can enable ADFS 2.0 debug logging by editing the server's config file to get more detailed server events; ADFS 2.0 also ships an "AD FS 2.0 Tracing" debug log in Event Viewer (under Applications and Services Logs, visible once "Show Analytic and Debug Logs" is enabled), which records every request and the claims issued. Both are helpful in troubleshooting ADFS 2.0 problems in general. Refer to the Microsoft TechNet article below to see how debug logging is enabled.