One of the deployment validation and testing tools which was also present in earlier AD FS releases is the /IdpInitiatedSignon.htm page. This page is available by default in the AD FS 2012 R2 and earlier versions. Though it should be noted this page is disabled by default in AD FS 2016.
From the system you wish to test from, navigate to the AD FS namespace's idpinitiatedsignonpage. This will be in the format of:
https://<AD FS name>.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm
In this case the AD FS namespace is adfs.tailspintoys.ca so the test URL is:
https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm
Alternatively a lot of deployments use the Secure Token Service (STS) as the namespace. An example would be:
https://sts.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm
IdpInitiatedSignon Page On Windows 2012 R2
The IdpInitiatedSignonPage is enabled by default on Windows 2012 R2 AD FS. The Tailspintoys example is shown below.
Testing IdpInitiatedSignon Page On Windows 2016
The IdpInitiatedSignon page is disabled by default on AD FS 2016. If you attempt to navigate to the URL, the below error will be displayed:
The displayed error was:
An error occurred
The resource you are trying to access is not available. Contact your administrator for more information.
Enabling IdpInitiatedSignon Page On Windows 2016
The idpInitiatedSignon page is controlled via the EnableIdpInitiatedSignonPage property on the AD FS farm.
In the below example we will check the current status of the EnableIdpInitiatedSignonPage property, noting that it is set to $False.
Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonpage
To enable the EnableIdpInitiatedSignonPage, it is simply a matter of setting EnableIdpInitiatedSignonPage to $True
Set-AdfsProperties –EnableIdpInitiatedSignonPage $True
Verifying IdpInitiatedSignon Page Functions On Windows 2016
Now that we have set EnableIdpInitiatedSignonPage to $True, we can verify that the page works.
Note that in the below example, the AD FS namespace has been added to he local intranet zone in IE so that we can benefit from a slipstreamed logon experience.
Since the the AD FS namespace is present within the local intranet IE security zone, by default this will provide the credentials to the AD FS endpoint.
As you can see in the highlighted red box – we are now signed in.