To complete the integration of AD FS-federated applications with Workspace ONE, you must enable the RelayState parameter in AD FS. This parameter passes an application's relying party identifier from VMware Workspace ONE Access to AD FS, so that AD FS can redirect users to the application portal.

Without the RelayState parameter enabled, users can click an AD FS-federated application in the Workspace ONE portal and authenticate into AD FS through VMware Workspace ONE Access. However, they are not further redirected to the application portal.

With RelayState enabled, an IdP-initiated authentication flow follows this sequence:

  1. End user requests access to an AD FS-federated application in the Workspace ONE portal.
  2. VMware Workspace ONE Access sends an IdP-initiated authentication response to AD FS. This SAML response contains a RelayState value set to the relying party identifier of the application.
  3. AD FS accepts the authentication response and redirects the user to the application portal specified by the RelayState value.
  4. User is granted access to the application.


  1. On the AD FS server, open the file: %systemroot%\AD FS\Microsoft.IdentityServer.Servicehost.exe.config
  2. Insert <useRelayStateForIdpInitiatedSignOn enabled="true" /> within the <microsoft.identityServer.web> section of the config file.

What to do next

Obtain the Relying Party Identifier for an AD FS-federated Application