This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 20%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Currently we have ADFS running on server 2012r2 ... with DNS as adfs.firstdomain.com
Now we have a requirement to add second domain/DNS to our existing ADFS federation for one application.
For eg:
App 1 : https://adfs.firstdomain.com/adfs/ls/IdpInitiatedSignOn
App2 2 : https://adfs.Seconddomain.com/adfs/ls/IdpInitiatedSignOn
Please let me know how to achieve this.
Thanks
https://adfs.firstdomain.com/adfs/ls/IdpInitiatedSignOn is not the URL to sign in to an application
when you have multiple relying party trust using SAML, this URL will show a drop down menu and the user can pick the application it wants to connect to.
I mean how to we add 2 dns for the same ADFS server
URL : https://adfs.firstdomain.com/adfs/ls/
URL 2 : https://<dfs.Seconddomain.com/adfs/ls/
I am not sure what is the scenario here. ADFS is specific to an application. Why would the application care what is the FQDN of the ADFS farm? What's the use case?
Actually i am looking for adding multiple federation endpoints on one ADFS server .
Is there a way to have multiple federation endpoints on one ADFS server? For example, if I would like these federation endpoints on the same
ADFS server?
login.comany-a.com
login.comany-b.com
We have an app which does not want to use login.comany-a.com due to some restriction, so i am looking for adding second dns/domain for the same ADFS
Thanks
we have some restriction to use adfs.firstdomain.com DNS for an application, so i am trying to add second DNS for the same ADFS
So in theory yes we can set up something that does the trick from a DNS perspective. But there is a lot of caveats...
You will need to make sure that you have the proper DNS record in company-b.com. An A record pointing to the same IP as the ADFS A record in company-a.com.
You will need to ensure that the TLS (aka Service Communication Certificate) has the proper alternative subject name to reference either *.company-b.com or login.company-b.com on the top of the existing ones.
You will need to add the SPN HOST/login.company-b.com to the ADFS service account in AD.
You will need to make sure that the URL login.company-b.com is trusted in your browser to do Windows Integrated Authentication (else no single sign-on).
On the ADFS server, you will need to configure the new SNI binding like:
netsh http add sslcert hostnameport=login.company-b.com:443 certhash=<the thumbrint of your TLS cert> appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
Now, that's the theory, because in practice, this will not work all the time and is not officially tested. In other words, that's an unsupported configuration. The metadata of the ADFS farm will also not contain those URI/URL either and this will likely not work through a WAP. Better to work through those "restriction" IMO.
Thanks piaudonn,
Is it possible to solve this by ADFS Farm?
You can add another ADFS farm in company-b.com but if you expect users from company-a.com to use the applications trusted by this new ADFS farm, they will be redirected to company-a.com ADFS farm.