Select domain at ADFS login page

Hau Kit Wong 71 Reputation points
2020-03-23T08:36:36.393+00:00

My ADFS connect to two AD Domain for authentication, can I let users select the domain they belong instead of typing the domain name?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,215 questions
0 comments No comments
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-03-25T04:52:13.627+00:00

    In general, we would really try to make the options I mentioned earlier fit.

    But if you feel like it is not possible, here is a sample solution provided "as-is".

    Step 1 - Create a new webtheme

    First you need to know what is the active theme:

    Get-AdfsWebConfig | Select-Object ActiveThemeName
    
    #output
    #ActiveThemeName
    #---------------
    #default
    

    Then you can create a new theme based on the active one:

    New-AdfsWebTheme -Name DomainHint -SourceName Default
    

    Step 2 - Export the custom theme to the file system to be able to access the JavaScript**

    First you need to create a folder:

    mkdir C:\ADFS_DomainHint
    

    Then you can export the files into it:

    Export-AdfsWebTheme -Name DomainHint -DirectoryPath C:\ADFS_DomainHint
    

    Step 3 - Modify the onload.js file located in C:\ADFS_DomainHint\script

    At the end of the file, add the following:

    // Check whether the userNameArea div is present on this page.  
    var userNameArea = document.getElementById('userNameArea');  
    if (userNameArea)  
    {  
            // Prepare the dropdown list
        var domain1 = "V";
        var domain2 = "V-TEX";
        var dropDown = "<select id=\"pickDomainHint\" name=\"domainHint\"><option value=\""+ domain1 +"\">"+ domain1 +"</option><option value=\""+ domain2 +"\">"+ domain2 +"</option></select>" ;
        // Detect if there was a previous attempt with username (case where a user typed a wrong password)
        var userHint = document.getElementById("userNameInput").value.split("\\").pop() ;
        // Replace with the entire area
        var newArea = "<label class=\"hidden\" id=\"userNameInputLabel\" for=\"userNameInput\">User Account</label>\r\n" ;
        newArea += "<input name=\"UserName\" tabindex=\"1\" class=\"text fullWidth\" id=\"userNameInput\" spellcheck=\"false\" type=\"email\" placeholder=\"samaccountname\" value=\""+ userHint +"\" autocomplete=\"off\" style=\"width:60%;\">" ;
        newArea += "&nbsp;" + dropDown ;
        userNameArea.innerHTML = newArea ;
    
        // Override of the submitLoginRequest function
        if (typeof Login != 'undefined'){  
            Login.submitLoginRequest = function () {   
                var u = new InputUtil();  
                var e = new LoginErrors();  
                var userName = document.getElementById(Login.userNameInput);
                var domainHint = document.getElementById("pickDomainHint");
                var password = document.getElementById(Login.passwordInput);  
                if (!userName.value)
                {  
                    u.setError(userName, e.userNameFormatError);  
                    return false;  
                } else {
                    var userNameValue = domainHint.value +"\\"+ userName.value;
                    document.getElementById("pickDomainHint").style.display = "none" ;
                    document.getElementById(Login.userNameInput).style.width = "100%" ;
                    document.forms['loginForm'].UserName.value = userNameValue;                 
                }
    
                if (!password.value)   
                {  
                    u.setError(password, e.passwordEmpty);  
                    return false;  
                }  
                    document.forms['loginForm'].submit();  
                    return false;  
            };  
        }
    }  
    

    Of course you need to edit the lines 6 and 7 with the actual NetBIOS name of your domains. The script is a bit tricky because it is overriding the default input elements. Which is really not recommended as it can behave differently on different browsers. So you'll need to test it thoroughly.

    Once you have modify the onload.js file, you need to re-import in into the webtheme:

    Set-AdfsWebTheme -TargetName DomainHint -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\ADFS_DomainHint\script\onload.js"}
    

    Note that at this point, we don't need to keep a copy on the file system, it imports it into the ADFS database. However, better keep an easy to access copy for reference.

    Step 4 - You enable the new webtheme

    To activate it, run the following command:

    Set-AdfsWebConfig -ActiveThemeName DomainHint
    

    Note that all commands need to be run on the Primary ADFS server.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-03-23T18:32:01.397+00:00

    Are those domains in the same forest?

    If so, you could set the same UPN suffix for both domains and then use the JavaScript trick to autocomplete: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages#customizing-the-ad-fs-sign-in-experience-by-using-onloadjs (the "Example 2: accept SAM-account name as a login format on an AD FS form-based sign-in page" section, you can customize it to work with UNPs).

    You could also have them sign-in with their email address for example: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

    If the above doesn't fit your needs, we can always do a custom JavaScript that will display a drop down menu for your users... but it will then disclose what is your internal domain names (since the JavaScript will be loaded on the client side, which by the way is the case too for the suggested solution in my first point).

    Let us know what you prefer!

    1 person found this answer helpful.