Bypass a HRD page using user login only and continue authentication on external provider. ADFS 2016\2019

Sergey A 1 Reputation point
2020-04-05T02:49:02.847+00:00

I want to bypass HRD page on ADFS. Some of my RP already has parameter like login_hint for openID Connect and RedirectToIdentityProvider for WS Federation.
But one RP should direct users to different external IPs depending on their login. We don't use Active Directory and all applications - are web services. So we use ws passive only.
My Idea is customize onload.js to use login and pass it throught web service to discover the ToIdentityProviderUri, then bypass HRD page.
I would be grateful for any outline of this file. Also questions, other RP should ignore this logic?
Am I in the right direction?
Or may be is another approach to archive this behaviour?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,215 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-04-09T03:50:49.763+00:00

    Hi! Just to make sure, you have you look at this already: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/home-realm-discovery-customization there are built-in way to by pass the HRD in certain contexts.

    I publish some custom modification back in the days, in case that helps too: https://learn.microsoft.com/en-us/archive/blogs/pie/customize-the-home-realm-discovery-page-to-ask-for-upn-right-away.

    If none of these helps, you can give us an example of what the complete URL look like and we can probably assist you with the JavaScript bit.

    1 person found this answer helpful.

  2. Sergey E 1 Reputation point
    2020-07-07T09:13:26.933+00:00

    Very similar to my question. However, I can’t check it, because My previous account is blocked. Thanks for the answer. But I realized that this scenario will not solve my problem. I had a very simple scenario, which, as I understand it, is impossible to implement. I have a site in SSO that asks for the user's Email, which determines the IdentityProvider required for it. It seemed the whr and RedirectToIdentityProvider parameters for ADFS in particular, are just for this, however, if the user already has a cookie in ADFS through another site in SSO, and does not have an authentication cookie on my site, I can’t determine if this user already has a session in SSO or not, and therefore I am forced to start the authentication process from the beginning, so I had this question above. I thought that I would always direct the user to ADFS and determine the IP choice for the user on the ADFS side.
    But the problem of checking cookies remains...
    Rise a new service inside ADFS insance, to avoid the authorization probs...
    So, all was finished with a changing a busines model...
    Anyway. Thanks for the answer!

    0 comments No comments