ByPass HRD and redirect to a specific IdP base on client network

Cedric D 131 Reputation points
2020-05-14T16:52:25.043+00:00

Hello,

I have an ADFS 2016 where I have configured 2 Claims Providers (Active Directory and an LDAP Local Claims Provider).
I would like to avoid the HRD page if the user is on the internal network and use the other if the user is on the external network or if the IWA is not working.

Here my configuration :

  • ADFS 2016
  • Active Directory for Claims Provider
  • A LDAP Local Claims Provider
  • A RelyingParty Trust in SAML 2.0

My use cases : Bypass the HRD and

  • if access from internal network : Login with IWA and AD and fallback to Local LDAP form
  • if access from external network (Public IP) : Login with the form and Local LDAP

I followed this link to configure my HRD page : https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/home-realm-discovery-customization#configure-an-identity-provider-list-per-relying-party

  • I have configured an identity provider list for my relying party : Set-AdfsRelyingPartyTrust -TargetName myApplication -ClaimsProviderName @("Active Directory", "Local LDAP")
  • I set this parameter to True to bypass HRD for the intranet : Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

If go to my Relying Party, I'm redirected to the HRD.

  • If I choose "Active Directory", the IWA works and I'm successfully authenticated.
  • If I choose "Local LDAP", I fill the form, and its OK.

So I made some tests :

  • If I set only "Active Directory" in the identity provider list for my relying party, I bypass the HRD page and IWA authenticated me directly.
  • If I set only "Local LDAP" in the identity provider list for my relying party, I bypass the HRD page and I use the login form.

If I understand this disclaimer on the previous link, my configuration should bypass the HRD and use IWA for my use cases :

Please note that if an identity provider list for a relying party has been configured, even though the previous setting has been enabled and the user accesses from the intranet, AD FS still shows the home realm discovery (HRD) page. To bypass HRD in this case, you have to ensure that "Active Directory" is also added to the IDP list for this relying party.  

Could you help me to understand where I made a mistake, please?

Maybe I forgot to configure something?
Thanks a lot for your help.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,223 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vahid Ghafarpour 20,500 Reputation points
    2023-08-27T02:53:20.4633333+00:00

    If you're using load balancers or network firewalls, they might affect how the network location is determined. Make sure that the ADFS server can accurately determine whether the user is coming from the internal network or not.

    0 comments No comments