AD FS 2.0 Sign-In Pages Overview
The Active Directory® Federation Services (AD FS) 2.0 Sign-In Pages handle requests at the HTTP handler level, but they expose some extensibility points through logic in ASP.NET pages and through configuration settings in the
web.config file. In order to understand what can be customized, it’s important to know how the pages handle protocol requests, and what the flow of page invocations is, as well as the role the AD FS 2.0 server plays in the federation topology.
AD FS 2.0 can play the following roles:
A pure identity provider Security Token Service (IP-STS). This is when AD FS 2.0 has no configured claim providers, except the Active Directory account store in the domain where it resides.
A pure relying party STS (RP-STS). This is when AD FS 2.0 has configured claims providers, but all local authentication methods (that is, Forms, Integrated, Basic, and TlsClient) are disabled in the
web.configfile. AD FS 2.0 can only direct the user to authenticate with a trusted STS.
Hybrid. This is when AD FS 2.0 has configured claims providers, and uses a local authentication method (that is, Forms, Integrated, Basic or TlsClient authentication is enabled in the
For more information about Security Token Services, see Security Token Service (https://go.microsoft.com/fwlink/?LinkId=205502) in the Windows® Identity Foundation (WIF) documentation. For more information about the difference between an IP-STS and an RP-STS, see What is an IP-STS and what is an RP-STS? (https://go.microsoft.com/fwlink/?LinkId=205503). For more information about Relying Party applications, see Relying Party (https://go.microsoft.com/fwlink/?LinkId=205504).
The Sign-In Pages handle the following request types:
Authentication request initiated by the Relying Party (RP) application. To see how the Sign-In Pages handle authentication requests, see Authentication Handler Overview.
Sign-out request. In this case, the request is handled internally by the Sign-In Pages. The
SignOut.aspxpage is invoked when a WS-Federation passive profile is used to sign out from an RP application. The
SignOut.aspxpage is not invoked when the trust topology consists of pure SAML WebSSO profiles.
Request initiated by AD FS 2.0. In this case, the user requests to sign in to the RP application directly from AD FS 2.0. This is handled by the
IdpInitiatedSignOn.aspxpage. This is limited to RP applications that understand the SAML protocol. To see how the
IdpInitiatedSignOn.aspxpage can be modified, see IdpInitiatedSignOnPage Class Overview.
Sign-In Web Pages
The Sign-In Pages consist of the following ASP.NET pages:
|HomeRealmDiscovery.aspx||Presents a selection UI for the user to select the organization to which he or she belongs.|
|FormsSignIn.aspx||Handles Form-based authentication with user name and password.|
|SignOut.aspx||Handles Sign-Out requests.|
|IdpInitiatedSignOn.aspx||Presents a selection UI for the user to select an RP application to sign in to. This page only works for RP applications that use the SAML protocol.|
|Error.aspx||Displays authentication errors to the user.|
|MasterPages/MasterPage.master||A master page template for all the pages.|
The Sign-In Pages can be customized in two ways: through the
web.config file, and through code changes to the ASP.NET pages. Generally, behavior changes are made to the
web.config file, and layout changes and additions to functionality are made to the code-behind files of the ASP.NET pages. For more information about customizing the
web.config file, see Customizing the AD FS 2.0 Sign-In Pages Using Web.config.