Share via

AD FS 2.0 Sign-In Pages Overview


The Active Directory® Federation Services (AD FS) 2.0 Sign-In Pages handle requests at the HTTP handler level, but they expose some extensibility points through logic in ASP.NET pages and through configuration settings in the web.config file. In order to understand what can be customized, it’s important to know how the pages handle protocol requests, and what the flow of page invocations is, as well as the role the AD FS 2.0 server plays in the federation topology.

AD FS 2.0 can play the following roles:

  • A pure identity provider Security Token Service (IP-STS). This is when AD FS 2.0 has no configured claim providers, except the Active Directory account store in the domain where it resides.

  • A pure relying party STS (RP-STS). This is when AD FS 2.0 has configured claims providers, but all local authentication methods (that is, Forms, Integrated, Basic, and TlsClient) are disabled in the web.config file. AD FS 2.0 can only direct the user to authenticate with a trusted STS.

  • Hybrid. This is when AD FS 2.0 has configured claims providers, and uses a local authentication method (that is, Forms, Integrated, Basic or TlsClient authentication is enabled in the web.config file).

For more information about Security Token Services, see Security Token Service ( in the Windows® Identity Foundation (WIF) documentation. For more information about the difference between an IP-STS and an RP-STS, see What is an IP-STS and what is an RP-STS? ( For more information about Relying Party applications, see Relying Party (

The Sign-In Pages handle the following request types:

  • Authentication request initiated by the Relying Party (RP) application. To see how the Sign-In Pages handle authentication requests, see Authentication Handler Overview.

  • Sign-out request. In this case, the request is handled internally by the Sign-In Pages. The SignOut.aspx page is invoked when a WS-Federation passive profile is used to sign out from an RP application. The SignOut.aspx page is not invoked when the trust topology consists of pure SAML WebSSO profiles.

  • Request initiated by AD FS 2.0. In this case, the user requests to sign in to the RP application directly from AD FS 2.0. This is handled by the IdpInitiatedSignOn.aspx page. This is limited to RP applications that understand the SAML protocol. To see how the IdpInitiatedSignOn.aspx page can be modified, see IdpInitiatedSignOnPage Class Overview.

Web Pages

The Sign-In Pages consist of the following ASP.NET pages:

ASP.NET page Function
HomeRealmDiscovery.aspx Presents a selection UI for the user to select the organization to which he or she belongs.
FormsSignIn.aspx Handles Form-based authentication with user name and password.
SignOut.aspx Handles Sign-Out requests.
IdpInitiatedSignOn.aspx Presents a selection UI for the user to select an RP application to sign in to. This page only works for RP applications that use the SAML protocol.
Error.aspx Displays authentication errors to the user.
MasterPages/MasterPage.master A master page template for all the pages.

The Sign-In Pages can be customized in two ways: through the web.config file, and through code changes to the ASP.NET pages. Generally, behavior changes are made to the web.config file, and layout changes and additions to functionality are made to the code-behind files of the ASP.NET pages. For more information about customizing the web.config file, see Customizing the AD FS 2.0 Sign-In Pages Using Web.config.