Customizing ADFS 3.0 Sign-in Page
Introduction
In ADFS 3.0 (aka ADFS in Windows Server 2012 R2), customization of the sign-in page is quite different from earlier versions of ADFS. This post gives an overview of sign-in page customization in ADFS 3.0.
Customization Options
In ADFS 3.0 there is no dependency on IIS. Hence, there is no IIS available in the ADFS 3.0 Server. Because of this, you do not have any .aspx or .master page in the file system which you can go ahead and edit directly to apply the customizations you need.
In ADFS 3.0, all customization is done with PowerShell commands, and the customizations are stored in the ADFS configuration database instead of the file system. The advantage is that there is no need to update files on the individual ADFS instances of a farm: execute the PowerShell commands once and the customizations are reflected on all ADFS instances in the farm.
Figure: General Sign-in page ADFS 3.0
There are two options for customizing the sign-in page.
Customizing Logo, Footer Links, Sign-in description using PowerShell commands
- PowerShell commands for customizing individual parts of the sign-in page are documented in Microsoft TechNet article - https://technet.microsoft.com/en-in/library/dn280950.aspx
- Though these PowerShell commands give you a quick way to customize logos and descriptions, sometimes you might need to customize the entire theme of the sign-in page by applying new styles.
- I had a similar requirement to completely change the look of the sign-in page. As we don't have much control with this customization option, I used the second option: using Custom Web Themes to customize the sign-in page.
Custom Web Themes
This option gives you much more control, since you now control the CSS and JavaScript files used in the sign-in page. The final sign-in page after applying the custom web theme looks as below.
Figure: ADFS 3.0 Sign-in page after applying custom web theme
A custom web theme lets us customize the CSS style sheet, logos, and JavaScript file that are used to construct the sign-in page. Below is the procedure to build a custom web theme.
- Export the files used in the default web theme of ADFS. The default web theme ships out of the box with ADFS.
Export-AdfsWebTheme -Name default -DirectoryPath c:\custom-theme
- Create a new theme and name it as you like (Ex: custom-theme)
New-AdfsWebTheme -Name "custom-theme" -SourceName default
- Now, edit the files exported in Step-1. You can edit style.css, onload.js and add images. The theme folder structure is as below:
ThemeRoot
  |-css
  |   |-style.css
  |   |-style.rtl.css
  |-images
  |   |-logo.png
  |-script
      |-onload.js
- After modifying the logo, you can apply it to the custom-theme using the PowerShell command below.
Set-AdfsWebTheme -TargetName "custom-theme" -Logo @{Locale="";path="C:\custom-theme\images\logo.png"}
- After modifying the style sheet (style.css and style.rtl.css) apply the same to the new theme.
Set-AdfsWebTheme -TargetName "custom-theme" -StyleSheet @{Locale="";path="C:\custom-theme\css\style.css"} -RTLStyleSheetPath "C:\custom-theme\css\style.rtl.css"
- After modifying the JavaScript file (onload.js) apply the same to the new theme.
Set-AdfsWebTheme -TargetName "custom-theme" -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\custom-theme\script\onload.js"}
- And finally activate the new custom theme in ADFS to start seeing the changes
Set-AdfsWebConfig -ActiveThemeName "custom-theme"
- If you are not satisfied with the changes you have done, update the files again and apply them to the custom-theme as mentioned in the above steps.
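The theme files, onload.js in particular, run on the page where users enter their credentials and are served from the configuration database to every farm node, so it is worth confirming that what ADFS serves is what was reviewed. The script below is an added example, not part of the original post: it exports the active theme and compares SHA-256 hashes against a baseline folder. The function name Compare-AdfsThemeToBaseline and the path C:\theme-baseline are assumptions.

```powershell
# Added example (not from the original post): detect drift between the theme
# AD FS is serving and a reviewed baseline copy of the theme files.
function Compare-AdfsThemeToBaseline {          # function name is an assumption
    param(
        [Parameter(Mandatory)] [string] $BaselinePath,
        [string] $ThemeName = (Get-AdfsWebConfig).ActiveThemeName
    )

    # Export what AD FS currently serves into a scratch directory.
    $exportPath = Join-Path $env:TEMP ("adfs-theme-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $exportPath | Out-Null
    Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $exportPath

    # Map each file's path (relative to the tree root) to its SHA-256 hash.
    $hashTree = {
        param($root)
        $root = (Resolve-Path $root).Path.TrimEnd('\')
        $map = @{}
        Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($root.Length + 1)
            $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        $map
    }
    $baseline = & $hashTree $BaselinePath
    $active   = & $hashTree $exportPath

    # Added = served but not in the baseline; Removed = in the baseline only.
    $allPaths = @($baseline.Keys) + @($active.Keys) | Sort-Object -Unique
    $diff = foreach ($rel in $allPaths) {
        $state = $null
        if (-not $baseline.ContainsKey($rel))      { $state = 'Added' }
        elseif (-not $active.ContainsKey($rel))    { $state = 'Removed' }
        elseif ($baseline[$rel] -ne $active[$rel]) { $state = 'Changed' }
        if ($state) { [pscustomobject]@{ Theme = $ThemeName; File = $rel; State = $state } }
    }

    Remove-Item -Path $exportPath -Recurse -Force
    $diff   # empty output means the served theme matches the baseline
}

# C:\theme-baseline is a hypothetical folder holding the reviewed export.
Compare-AdfsThemeToBaseline -BaselinePath 'C:\theme-baseline'
```

Take the baseline with Export-AdfsWebTheme right after the reviewed files have been applied, so both trees share the same layout, and keep it somewhere the ADFS service account cannot write to.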
Comments
Anonymous
July 27, 2015
Is there a way to have multiple custom login pages? We have different external applications and each needs to have different branding
- Anonymous
March 16, 2017
I know this post is super late, but figured I would post it anyway. Not sure if you are asking whether each RP can have its web theme. If yes, then this is possible in Windows Server 2016. https://technet.microsoft.com/itpro/powershell/windows/adfs/set-adfsrelyingpartywebtheme
- Anonymous
Anonymous
September 23, 2015
I have the same question as MC. Is this possible?
Anonymous
January 15, 2016
@ MC, Paul - No, we can't have multiple custom login pages with Active Directory being the claims provider. Alternative is to use custom claims provider with its own login page.
Anonymous
February 29, 2016
How did you change someone@example.com to domainusername?
Anonymous
March 09, 2016
The comment has been removed
- Anonymous
June 09, 2016
This code is not compatible with the one published by Microsoft here (under example 2): https://technet.microsoft.com/en-us/library/dn636121.aspx
Do you know if there is a way to get the overall look and feel you got, while at the same time have example 2 working?
- Anonymous
October 31, 2016
Joseph, the problem with the code above is it is missing a trailing }. If you add that at the end it works fine. Recommend you use Chrome after implementing the onload.js and hitting F12. It will tell you all the JavaScript errors that may be occurring and where, and is invaluable when implementing these kinds of customizations.
- Anonymous
- Anonymous
Anonymous
June 03, 2016
Is this customization (Custom Web Themes) available for cloud also?
Anonymous
June 09, 2016
Typo on step #4 cmd.
Anonymous
July 10, 2016
I want to change the copyright text at the bottom of the page. Please help me to change that text.
Anonymous
July 15, 2016
Can you provide the sources (css/js/png) that you used in this example? That would be helpful in determining how you re-positioned the logo and text boxes. Thanks!
Anonymous
August 30, 2016
The comment has been removed
- Anonymous
September 01, 2016
Can you check if there are any JavaScript errors on the browser's console window? I suspect the first code block in which you are trying to alter the login message. You are assigning a string value to element which I guess is not allowed.
The below lines should be used to alter the loginMessage:
// Code to change “Sign in with organizational account” string.
// Check whether the loginMessage element is present on this page.
var loginMessage = document.getElementById('loginMessage');
if (loginMessage) {
    // loginMessage element is present, modify its properties.
    loginMessage.innerHTML = 'Sign in with your email account';
}
- Anonymous
Anonymous
February 16, 2017
Is there any way to check some AD account properties after bind to AD, then perform custom logic on server side and finally proceed with logon or just deny (depending on properties of the user AD account)? Previously it was possible to modify server side aspx logon page. Now it seems to be impossible.
Anonymous
May 13, 2017
Can someone help on importing Style.css templates from internet & used for custom theme. If so, please share any tutorials/article pages. Thanks
Anonymous
August 02, 2017
Do not use the .png, use .jpg instead. I had issues with Office365 and Shibboleth
Anonymous
October 03, 2017
This is very helpful. The problem I have is that I cannot get the page to update the illustration on the sign-in page of my custom theme, nor can I get the copyright date removed. All directions are followed and I can confirm the existing theme is my custom theme. The logo has changed successfully, but the illustration does not. I've modified the style.css file to ignore the copyright text, too. I have run the set-webconfig command to complete the process, but the only change I see on the ADFS log-in page is the logo. I may be missing something obvious, but I'm stumped.
Anonymous
October 25, 2017
"In ADFS 3.0 there is no dependency on IIS. Hence, there is no IIS available in the ADFS 3.0 Server. Because of this, you do not have any .aspx or .master page in the file system which you can go ahead and edit directly to apply the customizations you need."
This is worse as now you have no means to be able to change the HTML structure of the page to truly customize it. Sure you can hide things via css, or possibly go as far as injecting new page elements through javascript via the onload.js file they allow you to use, but that's pretty ugly to do when it would be so much easier to just alter some html directly. Really disappointed that Microsoft has locked down customization so much. This "corporate" look and feel doesn't fly when you're wanting to use ADFS in an education environment for students or for any demographic other than corporate users. Not to mention the unfriendliness of the validation and lack of being able to directly reference other javascript libraries to provide a better user experience.
Seriously, who thought forcing someone to write hacky CSS and hacky javascript to alter the html structure of a page just to get it to the way they want it to look versus simply allowing one alter the html structure directly, was a good idea? As long as one leaves the direct username and password fields the same and the button
- Anonymous
October 25, 2017
sorry forgot to finish my thought... "As long as one leaves the direct username and password fields the same and the button" /form action the same along with any other element they want to be there, it shouldn't matter how the structure is changed otherwise.
- Anonymous
Anonymous
December 12, 2017
Is it possible to customize the idpinitiatedsignon page on Saml logout so that it doesn't show all of the sign in sites or just remove that sign in option all together for logout?