Tip of the Day: ADFS Home Realm Discovery Enhancements
Today’s Tip…
In 2.x, users had to choose their IDP from a drop-down list. This posed a few issues: with a large number of IDPs it could be difficult to find the correct one, especially for users unsure of its exact name, and choosing the wrong one resulted in a poor experience that required manually clearing their cookies.
The product group (PG) really enhanced the Home Realm Discovery experience in AD FS 2012 R2, especially for larger service providers.
- "Local" users can bypass home realm discovery. If the user is not coming in through the proxy, the administrator can set a flag to bypass home realm discovery and assume the user authenticates against the local Active Directory store.
- Administrators can register UPN suffixes for each IDP. The net result is that users enter their UPN (or email address) into a web form and, based on the suffix, AD FS automatically directs them to the correct IDP.
- Administrators can register specific IDPs with each relying party. The result is that the home realm discovery list contains only the IDPs used by that particular application.
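The three enhancements above map onto the AD FS 2012 R2 PowerShell cmdlets as shown in this added example (not part of the original tip); the trust names and domain suffixes are placeholders you would replace with your own.

```powershell
# Added example: configuring the three HRD enhancements on an AD FS 2012 R2 server.
# 'Partner IdP', 'Partner Portal' and the *.example suffixes are placeholder values.
Import-Module ADFS

# 1. Intranet (non-proxy) users skip HRD and authenticate against local AD directly.
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

# 2. Map UPN / email suffixes to a claims provider trust. A user who types
#    alice@partner.example is sent to that IDP without ever seeing the picker.
Set-AdfsClaimsProviderTrust -TargetName 'Partner IdP' `
    -OrganizationalAccountSuffix @('partner.example', 'partner-mail.example')

# 3. Limit which claims providers the HRD page offers for one relying party.
#    Besides a shorter list, this avoids showing every federated partner name
#    to whoever reaches that application's sign-in page.
Set-AdfsRelyingPartyTrust -TargetName 'Partner Portal' `
    -ClaimsProviderName @('Active Directory', 'Partner IdP')

# Verify each setting took effect.
Get-AdfsProperties | Select-Object IntranetUseLocalClaimsProvider
Get-AdfsClaimsProviderTrust | Select-Object Name, OrganizationalAccountSuffix
Get-AdfsRelyingPartyTrust -Name 'Partner Portal' | Select-Object Name, ClaimsProviderName
```

Run this in an elevated PowerShell session on the primary AD FS server; a suffix can only be assigned to one claims provider trust, so the second cmdlet fails if a suffix is already claimed elsewhere.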
Comments
- Anonymous
January 01, 2003
Hi Robert, where can I find more about this topic? We are a service provider and want to do this like you mention.
The user experience should be exactly like the Azure login ;) We do Azure Pack...
- Anonymous
November 20, 2014
Not such a good tip when there's no example of how to create those examples.
"Administrators can register UPN suffixes for each IDP", how?
"Administrators can register specific IDPs with each relying party", how?
- Anonymous
November 20, 2014
Found it.
Set-AdfsClaimsProviderTrust -TargetName 'Claims providername' -OrganizationalAccountSuffix @("maildomain.com","secondmail.com")
Revert with
Set-AdfsClaimsProviderTrust -TargetName 'Claims providername' -OrganizationalAccountSuffix $null
- Anonymous
January 13, 2015
How to bypass HRD in ADFS 2.x?