Automating Home Realm Discovery for ADFS through UAG RRS feed

  • Question

  • Hello!

    I am trying to eliminate the Home Realm Discovery page where users would typically choose their claims provider.  Without UAG all I have to do is add

    ?whr=*adfs identifier*

    but through UAG this is a bit of a challenge.  When using the AD FS 2.0 trunk, users are authenticated before accessing any application.  I cannot find a way to append information to the URL when users go to be authenticated to the AD FS server through the trunk.  Using manual URL replacement I can even see the custom URL in the HTTP header, but it's after the typical authentication URL.

    Has anyone else found a way to do this?  I have come across some resources on the net but nothing official or which actually worked.

    Monday, April 2, 2012 7:20 PM

All replies

  • I was able to automate HRD through UAG by tweaking Hendrik's blog with a few changes to the code.

    http://idmcrisis.com/?tag=/home+realm+discovery

    I would add my edits to his blog but comments are closed.  I'm not a programmer but had one take a look and make some changes.  Might be because some of Henrik's code required .NET 4 and I only had 3.5 installed.

    I guess my question now is whether there is a different way to do this?  Obviously HRD through UAG by IP is only good for one application, because all IPs will source from the internal IP of UAG, unless a separate internal NIC is added and mapped based on the "bind IP address to source" option in UAG (hugely impractical).  Every time I tried to append the whr parameter to a URL through UAG it was ignored in favor of the trunk authentication.

    I'm sure in future releases UAG will have some sort of option to do this but for now does anyone have any other ways to do HRD through UAG?


    Wednesday, April 4, 2012 1:57 PM
  • Hi David,

    Please find this document and let me know if it's working for you

    http://www.forefrontsecurity.org/ArticleViewer/tabid/131/ArticleId/96/AD-FS-2-0-Automating-Home-Realm-Discovery-page-for-ADFS-through-UAG-2010.aspx

    HTH

    Idan Plotnik, Identity and Security Engineer, MVP

    Foreity - Intelligent Security

    • Marked as answer by David_Sutton Tuesday, May 1, 2012 2:21 PM
    Sunday, April 15, 2012 5:25 PM
  • Had to tear down the lab and move to something else but thanks for this, I will give it a shot and give an update!  This looks like what I was looking for!

    Thanks Idan!

    Tuesday, May 1, 2012 2:23 PM
  • Finally had a chance to test this.  It worked great!  A couple small things to add to save some folks a little trouble...

    As per Idan's instruction:

    Open the file web.config and find the <federatedAuthentication> element and add the homeRealm=<URL>

    Should say the following:

    Open the file web.config and find the <federatedAuthentication> element and add the homeRealm=<URI>

    You can find the URI of the federation service in the AD FS management console under Action -> Federation Service Properties (make sure the root of the AD FS tree to the left is selected or this menu option will not appear).

    The URI is CASE SENSITIVE!!!

    Once I entered this as per Idan's instruction, it worked like a charm.  No need to restart IIS or UAG, just close and reopen your browser.

    Thanks again!




    Friday, July 13, 2012 12:13 PM
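    The web.config change described in the reply above, together with the whr parameter the original question appends by hand, written out as an added example. This is not a fragment from Idan's document, the original posts, or the UAG product; the issuer, realm and homeRealm URIs are assumed placeholders that must be replaced with the values from your own environment.

    ```xml
    <!-- Added example: the relevant part of a WIF 3.5 (microsoft.identityModel) web.config
         after the homeRealm edit described in this thread. Every URI here is an assumed
         placeholder; the rest of the file (configSections, audienceUris, issuerNameRegistry)
         is left as it was. -->
    <configuration>
      <microsoft.identityModel>
        <service>
          <federatedAuthentication>
            <!-- issuer:    the AD FS 2.0 passive sign-in endpoint users are redirected to.
                 realm:     this application's (here, the UAG trunk's) relying party identifier.
                 homeRealm: the claims provider identifier AD FS should select on its own,
                            instead of showing the Home Realm Discovery page. WIF sends it
                            as the whr= query parameter on the sign-in redirect, the same
                            parameter the question appends manually when UAG is not in the path.
                 Copy the homeRealm value exactly as shown under Federation Service Properties:
                 AD FS compares it case-sensitively, so a capitalisation mismatch brings the
                 HRD page back. -->
            <wsFederation passiveRedirectEnabled="true"
                          issuer="https://sts.contoso.example/adfs/ls/"
                          realm="https://portal.contoso.example/"
                          homeRealm="http://sts.partner.example/adfs/services/trust"
                          requireHttps="true" />
            <cookieHandler requireSsl="true" />
          </federatedAuthentication>
        </service>
      </microsoft.identityModel>
    </configuration>
    ```

    With this in place the redirect WIF builds carries wa=wsignin1.0, wtrealm set to the realm value and whr set to the homeRealm value (URL-encoded), which is what AD FS 2.0 uses to skip HRD. Two caveats: a homeRealm that AD FS does not recognise as a configured claims provider trust is ignored and the HRD page is shown as before, and on .NET 4.5 the same attribute lives on the wsFederation element under system.identityModel.services/federationConfiguration rather than microsoft.identityModel.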
  • Hi Idan,

    I came across your answer when searching for a way to hide the HRD page from the users of the different partners. This is exactly what I am looking for, but unfortunately I cannot open the page or get to the document :(

    Is there another link to the doc? Can I find it somewhere else? I already searched the Internet for it, but your post is the only place where I have a link to the doc....

    Many thanks in advance for your answer,

    BR,

    STU

    Monday, October 21, 2013 2:18 PM