Multiple ADFS signin pages on the basis of domain name

  • Question

  • I have 1 (Company.com) domain name in ADS and have CompanyA, CompanyB and CompanyC as UPN suffixes, so the users have UPNs such as user@Company.com, user1@CompanyA.com, user2@CompanyB.com and user3@CompanyC.com. We also have 1 tenant on O365 in which CompanyA, CompanyB and CompanyC are verified and federated to adfs.Company.com, which gives me a common page for all users (user1@CompanyA.com, user2@CompanyB.com and user3@CompanyC.com).

    Now I have a requirement to have different login pages for users on the basis of the domain of the entered username. For instance, user@Company.com should go to adfs.company.com, user1@CompanyA.com --> adfs.companyA.com, user2@CompanyB.com --> adfs.companyB.com and user3@CompanyC.com should go to adfs.CompanyC.com, and I should have separate themes and logos for all these ADFS URLs.

    I thought of having separate ADFS farms for these domain names but found that it is recommended to have only 1 farm in a domain. Also, it is cumbersome and expensive to have 4 ADFS pairs (2 ADFS servers and 2 proxy servers for each domain), i.e. 16 servers.

    Then I found on the internet that we can have different login pages for different relying party trusts, but that is not my case. I wish to have multiple login pages per relying party (O365) or app.

    Any suggestions to achieve this, or any alternative? I have ADFS 3.0 currently and Server 2016 as domain controllers.

    Thanks, Rishi Pandit.

    Tuesday, June 12, 2018 6:10 AM

All replies

  • Hello,

    Any suggestions?


    Thanks, Rishi Pandit.

    Thursday, June 14, 2018 3:16 PM
  • First of all, you can have multiple ADFS services within the same AD domain as long as they have unique names.
    I'm not sure, though, if that is the solution for you, since you only have one O365 tenant as far as I understood.

    You basically want to prompt different forms-based pages for the same service provider (relying party trust) depending on which username they enter in the form?

    The problem that I see in this case is that the service provider is federated with one IdP (for all users), so it doesn't matter if it's a user from CompanyA, CompanyB or CompanyC; they all get redirected to the same IdP. In this case it's the IdP that provides the login page for the users, but often in this case the IdP is not aware of the user or of any realm for the user, because it has not done any authentication yet and has no other information about the user. This makes it kind of difficult for the IdP to show different pages for different users, because it does not know anything about the user at this step.

    Wednesday, June 20, 2018 6:39 AM
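The reply above explains why the IdP cannot pick a page before it knows anything about the user: at the forms page the only signal available is the username the person is typing. The following is an added example, not code from this thread or from Microsoft, of the client-side branding logic that could live in an ADFS web theme's onload.js (ADFS on Windows Server 2012 R2 and later lets a theme ship an onload.js via Set-AdfsWebTheme -AdditionalFileResource). It reads the UPN suffix from the username box and swaps logo and heading for that suffix; the suffix-to-branding table, the element ids (`userNameInput`, `brandLogo`, `brandHeading`) and the image paths are assumptions for this example. Note what the example does not do: it never changes which IdP authenticates the user or which authentication policy applies, and it only honours suffixes listed in its own table, so a typed value can never inject arbitrary content into the page.

```javascript
// Added example (not from the thread): branding the ADFS forms sign-in page by UPN suffix.
// Constructed table of UPN suffixes the page is willing to brand for. Anything not
// listed here falls back to DEFAULT_KEY. Logo paths are assumptions.
const BRANDING = {
  "company.com":  { name: "Company",  logo: "/adfs/portal/images/company.png" },
  "companya.com": { name: "CompanyA", logo: "/adfs/portal/images/companya.png" },
  "companyb.com": { name: "CompanyB", logo: "/adfs/portal/images/companyb.png" },
  "companyc.com": { name: "CompanyC", logo: "/adfs/portal/images/companyc.png" },
};
const DEFAULT_KEY = "company.com";

// Extract the UPN suffix (the part after the last '@'), lower-cased, or null when the
// value has no usable suffix: empty input, DOMAIN\user (NetBIOS form), a bare '@',
// or a suffix that is not a plausible DNS name.
function upnSuffix(username) {
  if (typeof username !== "string") return null;
  const value = username.trim().toLowerCase();
  const at = value.lastIndexOf("@");
  if (at < 1 || at === value.length - 1) return null;
  const suffix = value.slice(at + 1);
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(suffix) ? suffix : null;
}

// Pick the branding entry for a username. Only exact, known suffixes are honoured;
// hasOwnProperty guards against prototype names such as "constructor".
function selectBranding(username) {
  const suffix = upnSuffix(username);
  const known = suffix !== null && Object.prototype.hasOwnProperty.call(BRANDING, suffix);
  const key = known ? suffix : DEFAULT_KEY;
  return { key, name: BRANDING[key].name, logo: BRANDING[key].logo };
}

// Apply the chosen branding to the page. Element ids are assumptions for this example;
// only src/alt/textContent are written, never HTML, so the typed value cannot inject markup.
function applyBranding(doc, branding) {
  const logo = doc.getElementById("brandLogo");
  if (logo) {
    logo.src = branding.logo;
    logo.alt = branding.name;
  }
  const heading = doc.getElementById("brandHeading");
  if (heading) heading.textContent = "Sign in to " + branding.name;
  return branding.key;
}

// Wire the username box to the branding update when running in a browser.
// userNameInput is the id the ADFS forms page uses for the username field (assumption).
if (typeof document !== "undefined") {
  const input = document.getElementById("userNameInput");
  if (input) {
    const update = () => applyBranding(document, selectBranding(input.value));
    input.addEventListener("input", update);
    update();
  }
}
```

Because this runs entirely in the browser it is cosmetic only: the relying party still federates to the single IdP, and the server-side authentication policy is unchanged. Keeping the table to exact, known suffixes also means the page does not reveal anything about tenants beyond the logos the administrator chose to ship in the theme.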
  • You basically want to prompt different forms-based pages for the same service provider (relying party trust) depending on which username they enter in the form?
     - Yes

    So in my case, I believe that I will have to create an ADFS farm (& a proxy) for each UPN suffix. Correct?

    Thanks, Rishi Pandit.

    Friday, June 22, 2018 11:03 AM
  • You may be able to do something along these lines?


    Sunday, June 24, 2018 7:18 PM