ADFS 2.0 Home Realm Discovery - Defaulted?

  • Question

  • Hi all, let's say there's an ADFS 2.0 system that was set up to be used for getting Single Sign On access to a bunch of different third party websites that support ADFS connections. Those third party websites could be using either WIF or SAML based apps to facilitate the federation with ADFS, who knows. After a while, about 10 different relying parties were configured in that ADFS system and all is good. Out of the blue, a new project comes up where an in-house SharePoint app needs to be set up so that a company outside of the organization can access that SharePoint app via SSO using the existing ADFS system. So now, to support that SP/SSO app, you have to add a new Claims Provider Trust to the ADFS configuration. When that happens, the next time a user goes to access one of the 10 existing Relying Party apps, a new Sign On screen appears asking which Identity Provider they want to use. The user calls the help desk and reports the issue. So do a bunch of other users. The next thing that happens is that the new claims provider trust is removed from the ADFS configuration. Is there any way to set up the ADFS system so that, after the second claims provider trust is added, when a user goes to access any of the 10 existing relying party websites, the home realm defaults to the original ADFS claims provider trust, which is the company's Active Directory? I'm hoping that this can be done and I don't have to ask any of the Relying Parties' administrators to change anything on their side.

    Thanks for taking the time to read this and any feedback would be much appreciated.

    Thursday, March 31, 2016 11:46 AM

Answers

  • I'm not aware of an easy way to achieve that easily on ADFS 2.0. It is however an out of the box feature in ADFS on Windows Server 2012 R2 (aka ADFS 3.0).

    So I would recommend upgrading your environment to Windows Server 2012 R2 first, following the guidance available here: https://technet.microsoft.com/en-us/library/dn486819.aspx

    Then you can tweak the HRD in different ways. You can associate a claims provider with a relying party.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Friday, April 1, 2016 12:53 PM
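The per-relying-party claims provider association the answer refers to is configured with the AD FS PowerShell module on Windows Server 2012 R2. The script below is an added example, not code from either poster: it pins the existing relying parties to the local "Active Directory" claims provider so their users never see the HRD page, leaves the new SharePoint relying party as the only one offering both identity providers, and then audits for any relying party still open to every claims provider. The relying party names and the partner claims provider trust name are placeholders; `Set-AdfsRelyingPartyTrust -ClaimsProviderName` and the `ClaimsProviderName` property on `Get-AdfsRelyingPartyTrust` output are the documented AD FS cmdlet and parameter.

```powershell
# Added example (not from the thread). Run on the primary AD FS 3.0 server
# (Windows Server 2012 R2) as an AD FS administrator.
# Assumptions: the local forest's claims provider trust has its default name
# "Active Directory"; every relying party name and the partner IdP name below
# are placeholders to be replaced with the real display names.
Import-Module ADFS

$localIdp = 'Active Directory'            # default name of the local AD claims provider trust

# Placeholder names of the ten pre-existing third-party relying parties.
$existingRps = @(
    'Third-Party App 1',
    'Third-Party App 2'
)

foreach ($rp in $existingRps) {
    # Restricting the list to a single claims provider makes AD FS skip the
    # HRD prompt for this relying party and send users straight to AD.
    Set-AdfsRelyingPartyTrust -TargetName $rp -ClaimsProviderName @($localIdp)
}

# Only the new SharePoint relying party should offer both identity providers,
# so external users can pick their own IdP while internal users keep AD.
$partnerIdp = 'Partner Company IdP'       # placeholder claims provider trust name
Set-AdfsRelyingPartyTrust -TargetName 'Partner SharePoint' `
    -ClaimsProviderName @($localIdp, $partnerIdp)

# Audit: an empty ClaimsProviderName means "all claims providers", which is
# exactly the configuration that brings the HRD page back for that app.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, ClaimsProviderName |
    Where-Object { -not $_.ClaimsProviderName } |
    ForEach-Object {
        Write-Warning "Relying party '$($_.Name)' still prompts users for a home realm"
    }
```

Because the restriction lives in the relying party trust on the AD FS side, none of the third-party relying party administrators need to change anything, which is the constraint the question sets. Re-running the audit query after each new claims provider trust is added is a cheap check that no existing relying party has silently reverted to the prompt.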