Automating Home Realm Discovery for ADFS published through UAG RRS feed

  • Question

  • Hi Supporters,

    I need information on how to hide or automate the Home Realm Discovery page of ADFS, which is published through UAG array on a Federated UAG Trunk.

    I have published OWA on a Federated Trunk, but when a user from a specific Claim (Identity) Provider opens the link, the user is able to see all of the organizations which are configured as IdPs on my ADFS server. So I want to hide this or configure the page so that it can recognize to which organization the user belongs (based on UPN, for example).

    Normally this is not that challenging (when ADFS is accessed directly), but when it goes over UAG there seem to be some specifics.

    I found a post in the same Forum, but the link which contains the guide is not operational any more :(

    I also wrote in the same newsgroup and wrote to the guy who answered it, but got no reply so far.

    Any help here will be highly appreciated!

    Many thanks to all in advance!

    BR,

    STU

    Friday, November 1, 2013 10:16 AM

Answers

  • Hi Stoyan,

    1. Please note that after the user chooses their Claim-Provider (Organization) and successfully authenticates, the ADFS will place a persistent cookie on the client machine, so they will not have to repeat this process again, and the next time they arrive at that ADFS server, they will be redirected directly to their organization's ADFS server, without the drop-down.

    2. In case you want to only allow a specific organization to access the UAG (i.e. all UAG users will be redirected to a specific organization's ADFS server, without seeing the other organizations), then you can just use the other org's ADFS as the UAG's ADFS and not your own ADFS. In other words, when you set up the ADFS repository in the UAG, you can provide the Metadata file from the other org's ADFS server instead of your own ADFS server. This will cause UAG to redirect all users to that specific ADFS server, and as long as that server has the UAG as a relying party (you need to send them the UAG metadata), you can skip the step of using your own ADFS (as in this scenario it is mainly used as a redirector).

    3. If you still need to use your own ADFS server, and just want to hard-code the initial home realm at that server, I believe the answer in the post you mention talks about modifying the <federatedAuthentication> tag in the UAG's web.config file. You can find this file under the ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\<Name_Of_Your_Trunk> directory. The post suggests adding a HomeRealm attribute pointing to a specific Home-Realm....

    4. If you need more "intelligent" automation of the Home-Realm, for example to direct the user to a different ADFS server based on the source IP of the request, etc., this may be much more complex, as you will need to write code and somehow "inject" it into the Home-Realm discovery page (can be done via AppWrap in case the ADFS server is published by the UAG, or in the ADFS page itself).

    Hope this helps...

    Ophir.

    ** Note added: Just re-read your initial question, you said: "...it can recognize to which organization the user belongs (based on UPN for example)." and you should be aware that this does not make sense, as you do not have any information about the user at this stage, as the user did not authenticate (the whole idea of redirecting the user to her ADFS server is for her to authenticate)...

    ---

    Ophir Polotsky



    Friday, November 1, 2013 1:12 PM
    Moderator
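As an added illustration of suggestion 3 (this is not code from the thread or from the UAG product), here is what a hard-coded home realm looks like in a WIF-style web.config such as the one under the trunk's ADFSv2Sites directory. The `homeRealm` attribute lives on the `<wsFederation>` element inside `<federatedAuthentication>`; when it is set, the WS-Federation module appends `whr=<value>` to the sign-in redirect it builds, and ADFS uses that hint to skip the Home Realm Discovery page and send the browser straight to the named claims provider. The host names, the realm identifiers and the exact elements surrounding `<federatedAuthentication>` are assumptions; the default (no `homeRealm`) fragment is kept alongside as a commented-out block to show the setting that causes the drop-down of all organizations to be rendered to unauthenticated visitors.

```xml
<!-- Added example (not from the thread or from UAG itself): the relevant part of a
     WIF-style web.config for a federated UAG trunk. Host names, realm identifiers
     and the exact nesting around <federatedAuthentication> are assumptions; compare
     with the file under ...\von\InternalSite\ADFSv2Sites\<Name_Of_Your_Trunk>. -->
<microsoft.identityModel>
  <service>

    <!-- Default: no home realm. The sign-in redirect carries only wa/wtrealm/wctx,
         so ADFS shows its Home Realm Discovery drop-down, which lists every
         configured claims provider to anyone who is not yet authenticated. -->
    <!--
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.contoso.example/adfs/ls/"
                    realm="https://owa.contoso.example/"
                    requireHttps="true" />
    </federatedAuthentication>
    -->

    <!-- Hard-coded home realm: the module appends whr=<homeRealm> to the redirect,
         so ADFS sends the user straight to that claims provider and the list of
         organizations is never rendered. The attribute holds a single value, so
         it covers one claims provider per trunk, and it must equal the claims
         provider trust identifier configured on the ADFS server. -->
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.contoso.example/adfs/ls/"
                    realm="https://owa.contoso.example/"
                    homeRealm="http://adfs.partner.example/adfs/services/trust"
                    requireHttps="true" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>

  </service>
</microsoft.identityModel>
```

Before editing, check that the existing file really nests the elements this way and keep a copy of the original; the only behavioural change this fragment makes is the extra `whr` parameter on the outbound sign-in request, which you can confirm in the browser's redirect chain.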

All replies

  • Hi,

    I forgot to copy the link of the newsgroup I found about this:

    Automating Home Realm Discovery for ADFS through UAG

    http://social.technet.microsoft.com/Forums/forefront/en-US/225e50fc-a5d7-415c-8695-abb0145ac8ee/automating-home-realm-discovery-for-adfs-through-uag?forum=forefrontedgeiag

    Thanks again!

    BR!

    Friday, November 1, 2013 10:19 AM
  • Hi Ophir,

    Thanks for your detailed reply. I must admit you are fully right... I couldn't describe my goal in its full complexity very correctly.

    I know of course that I am getting redirected to the ADFS and based on its configuration I am authenticated at the IdP site.

    I reviewed your suggestions, they are absolutely accurate, and I think I must find a way to implement number 4 (the most complex), because I need a more intelligent solution: basically recognizing the IdP and redirecting the user to his/her own ADFS server based on some criteria: IP, UPN, etc.

    Of course cookies are stored on the client side (browser), but still the first time a user hits the HRD he/she will see all of the other IdPs I have and can extract some information from this... This I want to avoid.

    Ophir, I couldn't fully understand your suggestion Nr. 3. Do you mean that I can hardcode the IdP in the link and provide different links for the different Claim providers? If this is the case, this will also work for me; I'll just have to configure separate links for every Claim provider and ever...

    Again many thanks for your help in advance....!

    I'll mark your post as an answer as I truly believe it is one :)

    Best Regards,

    Stoyan Chalakov

    Wednesday, November 6, 2013 8:59 AM
  • Hello Stoyan,

    The main issue here is the "Chicken/Egg" scenario. In order to direct the user to a specific IdP, you need to identify the user, and in order to identify the user, you need the user to authenticate with their specific IdP. So basically, you cannot really know in advance to which specific IdP to redirect the user, and the best way to do it is just to ask the user the first time, and keep that answer for the next times....

    My suggestions (2 & 3) were to address a situation where you are only accessing the published application from a specific organization, and therefore allow you to bypass the question for the user. But if users are arriving at UAG from different organizations, you must either keep the default (let the ADFS ask the user the first time) or try to "calculate" the IdP based on the very limited information that you may have, like the source IP of the machine the user accesses from, or the browser's language settings (in case of multiple countries), etc., which is usually not too reliable.

    In your post you said: "Normally this is not that challenging (when ADFS is accessed directly)" - can you please explain what you mean by that?

    Users usually do not access the ADFS directly. They access an application, and the application redirects them to the ADFS, which is what happens in the UAG scenario as well (as the UAG in this case is just an application)...

    Ophir.

    Wednesday, November 6, 2013 9:34 AM
    Moderator