Default domain when signing in using ADFS WAP?

  • Question

  • Hello Everyone

    Question 1: Is there another way to set a "default" domain that will be used when signing in using ADFS WAP?

    Question 2: Is the option to use domain\SAMAccountName instead of UPN when signing in going to be deprecated in future releases of ADFS? Should we just teach our users to use UPN and forget about using domain\SAMAccountName?

    In the past, using ADFS 2.0 Proxy our users would just enter their SAMAccountName and Password when signing in.

    With ADFS 3.0 WAP they need to enter the domain name in front (contoso\user1) of their SAMAccountName.

    Yes, I know they can use their UPN as another alternative, but that is not a good option for us since a large number of users have UPNs that are different from their e-mail addresses, so we'd like to avoid having to teach all users what their UPN is, and besides, using the UPN requires a lot more typing.

    I know that there is a way to automatically add the domain name using JavaScript (onload.js) but I'd like to avoid that for several reasons (mentioned further down).

    Something like:

    Set-ADFSWebApplicationProxy -DefaultDomain contoso.com

    ...would be awesome :-)

    My reasons for avoiding using onload.js to add domain name are:

    Using onload.js to automatically add the domain name doesn't strike me as being a 100% supported method by Microsoft. What if Microsoft changes/adds functionality to ADFS WAP that renders this method unusable in the future? We would then need to re-educate our +100000 users on how to sign in. They kind of already have done this with the UpdatePassword page (next).

    If a user needs to change their password they are transferred to the UpdatePassword page. The domain name (automatically added by onload.js) and SAMAccountName entered by the user are transferred to the user name field on the UpdatePassword page, which is excellent, BUT if the user goes directly to the UpdatePassword page the user name field contains a placeholder that says someone@example.com, and as far as I can tell there is no way to change the placeholder text from someone@example.com to "domain\SAMAccountName", nor is it possible to add the domain name (and a backslash) using onload.js in this situation. This is not very user friendly and quite confusing for regular users if they are used to just entering their SAMAccountName and don't understand that they can still enter their SAMAccountName, they just need to enter domain\ in front of it, or they can enter their UPN (which might not be the same as their e-mail address).

    Looking at the HTML code it looks like the elements that need to have their content changed have not been given any Element IDs. I'm far from a JavaScript expert but it's my conclusion that had Microsoft given these elements IDs then it would have been possible to change the contents using onload.js on the UpdatePassword page too.


    WORK

    Friday, December 4, 2015 12:05 PM

Answers

  • The following code works in both pages:

    var userNameInputField = document.getElementById("userNameInput") ;
    if ( userNameInputField ) {
    	userNameInputField.placeholder = "username" ;
    }

    Note that IE9 and IE8 do not support the placeholder property. So you would have to also detect and adapt this for legacy clients if you want to cover all possibilities.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, December 7, 2015 6:32 PM

All replies

  • I know that JavaScript is often perceived as gadget modifications. Like hosts files are dirty workarounds or hardcoded things... Fact is, the possibility is given by the product, hence you can do it. Just be careful not to prevent users from signing in :)

    What I don't like about the JavaScript things is that just by connecting to the page and looking at the code we can know what is the internal domain name. But obscurantism isn't security anyways...

    You can configure the Password Update page the same way to customize the sign-in page: http://blogs.technet.com/b/pie/archive/2015/09/02/accept-sam-account-name-as-a-login-format-on-an-ad-fs-form-based-password-update-page.asp



    Friday, December 4, 2015 3:04 PM
  • Hello Pierre

    Thank you very much for your answer.

    I will give it a try!

    Here's the working link in case someone else is interested too:

    http://blogs.technet.com/b/pie/archive/2015/09/02/accept-sam-account-name-as-a-login-format-on-an-ad-fs-form-based-password-update-page.aspx


    Friday, December 4, 2015 8:28 PM
  • Hello Pierre

    I couldn't get the script to work. It simply wouldn't execute.

    I then placed it BEFORE the script that adds domain\ to the user name on the Sign In page and voila... it worked :-D

    AWESOME !!!

    Is there a way to change the placeholder on the UpdatePassword page from "someone@example.com" to something else like "Network ID", just like you can on the Sign In page?

    On my Sign In page I use a case statement to detect what language is used and change the placeholder accordingly.

    var loginMessage = document.getElementById('loginMessage');

    // Change the Sign In button text
    // var submitButton = document.getElementById('submitButton');

    // loginMessage may be missing on other AD FS pages; skip instead of throwing on null,
    // which would stop the rest of onload.js from running
    if (loginMessage) {
        switch (loginMessage.innerHTML) {

            // English
            case 'Sign in with your organizational account':
                loginMessage.innerHTML = 'Sign in with your CONTOSO Network ID';
                document.getElementById("userNameInput").placeholder = "CONTOSO Network ID";
                // submitButton.innerHTML = 'Sign In';
                break;

            // Swedish (SE)
            case 'Logga in med ditt organisationskonto':
                loginMessage.innerHTML = 'Logga in med ditt CONTOSO Nätverks-ID';
                document.getElementById("userNameInput").placeholder = "CONTOSO Nätverks-ID";
                break;
        }
    }

    Monday, December 7, 2015 11:58 AM
  • OK this will set the placeholder to "username" and not take into account what language preference the user's browser has but I can totally use this... I've simply set the placeholder to "" which removes it completely. At least that won't confuse the users regarding what they are supposed to enter and if they are transferred to this page from the Sign In page because they need to change their password then domainName\Username is transferred too, which is great.

    I placed this script before the one I posted above and it seems to work great.

    The smaller script removes the placeholder on the UpdatePassword page and the longer script which I posted replaces the placeholder on the Sign In page to different examples depending on the user's browser.

    I don't mind the domain name is in the onload.js for everyone to see... given our company name it's pretty obvious what the domain name is anyway :o)

    Thank you very much !!!


    WORK

    Thursday, December 17, 2015 10:16 AM
  • A bit off topic but for anyone looking for the code to set a default domain for the login page and the password page the code can be found here: http://www.gi-architects.co.uk/2016/10/adfs-3-0-default-login-domain/


    Tuesday, October 18, 2016 9:37 PM
  • Thank you for sharing in the forum Luben.

    Linus || Please mark posts as answers/helpful if it answers your question.

    Wednesday, October 19, 2016 8:16 AM
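
Added example (not code from any poster in this thread, nor from Microsoft): one way to combine the two onload.js customizations discussed above, a default domain for bare SAMAccountNames and a username hint that degrades on browsers without placeholder support. `DEFAULT_DOMAIN`, the hint text and the function names are assumptions; `userNameInput` is the element ID used in the thread.

```javascript
// Constructed placeholder value; replace with your own NetBIOS domain name.
var DEFAULT_DOMAIN = "CONTOSO";

// Leave UPNs (user@domain) and domain\user untouched; prepend the default
// domain only to a bare SAMAccountName. Empty input stays empty.
function qualifyUserName(raw, defaultDomain) {
    var name = String(raw == null ? "" : raw).replace(/^\s+|\s+$/g, "");
    if (name === "" || name.indexOf("\\") !== -1 || name.indexOf("@") !== -1) {
        return name;
    }
    return defaultDomain + "\\" + name;
}

// Feature-detect the placeholder property (missing in IE8/IE9, as noted above).
function supportsPlaceholder(doc) {
    return "placeholder" in doc.createElement("input");
}

// Set the hint on the user name field and report how it was applied.
function applyUserNameHint(doc, text) {
    var field = doc.getElementById("userNameInput");
    if (!field) { return "no-field"; }       // page without a user name field
    if (supportsPlaceholder(doc)) {
        field.placeholder = text;
        return "placeholder";
    }
    field.title = text;                       // legacy fallback: tooltip only
    return "title";
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
    applyUserNameHint(document, "Network ID");
    var userField = document.getElementById("userNameInput");
    if (userField) {
        // Qualify when the user leaves the field, so they see what is submitted.
        userField.onblur = function () {
            userField.value = qualifyUserName(userField.value, DEFAULT_DOMAIN);
        };
    }
}
```

Because the null checks come first, the same file can be served on both the Sign In and UpdatePassword pages without one missing element stopping the rest of the script. As pointed out earlier in the thread, the domain string in onload.js is readable by anyone who can load the page.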