Skip to content

Disabling the ActiveDirectory claims provider trust in ADFS2

May 22, 2012

ADFS2 can be used as a resource STS (R-STS) instead of as an identity provider STS (IP-STS). A client of mine was using ADFS2 in this way because they needed SAML2-P support. ADFS2 was essentially brokering between the RP using SAML2-P and the IP-STS (which was thinktecture‘s IdentityServer (IdSrv)) which was using WS-Fed:

IdSrv was the only identity provider they wanted to use but ADFS2 was still displaying its home realm discovery (HRD) screen and asking the user which IP they wanted to use to authenticate because you can’t disable the ActiveDirectory claims provider trust in ADFS2. My client didn’t like this; they wanted to skip the HRD and redirect immediately to IdSrv.

Modifying the HRD and Login screens is allowed (if not supported) in ADFS2, but I suspect eliminating AD as a STS is frowned upon (if not unsupported). Sorry Microsoft — my client didn’t want AD in there. So to achieve this we modified the HomeRealmDiscovery.aspx.cs page to automatically choose IdSrv. It was as simple as removing two lines and adding one line of code:

protected void Page_Init( object sender, EventArgs e )
    // don't bother building the list of IPs
    // PassiveIdentityProvidersDropDownList.DataSource = base.ClaimsProviders;
    // PassiveIdentityProvidersDropDownList.DataBind();

    // automatically choose the IP we want
    // pass the claims provider identifier as configured in ADFS2

For those using ADFS2 for a while this approach is nothing new, but when searching for how to disable AD in ADFS2 not much turned up. HTH.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: