question

HauKitWong-1160 avatar image
0 Votes"
HauKitWong-1160 asked ·

Select domain at ADFS login page

My ADFS connect to two AD Domain for authentication, can I let users select the domain they belong instead of typing the domain name?

adfs
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

piaudonn avatar image
1 Vote"
piaudonn answered ·

In general, we would really try to make the options I mentioned earlier fit.

But if you feel like it is not possible, here is a sample solution provided "as-is".

Step 1 - Create a new webtheme

First you need to know what is the active theme:

 Get-AdfsWebConfig | Select-Object ActiveThemeName
    
 #output
 #ActiveThemeName
 #---------------
 #default

Then you can create a new theme based on the active one:

 New-AdfsWebTheme -Name DomainHint -SourceName Default

Step 2 - Export the custom theme to the file system to be able to access the JavaScript**

First you need to create a folder:

 mkdir C:\ADFS_DomainHint

Then you can export the files into it:

 Export-AdfsWebTheme -Name DomainHint -DirectoryPath C:\ADFS_DomainHint

Step 3 - Modify the onload.js file located in C:\ADFS_DomainHint\script

At the end of the file, add the following:

 // Check whether the userNameArea div is present on this page.  
 var userNameArea = document.getElementById('userNameArea');  
 if (userNameArea)  
 {  
         // Prepare the dropdown list
     var domain1 = "V";
     var domain2 = "V-TEX";
     var dropDown = "<select id=\"pickDomainHint\" name=\"domainHint\"><option value=\""+ domain1 +"\">"+ domain1 +"</option><option value=\""+ domain2 +"\">"+ domain2 +"</option></select>" ;
     // Detect if there was a previous attempt with username (case where a user typed a wrong password)
     var userHint = document.getElementById("userNameInput").value.split("\\").pop() ;
     // Replace with the entire area
     var newArea = "<label class=\"hidden\" id=\"userNameInputLabel\" for=\"userNameInput\">User Account</label>\r\n" ;
     newArea += "<input name=\"UserName\" tabindex=\"1\" class=\"text fullWidth\" id=\"userNameInput\" spellcheck=\"false\" type=\"email\" placeholder=\"samaccountname\" value=\""+ userHint +"\" autocomplete=\"off\" style=\"width:60%;\">" ;
     newArea += "&nbsp;" + dropDown ;
     userNameArea.innerHTML = newArea ;
    
     // Override of the submitLoginRequest function
     if (typeof Login != 'undefined'){  
         Login.submitLoginRequest = function () {   
             var u = new InputUtil();  
             var e = new LoginErrors();  
             var userName = document.getElementById(Login.userNameInput);
             var domainHint = document.getElementById("pickDomainHint");
             var password = document.getElementById(Login.passwordInput);  
             if (!userName.value)
             {  
                 u.setError(userName, e.userNameFormatError);  
                 return false;  
             } else {
                 var userNameValue = domainHint.value +"\\"+ userName.value;
                 document.getElementById("pickDomainHint").style.display = "none" ;
                 document.getElementById(Login.userNameInput).style.width = "100%" ;
                 document.forms['loginForm'].UserName.value = userNameValue;                  
             }
      
             if (!password.value)   
             {  
                 u.setError(password, e.passwordEmpty);  
                 return false;  
             }  
                 document.forms['loginForm'].submit();  
                 return false;  
         };  
     }
 }  


Of course you need to edit the lines 6 and 7 with the actual NetBIOS name of your domains. The script is a bit tricky because it is overriding the default input elements. Which is really not recommended as it can behave differently on different browsers. So you'll need to test it thoroughly.

Once you have modify the onload.js file, you need to re-import in into the webtheme:

 Set-AdfsWebTheme -TargetName DomainHint -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\ADFS_DomainHint\script\onload.js"}

Note that at this point, we don't need to keep a copy on the file system, it imports it into the ADFS database. However, better keep an easy to access copy for reference.

Step 4 - You enable the new webtheme

To activate it, run the following command:

 Set-AdfsWebConfig -ActiveThemeName DomainHint

Note that all commands need to be run on the Primary ADFS server.




· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Good solution! Very detail, thanks for your help very much!

0 Votes 0 · ·
piaudonn avatar image
1 Vote"
piaudonn answered ·

Are those domains in the same forest?

If so, you could set the same UPN suffix for both domains and then use the JavaScript trick to autocomplete: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages#customizing-the-ad-fs-sign-in-experience-by-using-onloadjs (the "Example 2: accept SAM-account name as a login format on an AD FS form-based sign-in page" section, you can customize it to work with UNPs).

You could also have them sign-in with their email address for example: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

If the above doesn't fit your needs, we can always do a custom JavaScript that will display a drop down menu for your users... but it will then disclose what is your internal domain names (since the JavaScript will be loaded on the client side, which by the way is the case too for the suggested solution in my first point).

Let us know what you prefer!

· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for your help! Those domains are not in the same forest, but they are trusted.
And I prefer create a JavaScript to display drop down menu.

0 Votes 0 · ·