
CedricD-1021 asked ·

Bypass HRD and redirect to a specific IdP based on client network

Hello,

I have an ADFS 2016 where I have configured 2 Claims Providers (Active Directory and an LDAP Local Claims Provider).
I would like to avoid the HRD page if the user is on the internal network and use the other if the user is on the external network or if the IWA is not working.

Here is my configuration:

  • ADFS 2016

  • Active Directory for Claims Provider

  • An LDAP Local Claims Provider

  • A RelyingParty Trust in SAML 2.0


My use cases: bypass the HRD and

  • if access is from the internal network: log in with IWA and AD, and fall back to the Local LDAP form

  • if access is from the external network (public IP): log in with the form and Local LDAP



I followed this link to configure my HRD page : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/home-realm-discovery-customization#configure-an-identity-provider-list-per-relying-party

  • I have configured an identity provider list for my relying party: Set-AdfsRelyingPartyTrust -TargetName myApplication -ClaimsProviderName @("Active Directory", "Local LDAP")

  • I set this parameter to True to bypass HRD for the intranet: Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

If I go to my Relying Party, I'm redirected to the HRD.

  • If I choose "Active Directory", the IWA works and I'm successfully authenticated.

  • If I choose "Local LDAP", I fill in the form, and it's OK.

So I did some tests:

  • If I set only "Active Directory" in the identity provider list for my relying party, I bypass the HRD page and IWA authenticates me directly.

  • If I set only "Local LDAP" in the identity provider list for my relying party, I bypass the HRD page and I use the login form.


If I understand this disclaimer on the previous link correctly, my configuration should bypass the HRD and use IWA for my use cases:


> Please note that if an identity provider list for a relying party has been configured, even though the previous setting has been enabled and the user accesses from the intranet, AD FS still shows the home realm discovery (HRD) page. To bypass HRD in this case, you have to ensure that "Active Directory" is also added to the IDP list for this relying party.

Could you help me to understand where I made a mistake, please?

Maybe I forgot to configure something?
Thanks a lot for your help.
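As an added example that is not part of the original post (and not Microsoft's own documentation or code), the following PowerShell reads back the three settings the quoted documentation ties to bypassing HRD and reports which of them are actually in place on the farm, so the configuration can be verified before anything else is changed. It assumes the names used in the post ("myApplication" for the relying party, "Local LDAP" for the local claims provider) and the standard ADFS module cmdlets; it only reads, it changes nothing.

```powershell
# Added verification script (not from the original post). Run on an AD FS
# server in an elevated PowerShell session with the ADFS module available.
Import-Module ADFS

$rpName  = 'myApplication'   # relying party name taken from the post
$localCp = 'Local LDAP'      # local claims provider name taken from the post

# 1. Global intranet setting mentioned in the documentation.
$props = Get-AdfsProperties
$intranetLocal = [bool]$props.IntranetUseLocalClaimsProvider
"IntranetUseLocalClaimsProvider : $intranetLocal"

# 2. Per-relying-party identity provider list (the ClaimsProviderName property).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
$idpList = @($rp.ClaimsProviderName)
"IdP list on '$rpName'           : $($idpList -join ', ')"

# 3. Names the farm actually knows: claims provider trusts (includes the
#    built-in 'Active Directory') plus LDAP local claims provider trusts.
$known  = @(Get-AdfsClaimsProviderTrust      | Select-Object -ExpandProperty Name)
$known += @(Get-AdfsLocalClaimsProviderTrust | Select-Object -ExpandProperty Name)
"Known claims providers          : $($known -join ', ')"

# Evaluate the conditions the documentation's note describes.
$checks = [ordered]@{
    'IntranetUseLocalClaimsProvider is $true'      = $intranetLocal
    '"Active Directory" is in the RP IdP list'     = ($idpList -ccontains 'Active Directory')
    "'$localCp' is in the RP IdP list"             = ($idpList -ccontains $localCp)
    'Every RP IdP list entry matches a known name' = (@($idpList | Where-Object { $known -cnotcontains $_ }).Count -eq 0)
}

foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    "[$status] $name"
}

# Entries that do not match a provider name exactly (case-sensitive) are the
# usual reason an IdP list behaves differently from what was intended.
$unmatched = @($idpList | Where-Object { $known -cnotcontains $_ })
if ($unmatched.Count -gt 0) {
    "Unmatched IdP list entries: $($unmatched -join ', ')"
}
```

The comparisons use the case-sensitive `-ccontains` operator on purpose: the relying party's IdP list is stored as plain strings, so an entry that differs from the claims provider trust's display name only in case or spacing shows up here as a FAIL rather than silently being ignored at sign-in time.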

adfs

0 Answers