Thursday, May 29, 2014

ADFS : Customising the screen for ADFS 2012 R2 or ADFS 3.0 or ADFS 2.2

Update:

More comprehensive write-up here.

Apologies for the title, but there doesn't seem to be a standard for what the R2 version of ADFS is called, so I included them all to ease the Google / Bing / Duck Duck Go search.

If there's one question that has become flavour of the month lately, this is it. There are many questions around customising the logon / login / sign on pages.

Some of them refer to customising the pages for Multi-Factor Authentication (MFA). Just remember that you can now do this with a Microsoft solution. Refer: Azure Multi-Factor Authentication. Note that this doesn't have to be cloud based. There is an on-premise variation.

In ADFS 2.0, the functionality was implemented as a web site running on IIS, so you could customise to your heart's content by changing the .aspx and the .cs pages.

My guess is that some people who didn't really understand the implications of what they were doing customised the pages in sub-standard ways, things went wrong, and Microsoft copped the blame for pushing a crap product.

Remember - security in a web application is hard - writing a security application is even harder.

So in ADFS 3.0 this was all locked down. The biggest change was that it no longer uses IIS.

Refer: First Impressions – AD FS and Windows Server 2012 R2 – Part I

There are some PowerShell commands you can use to customise the screens.

Refer: Customizing the AD FS Sign-in Pages

and Advanced Customization of AD FS Sign-in Pages.
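The supported customisation path, as an added example that is not from the original post or from Microsoft's documentation: the AD FS cmdlets on a 2012 R2 server export and clone the built-in theme, swap the images, stylesheet and text, activate the result, and then read back what the farm will serve. The theme name, working folder, image files, link and text values are assumptions.

```powershell
# Added example: re-skin the AD FS 2012 R2 sign-in pages with the AD FS
# cmdlets rather than touching the service's binaries. Run in an elevated
# PowerShell session on the AD FS server (primary server in a farm).
# Theme name, folder, image paths, link and text are assumptions.
$ErrorActionPreference = 'Stop'
$ThemeName    = 'contoso'                    # assumed custom theme name
$WorkDir      = 'C:\adfs-theme'              # assumed working folder
$Logo         = "$WorkDir\logo.png"          # assumed, supplied by you
$Illustration = "$WorkDir\illustration.png"  # assumed, supplied by you

# 1. Export the built-in theme so its CSS and onload.js can be edited as a
#    starting point instead of being written from scratch.
Export-AdfsWebTheme -Name default -DirectoryPath $WorkDir

# 2. Clone the default theme; the built-in one cannot be edited in place.
New-AdfsWebTheme -Name $ThemeName -SourceName default

# 3. Swap the logo and the left-hand illustration, and point the theme at
#    the (edited) exported stylesheet. locale '' applies to all locales.
Set-AdfsWebTheme -TargetName $ThemeName `
    -Logo         @{ path = $Logo } `
    -Illustration @{ path = $Illustration } `
    -StyleSheet   @{ locale = ''; path = "$WorkDir\css\style.css" }

# 4. Text shown on every page comes from the global web content, not
#    from the theme.
Set-AdfsGlobalWebContent `
    -CompanyName 'Contoso' `
    -SignInPageDescriptionText 'Sign in with your Contoso account.' `
    -HelpDeskLink 'https://intranet.contoso.example/helpdesk' `
    -HelpDeskLinkText 'Help desk'

# 5. Make the new theme the one the sign-in pages actually use.
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# 6. Read the configuration back to confirm what will be served.
Get-AdfsWebConfig | Select-Object ActiveThemeName
Get-AdfsWebTheme -Name $ThemeName
Get-AdfsGlobalWebContent | Select-Object CompanyName, SignInPageDescriptionText
```

Anything placed in the theme's onload.js runs in every user's browser on the sign-in page, so keep edits to the exported script under the same change control as the rest of the federation service.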

There are some good suggestions here:

adfs 2012 R2 forms authentication default login domain

Beware: one of the suggestions here is to modify the .dll. I would strongly suggest that you don't go down this particular rabbit hole!

And a good write up here:

Handling Expired Passwords in AD FS 2012 R2

Enjoy!

3 comments:

TicArch said...

Hi,
I saw your recent comment on Stack Overflow about the ADFS 2012 features.
I am trying to figure out if we can have different ADFS login pages for different websites connected to an ADFS 3.0.
Please let me know if it is possible.

Anonymous said...

Yes, we are also looking for a way to customize login pages for each relying party in ADFS 3.0. Let us know if this is possible in this product.

I know that in Ping Federate this is possible.

nzpcmad said...

I don't know of a way to do this.