ADFS 2016 – Change the Active Directory claim provider display name in the Home Realm Discovery page


In Windows Server 2012 R2 ADFS (well that everybody calls ADFS 3), the display name of the ADFS farm was also the display name of the Active Directory claim provider name in the Home Realm Discovery page.

Get-AdfsProperties | Select-Object DisplayName
#Output:
#DisplayName
#-----------
#Yoga Corp.

Here what it looked like:

hrd_name_0

And this regardless of the actual name of the claim provider trust for AD:

Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" | Select-Object Name
#Output:
#Name
#----
#Active Directory

In Windows Server 2016 ADFS (also known as ADFS 4...) this isn't the case anymore. The display name of the farm is no longer the display name of the Active Directory claim provider trust. As a result, the Home Realm Discovery page will look like this:

hrd_name_1

We can see that the display name of my farm is Piaudonn ADFS 2016 and that the display name of my AD claim provider is Active Directory. Some PowerShell to illustrate the difference:

Get-AdfsProperties | Select-Object DisplayName
#Output:
#DisplayName
#-----------
#Piaudonn ADFS 2016

Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" | Select-Object Name
#Output:
#Name
#----
#Active Directory

So the first reflex we have to change it since it is no longer the display name of the farm, is to change the name of the AD claim provider trust directly:

Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" | Set-AdfsClaimsProviderTrust -Name "Corp Users"

But here is the output:

Set-AdfsClaimsProviderTrust : PS0027: No properties except AcceptanceTransformRules and AcceptanceTransformRulesFile
can be modified on the ADAuthority claims provider trust.

So, here is a workaround.

JavaTrick

We will use the OnLoad.js JavaScript present in all rendered page to dynamically change the display name "Active Directory" into what ever we want. In my case: Corp Users.

  1. Create a custom web theme for you ADFS farm.
    Note that JavaScript customization cannot be done for the default web theme. If you already have a custom web theme, you can skip this and go to step 2.

    New-AdfsWebTheme -Name CorpWebTheme -SourceName Default

    If you already have set a logo and an illustration picture in the default theme, because I used the Default as the source, they will automatically be present in the newly created CorpWebTheme.

  2. Export the current OnLoad.js to be able to modify it.
    We create the folder C:\CorpWebTheme and run the following cmdLet:

    Export-AdfsWebTheme -Name CorpWebTheme -DirectoryPath C:\CorpWebTheme

    This is what we get in our folder:

    C:\>tree /F C:\CorpWebTheme
    Folder PATH listing
    Volume serial number is 5C78-23B0
    C:\CORPWEBTHEME
    ├───css
    │       style.css
    │       style.rtl.css
    │
    ├───illustration
    │       illustration.png
    │
    ├───images
    │   └───idp
    │           idp.png
    │           localsts.png
    │           otherorganizations.png
    │
    └───script
            onload.js

    We can see the onload.js in the script subfolder.

  3. Modify the JavaScript.
    We need to detect what is the identifier of the Active Directory display name in the HTML rendering. I use the developer mode of IE (just pressed F12) and use the DOM selector to identify where in is the string is in the page:
    hrd_name_2
    Not a good news, it seems that the claim provider trust display names do not have a unique identifier and they all have the same class:
    hrd_name_3
    And it seems that the Active Directory claim provider trust is always the last one (bottom of the list, at least it my labs, if it is not the case in yours, please let me know). Update: I changed the orignal code since it appears that the Active Directory claim provider trust is not always at the end of the list. Hence, the code is looking for the AD trust before replacing its display name.
    So I open the onload.js and add the following code at the end of it:

    //Check if we are in the HRD page
    if ( document.getElementById("hrdArea") ) {
    	var strADCPName = "Corp Users" ;
    	//Create an array of all claim provider trust section in the page
    	var listAllSpanForIdp = document.getElementsByClassName("idpDescription float") ;
    	var inc;
    	for (inc = 0; inc < listAllSpanForIdp.length; inc++) {
    		if ( listAllSpanForIdp[ inc ].innerHTML == "<span class=\"largeTextNoWrap indentNonCollapsible\">Active Directory</span>" ) {
    			//Change the HTML content of the matching section to the value specified in the strADCPName variable
    			listAllSpanForIdp[ inc ].innerHTML = "<span class=\"largeTextNoWrap indentNonCollapsible\">"+ strADCPName +"</span>" ;
    		}
    	}
    }

    The code is quite self explanatory, I change the HTML content last occurrence of the class "idpDescription float" and replace it with "Corp Users". I save the file with the same name (we can actually give it the name you want, it does not matter).

  4. Import the modified OnLoad.js script back into the web theme.
    I import the script back into the web theme:

    Set-AdfsWebTheme -TargetName CorpWebTheme -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\CorpWebTheme\script\onload.js"}

    Once imported you can delete the CorpWebTheme folder. It is no longer used (you imported your JavaScript directly into the ADFS database). And if the webtheme is not the active one, remember to enable it:

    Set-AdfsWebConfig -ActiveThemeName CorpWebTheme

And here is the final result:

hrd_name_4

Let me know how it goes in the comments section!

Comments (5)

  1. Shane says:

    Thanks Pierre, this is a very big help!

    Any recommendations for moving the entry back up to the top of the list as well which was the default in Windows 2012 R2 and earlier?

  2. JanZ says:

    Hi, thanks for this post. I just started to solve the same issue, but in my environment, “Active Directory” is placed as the first option, so script is changing the last CPT.
    What is worst, with multiple CPTs, there is “+” sign in redirect …&RedirectToIdentityProvider=AD+AUTHORITY which causing “page can’t be displayed”. When URI is updated to “AD%20AUTHORITY”, it works.

  3. HI Thanks for this information, really useful.
    Can you share some pointer on how we can reorder iDP providers per our need/design. Being Infra Admin have limited knowledge on JS. 🙂

  4. I Used below code to move Active Directory to Top, everything working fine.

    // begin 2016-01-17 customizations
    // HRD Page changed after upgrading to FBL of 2016
    //Check if we are in the HRD page
    if ( document.getElementById(“hrdArea”) ) {
    //debugger
    var strADCPName = “Corp Users” ;
    //Create an array of all claim provider trust section in the page
    var listAllSpanForIdp = document.getElementsByClassName(“idpDescription float”) ;
    //
    if(listAllSpanForIdp.length==4){
    var parent = document.createElement(“div”);
    document.getElementById(“bySelection”).append(parent);
    parent.append(listAllSpanForIdp[0].parentNode);
    parent.append(listAllSpanForIdp[1].parentNode);
    parent.append(listAllSpanForIdp[0].parentNode);
    }else if(listAllSpanForIdp.length==3){
    var parent = document.createElement(“div”);
    document.getElementById(“bySelection”).append(parent);
    parent.append(listAllSpanForIdp[0].parentNode);
    parent.append(listAllSpanForIdp[1].parentNode);
    }

    var inc;
    for (inc = 0; inc < listAllSpanForIdp.length; inc++) {

    if ( listAllSpanForIdp[ inc ].innerHTML == "Active Directory” ) {
    //Change the HTML content of the matching section to the value specified in the strADCPName variable
    listAllSpanForIdp[ inc ].innerHTML = “”+ strADCPName +”” ;
    //document.getElementById(“bySelection”).prepend(listAllSpanForIdp[inc].parentNode);
    }

    }
    }

    1. Hi,

      Regarding the reordering, why are you looking for a length of 4 or 3? What is so special about the 3 or 4 length?
      The list of IdPs in general is dynamic as you may add or remove an IdP. The code should take that into account
      In addition, per RP trust you can also specify a list of IdP that are allowed to use that Rp trust and that list is a subset of the overall list of IdPs. Again, the code should take that into account.
      It should not matter how long the IdP list is

      Is it possible to make this dynamic where the logic is something like:
      * if more than 1 IdP is listed and the AD IdP is included, then move that IdP to the top.

Skip to main content