Tip of the Day: ADFS Home Realm Discovery Enhancements

Today’s Tip…

In AD FS 2.x, users had to choose their IDP from a drop-down list. This posed a few issues. With a large number of IDPs it could be difficult to find the correct one, especially if the user was unsure of its exact name. Choosing the wrong one resulted in a poor experience, because the user then had to clear their cookies manually before they could choose again.

The product group (PG) substantially enhanced the Home Realm Discovery experience in AD FS in 2012 R2, especially for larger service providers.

  • "Local" users can bypass home realm discovery. 

If the request does not come through the proxy (that is, the user is on the intranet), the administrator can set a flag that bypasses home realm discovery and assumes the user authenticates against the local Active Directory store.


  • Administrators can register UPN suffixes for each IDP.

The net result is that users enter their UPN (or email address) into the sign-in form and, based on the suffix, AD FS automatically directs them to the correct IDP.

  • Administrators can register specific IDPs with each relying party.

The result is that the home realm discovery list for that application only contains the IDPs registered for it.
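The three settings above, configured with the AD FS PowerShell cmdlets, as an added example that is not part of the original post. The trust names "Partner IdP" and "Claims App" and the suffix "partner.example" are assumed placeholders; the cmdlets and parameters are the ones shipped with AD FS in Windows Server 2012 R2.

```powershell
# Added example (not from the original post): configuring the three HRD
# enhancements on an AD FS 2012 R2 farm from an elevated PowerShell session.
# "Partner IdP", "Claims App" and "partner.example" are assumed placeholders.
Import-Module ADFS

# 1. Intranet users skip HRD and authenticate against the local AD store.
#    Only affects requests that do not arrive through the proxy.
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

# 2. Map UPN / e-mail suffixes to a claims provider trust so AD FS routes on
#    the suffix the user types instead of showing the full drop-down list.
Set-AdfsClaimsProviderTrust -TargetName "Partner IdP" `
    -OrganizationalAccountSuffix @("partner.example", "mail.partner.example")

# 3. Scope the HRD list for one relying party to the providers it actually
#    uses. "Active Directory" is the built-in local claims provider trust.
Set-AdfsRelyingPartyTrust -TargetName "Claims App" `
    -ClaimsProviderName @("Active Directory", "Partner IdP")

# Verify the resulting configuration before testing with a real user.
Get-AdfsProperties | Select-Object IntranetUseLocalClaimsProvider
Get-AdfsClaimsProviderTrust | Select-Object Name, OrganizationalAccountSuffix
Get-AdfsRelyingPartyTrust -Name "Claims App" |
    Select-Object Name, ClaimsProviderName
```

If a relying party is left with a single claims provider in ClaimsProviderName, AD FS skips the HRD page for that application entirely, so check the list after narrowing it.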