Tip of the Day: ADFS Home Realm Discovery Enhancements

Today’s Tip…

In AD FS 2.x, users had to choose their IDP from a drop-down list. This posed a few issues. With a large number of IDPs it could be difficult to find the correct one, especially if the user was unsure of its exact name. Choosing the wrong one resulted in a poor experience and required the user to clear their cookies manually.

The PG really enhanced the Home Realm Discovery experience in AD FS in 2012 R2, especially for larger service providers. 

  • "Local" users can bypass home realm discovery.

    If the user is not coming in through the proxy, the administrator can set a flag to bypass home realm discovery and assume the user authenticates against the local Active Directory store.

  • Administrators can register UPN suffixes for each IDP.

    The net result is that users can enter their UPN (or email address) into a web form and, based on the suffix, AD FS automatically directs them to the correct IDP.

  • Administrators can register specific IDPs with each relying party.

    The result is that the home realm discovery list only contains the IDPs that are actually used with that particular application.
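The following PowerShell is an added example, not code from the original tip, showing how the three enhancements above are configured on an AD FS 2012 R2 farm with the AD FS cmdlets, plus a small consistency check. The trust names ("Contoso IdP", "Expense Portal"), the suffixes and the application are placeholders; the check assumes the OrganizationalAccountSuffix property is exposed on the objects returned by Get-AdfsClaimsProviderTrust.

```powershell
# Added example (not from the original tip): configuring AD FS 2012 R2 home realm
# discovery. Trust names, suffixes and the application name are placeholders.
# Run from an elevated PowerShell session on a federation server.

Import-Module ADFS

# 1. Intranet users skip HRD and authenticate against the local AD claims provider.
#    Only affects requests that reach the federation server directly, not those
#    arriving through the Web Application Proxy.
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

# 2. Map UPN / e-mail suffixes to a claims provider trust, so a user who types
#    alice@contoso.com is routed to the Contoso IdP without seeing the IDP list.
Set-AdfsClaimsProviderTrust -TargetName "Contoso IdP" `
    -OrganizationalAccountSuffix @("contoso.com", "contoso.co.uk")

# 3. Restrict the HRD list for one relying party to the IDPs that serve it.
#    This is also a least-privilege control: only the listed IDPs can issue
#    identities to this application.
Set-AdfsRelyingPartyTrust -TargetName "Expense Portal" `
    -ClaimsProviderName @("Contoso IdP", "Active Directory")

# Consistency check: a suffix registered on more than one claims provider trust
# cannot be routed unambiguously, so report any duplicates before users hit them.
# Assumes each trust object exposes an OrganizationalAccountSuffix string array.
function Get-AdfsDuplicateAccountSuffix {
    $seen = @{}
    foreach ($cpt in Get-AdfsClaimsProviderTrust) {
        foreach ($suffix in @($cpt.OrganizationalAccountSuffix)) {
            if (-not $suffix) { continue }
            $key = $suffix.ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += $cpt.Name
        }
    }
    $seen.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Suffix          = $_.Key
                ClaimsProviders = ($_.Value -join ", ")
            }
        }
}

# Empty output means every registered suffix maps to exactly one IDP.
Get-AdfsDuplicateAccountSuffix
```

Review the duplicate-suffix report after every change to a claims provider trust: a suffix that silently lands on the wrong IDP is exactly the "poor experience" the tip describes, and the per-relying-party IDP list should be kept as short as the application genuinely needs.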

Comments (4)

  1. Mohan says:

    How to bypass HRD in ADFS 2.x?

  2. Lars Forsgren says:

    Found it.
    Set-AdfsClaimsProviderTrust -TargetName 'Claims provider name' -OrganizationalAccountSuffix @("maildomain.com","secondmail.com")
    Revert with
    Set-AdfsClaimsProviderTrust -TargetName 'Claims provider name' -OrganizationalAccountSuffix $null

  3. Lars Forsgren says:

    Not such a good tip when there's no example of how to create those examples.
    "Administrators can register UPN suffixes for each IDP", how?
    "Administrators can register specific IDPs with each relying party", how?

  4. Anonymous says:

    Hi Robert, where can I find more about this topic? We are a service provider and want to do this as you mention.

    The user experience should be exactly like the Azure login 😉 We do AzurePack…
