Channel: Claims based access platform (CBA), code-named Geneva forum

IP address based HRD in AD FS Windows Server 2012 R2


Hi,

At this moment I'm doing a project for a large financial customer in The Netherlands who plans to upgrade their AD FS 2.0 farms to AD FS Windows Server 2012 R2 (3.0).

The reason this customer needs to upgrade is that they are going to migrate from SharePoint 2007 to SharePoint 2013, and the latter uses dynamic URLs when you create a SharePoint App. Federating these with AD FS is only supported in the latest AD FS version.

The customer is using AD FS to federate with all web applications based on SharePoint technology and some other web applications. The customer is also using multiple IdPs (External, Government, Internal, Customers and Stakeholder organizations) for their Relying Party trusts and does not want users to have a selection screen to select the correct IdP before they log in. This is called Home Realm Discovery (HRD).

On their current platform they have customized the web.config and created a HomeRealmDiscovery.aspx.cs which determines the IP address of the source client and selects the correct IdP when they connect to a Relying Party Trust. This process is triggered to determine whether a user is on an internal client, but also to determine whether the user is coming from a specific external partner organization. In this case no users are asked to select their corresponding IdP when they log in to an application.

In AD FS 3.0 the HRD process is improved. You can now enable IntranetUseLocalClaimsProvider in the AD FS Properties for the AD FS farm. This solves part of the problem, namely the detection of internal clients. It does not, however, solve the problem of detecting a partner organization based on its IP address.

The second part of the new HRD improvements (the OrganizationalAccountSuffix which can be set on the AdfsClaimsProviderTrust) isn't of much use in this scenario, because not all partner organizations use, or will ever use, an e-mail address or UPN to log in to the application.

I also thought of doing some custom coding in a new Authentication Provider based on the Microsoft.IdentityServer.Web namespace. But I don't know whether this will work or how to create it, because the namespace is poorly documented for use with AD FS 3.0.

I have found some blog posts on the net where a similar scenario is described, but they solved it in SharePoint by creating a redirect. Since we are not only using SharePoint, and we preferably want to have the HRD logic on AD FS and not on the application side, this doesn't help very much.

Does anyone have any ideas on how we can tackle this issue?

The solution needs to be easy to customize in case new applications need to be added in the future.

PS. I was thinking of doing something with a custom authentication provider, but I don't know its boundaries or whether it is even possible.

Thanks

Cor


Solution Architect UC, IAM and Cloud Solutions | MCT, MCSE, MCITP | Blog: http://www.reinhard-online.nl | Follow me on twitter: correinhard | Please, feel free to nominate me for MVP @ https://mvp.support.microsoft.com/gp/mvpnominate
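For readers who have not seen the AD FS 2.0 approach the post refers to, here is an added example (not the poster's code, and not an AD FS 2012 R2 solution) of an IP-range based HomeRealmDiscovery.aspx.cs of the kind described above. It replaces the default page in C:\inetpub\adfs\ls; the base class and control names are those of the default AD FS 2.0 page, and it assumes the entries of ClaimsProviders expose the Identifier property that the default page binds as DataValueField. The CIDR ranges and claims provider identifiers are hypothetical placeholders, and only IPv4 is handled.

```csharp
// Added example (not the poster's code): IP-range based home realm discovery for
// AD FS 2.0, a drop-in replacement for C:\inetpub\adfs\ls\HomeRealmDiscovery.aspx.cs.
// Base class and control names follow the default AD FS 2.0 page. The CIDR ranges
// and claims provider identifiers below are hypothetical; IPv4 only.
using System;
using System.Net;
using System.Net.Sockets;
using Microsoft.IdentityServer.Web.UI;

public partial class HomeRealmDiscovery : HomeRealmDiscoveryPage
{
    // One entry per source network. The identifier must equal the Identifier of a
    // claims provider trust configured in AD FS, otherwise it is ignored below.
    private static readonly IpRealm[] RealmMap = new IpRealm[]
    {
        new IpRealm("10.0.0.0/8",      "AD AUTHORITY"),                     // internal clients (hypothetical range)
        new IpRealm("198.51.100.0/24", "urn:federation:partner-a"),         // partner A egress range (hypothetical)
        new IpRealm("203.0.113.64/27", "https://sts.partner-b.example/"),   // partner B egress range (hypothetical)
    };

    protected void Page_Init(object sender, EventArgs e)
    {
        // Request.UserHostAddress is the TCP peer. Behind a reverse proxy it is the
        // proxy's address; X-Forwarded-For is only usable if that proxy is trusted to
        // overwrite it, because any client can send the header and "become" a partner.
        IPAddress client;
        if (IPAddress.TryParse(Request.UserHostAddress, out client))
        {
            foreach (IpRealm realm in RealmMap)
            {
                if (realm.Contains(client) && IsConfiguredClaimsProvider(realm.Identifier))
                {
                    // Redirects to the chosen claims provider; the user never sees the list.
                    SelectHomeRealm(realm.Identifier);
                    return;
                }
            }
        }

        // No match (or an unknown identifier in the map): show the standard selection list.
        PassiveIdentityProvidersDropDownList.DataSource = ClaimsProviders;
        PassiveIdentityProvidersDropDownList.DataTextField = "Name";
        PassiveIdentityProvidersDropDownList.DataValueField = "Identifier";
        PassiveIdentityProvidersDropDownList.DataBind();
    }

    protected void PassiveSignInButton_Click(object sender, EventArgs e)
    {
        SelectHomeRealm(PassiveIdentityProvidersDropDownList.SelectedItem.Value);
    }

    // Only honour identifiers AD FS actually offers for this request, so a stale
    // entry in RealmMap degrades to the selection page instead of an error.
    private bool IsConfiguredClaimsProvider(string identifier)
    {
        foreach (var cp in ClaimsProviders)
        {
            if (string.Equals(cp.Identifier, identifier, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Minimal IPv4 CIDR matcher; non-IPv4 addresses never match.
    private sealed class IpRealm
    {
        private readonly uint _network;
        private readonly uint _mask;
        public readonly string Identifier;

        public IpRealm(string cidr, string identifier)
        {
            string[] parts = cidr.Split('/');
            int prefix = int.Parse(parts[1]);
            if (prefix < 0 || prefix > 32) throw new ArgumentException("bad prefix: " + cidr);
            _mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
            _network = ToUInt32(IPAddress.Parse(parts[0])) & _mask;
            Identifier = identifier;
        }

        public bool Contains(IPAddress address)
        {
            return address.AddressFamily == AddressFamily.InterNetwork
                && (ToUInt32(address) & _mask) == _network;
        }

        private static uint ToUInt32(IPAddress address)
        {
            byte[] b = address.GetAddressBytes();
            return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
        }
    }
}
```

The point of the example is the part that does not carry over: AD FS on Windows Server 2012 R2 no longer hosts its sign-in pages in IIS, so there is no HomeRealmDiscovery.aspx.cs to override, and the only HRD knobs left are the ones named in the post (IntranetUseLocalClaimsProvider and OrganizationalAccountSuffix), neither of which keys on a partner's source address. Whatever replaces this logic, the same caveat applies: decide on the address the federation server actually sees, and never on a client-supplied X-Forwarded-For header, or a caller can pick its own realm.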



