Hide Claims Provider Trusts in ADFS 4.0

favvojohan posted this 4 weeks ago

Hi, We use two different national federated IdPs to establish new students in our local AD (short story: if they can log on there and the IdPs give us the correct eduPersonAssuranceLevel back, we trust them and they can provide a password for the local AD account). It’s time for us to renew the process and we want to use our ADFS 4.0 as SP. We can add these IdPs as Claims Provider Trusts, and that will probably work, but then they show up for all our other RPs (2000+) and that’s not good. Does anyone know a way to hide them for all RPs? Our plan is to use direct links with ‘RedirectToIdentityProvider’ pointing to one of these IdPs so we don’t need/want them to show up on the sign-in page on the ADFS. Thx! Best regards
Johan Peterson
IT-Architect

Linköping University
IT Department
s-581 83 Linköping
Phone: +46 (0)13-28 57 30
Mobile: +46 (0)703 222 405
Visiting address: Galaxen Building
Please visit us at www.liu.se

kool posted this 4 weeks ago

Hi Johan,

I don’t believe this can be done across-the-board for all RPs. You have to use PowerShell per-RP. A typical command would look like:

Set-AdfsRelyingPartyTrust -TargetIdentifier "urn:federation:MicrosoftOnline" -ClaimsProviderName @("UW NetID Sign-in")

Being PowerShell, you could of course enumerate all of your RPs and pipe the Identifier into the above command.

Cheers,

> Eric

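Eric's suggestion of enumerating every RP and feeding it to Set-AdfsRelyingPartyTrust, written out as an added PowerShell example that is not part of the thread; the two IdP display names and the $DryRun switch are placeholders I assumed, not values from the posts.

```powershell
# Added example (not from the thread): hide two newly added Claims Provider
# Trusts from every existing Relying Party Trust on an ADFS 2016 (4.0) farm.
# The two IdP display names and $DryRun are assumptions/placeholders.
$hiddenCpts = @('National IdP A', 'National IdP B')
$DryRun     = $true

# Every CPT except the two to hide; this keeps the built-in
# "Active Directory" provider that the 2000+ RPs depend on.
$visibleCpts = Get-AdfsClaimsProviderTrust |
    Select-Object -ExpandProperty Name |
    Where-Object { $hiddenCpts -notcontains $_ }

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    # An empty ClaimsProviderName means "every CPT is offered", which is what
    # makes the new IdPs appear. An RP that already carries an explicit list
    # is left untouched so an existing, tighter restriction is not widened.
    if ($rp.ClaimsProviderName -and $rp.ClaimsProviderName.Count -gt 0) {
        Write-Host "Skipping $($rp.Name): already limited to $($rp.ClaimsProviderName -join ', ')"
        continue
    }
    Write-Host "Restricting $($rp.Name) to: $($visibleCpts -join ', ')"
    if (-not $DryRun) {
        Set-AdfsRelyingPartyTrust -TargetName $rp.Name `
                                  -ClaimsProviderName $visibleCpts
    }
}
```

Run it once with $DryRun = $true and review the output before changing anything, since the loop rewrites the provider list of every unrestricted RP. The RP used for the student onboarding flow must then be set explicitly to a list that includes the two national IdPs, because this pass removes them from every RP that had no restriction.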

favvojohan posted this 3 weeks ago

Hi Eric, Thx for answering. :) I was hoping for a way to make a Claims Provider Trust the default provider and therefore hide the other CPTs, but this is a way forward too. Best regards
Johan Peterson
IT-Architect

From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Eric C Kool-Brown
Sent: 1 July 2017 01:15
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Hide Claims Provider Trusts in ADFS 4.0
[quoted text of Eric's reply above]

From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Johan Peterson
Sent: Friday, June 30, 2017 7:14 AM
To: 'activedir@xxxxxxxxxxxxxxxx' <activedir@xxxxxxxxxxxxxxxx>
Subject: [ActiveDir] Hide Claims Provider Trusts in ADFS 4.0
[quoted text of Johan's original post above]