
How do I limit the claim providers listed on the Home Realm Discovery page in ADFS?


I'm using ADFS 3.0 on Windows Server 2012 R2

I'm setting up ADFS for federation across several organizations. I've got a single ADFS instance in my org that has claim providers trusts to other ADFS instances external. The overall experience is good and functional, except that when I'm at the ADFS login page, all claim providers are listed. I need to narrow this down, because we cannot show all of them.

My first thought was to inject a javascript into the onload, and do a quick redirect, however, savvy users will still have access to the full list of providers through networking tools like Fiddler.

I'm not leaning toward adding a relying partner trust to my app for each claim provider, and using some business logic in my app to send the user to an appropriate url that will have a shorter list. This is more of a maintenance headache, though.

Any thoughts on how this should be achieved? In ADFS 2.0, you could manually edit the aspx to take care of this.


Solution

  • You can enable an organizational suffix on each CP trust using the set-adfsclaimsprovidertrust cmdlet and the OrganizationalAccountSuffix parameter. https://technet.microsoft.com/en-us/library/dn479371.aspx has details of the cmdlet. This is available in 2012 R2 AD FS onwards. See https://technet.microsoft.com/en-us/library/dn280950(v=ws.11).aspx too.

    Then when users end up accessing AD FS and HRD is required, they won't see the CP list but will be asked to enter a UPN. Based on the suffix, they are redirected.
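The configuration the answer describes, as an added example that is not part of the original post or of any Microsoft documentation. The claims provider trust names and the UPN suffixes below are made-up placeholders; substitute the display names shown by Get-AdfsClaimsProviderTrust in your own farm. Run it in an elevated PowerShell session on an AD FS 2012 R2 (or later) server.

```powershell
# Map each claims provider trust (by its display name) to the UPN suffix(es)
# whose users should be routed to it. Placeholder values, not real tenants.
$suffixMap = @{
    'Partner A ADFS' = @('partner-a.example')
    'Partner B ADFS' = @('partner-b.example', 'subsidiary.partner-b.example')
}

foreach ($trustName in $suffixMap.Keys) {
    # -OrganizationalAccountSuffix takes a string array; one CP trust can own
    # several suffixes. Setting it on every CP trust is what makes HRD switch
    # from the full provider list to a "enter your email/UPN" prompt.
    Set-AdfsClaimsProviderTrust -TargetName $trustName `
        -OrganizationalAccountSuffix $suffixMap[$trustName]
}

# Verification: read the configuration back and flag any CP trust that still
# has no suffix. A trust left without one is not covered by suffix-based
# routing, so review the list before pointing partners at the login page.
Get-AdfsClaimsProviderTrust |
    Select-Object Name, OrganizationalAccountSuffix |
    ForEach-Object {
        $status = if ($_.OrganizationalAccountSuffix) { 'ok' } else { 'NO SUFFIX' }
        '{0,-12} {1,-30} {2}' -f $status, $_.Name, ($_.OrganizationalAccountSuffix -join ', ')
    }
```

The local "Active Directory" claims provider trust is listed as well; leave its suffix handling as your farm requires and treat only the external partner trusts as the ones that must carry a suffix.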