ADFS Onload.js - ADFS Automation of Identity Provider Selection based on Device Type

Microsoft's Active Directory Federation Services (ADFS) is a widely deployed solution in organisations that run Microsoft's Active Directory. It ships as an add-on role for existing Windows Server deployments and is considerably more flexible to customise than newer platforms such as Azure Active Directory.

Whilst this information may be considered obsolete as many of these organisations move from on-premise to cloud-based identity providers (e.g. Azure AD or Okta), the use of additional claims providers allows administrators to specify the authentication method on a per-application, per-domain or even per-device-type basis.

After working with the VMware Identity Manager product, ADFS was still the primary IdP for many. This post walks through how to forward certain device types to an additional, non-ADFS claims provider, which is possible thanks to changes introduced in ADFS version 3.0 onwards.

ADFS 3.0 introduced the ability for administrators to customise the JavaScript that runs for all devices and users when they reach the Home Realm Discovery (HRD) screen. This is really useful, since the standard ADFS settings offer no fine-tuning for contextual selection of a claims provider.

Below are some example JavaScript snippets that an administrator can put into their 'onload.js' script to automate selection of the Identity Provider based on device OS / device type.

Before you start with the snippets below, read Microsoft's detailed article 'Advanced Customization of AD FS Sign In Pages', which documents onload.js and the HRD object used here.

Automatically select Active Directory for Desktop Devices but still display Claims Provider selection for Mobile Devices:

// Automatically select Active Directory for Desktop Devices.
// navigator.userAgent is the browser's user agent string; 'AD AUTHORITY' is the
// identifier AD FS uses for the local Active Directory claims provider.
// Note: Android user agents also contain "Linux", so this rule on its own will
// send Android devices to Active Directory as well.
if (navigator.userAgent.match(/Windows NT|Macintosh|Linux/i) != null) {
    HRD.selection('AD AUTHORITY');
}

Automatically select Additional Claims Provider for Mobile Devices but still display Claims Provider selection for Desktop Devices:

// Automatically select Additional Claims Provider for Mobile Devices.
// Replace the URL with the identifier of your own claims provider as configured in AD FS.
if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null) {
    HRD.selection('https://claimsprovider.com/replacethisurl.xml');
}

Automatically select 3rd Party Claims Provider for Mobile Devices and Active Directory for Desktop Devices:

// Automatically select Additional Claims Provider for Mobile Devices and Active Directory for Desktop Devices.
// The mobile check runs first so that Android devices (whose user agent also contains "Linux")
// are routed to the additional claims provider rather than to Active Directory.
if (navigator.userAgent.match(/iPad|iPhone|Android|Windows Phone/i) != null) {
    HRD.selection('https://claimsprovider.com/replacethisurl.xml');
} else {
    HRD.selection('AD AUTHORITY');
}
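The three snippets above share one decision: classify the user agent, then pre-select a claims provider. The following is an added example, not code from the original post or from Microsoft, that separates the classification from the call to HRD.selection so the routing logic can be unit tested outside a browser. It assumes the placeholder provider URL from the snippets above (MOBILE_PROVIDER, to be replaced with your own claims provider identifier), that 'AD AUTHORITY' is the identifier AD FS uses for the local Active Directory provider, and that onload.js is loaded on every AD FS page rather than only the HRD page, so the HRD object must be checked before use. Mobile patterns are tested before desktop patterns because Android user agents also contain "Linux". The user agent is chosen by the client, so this only selects a convenient default; it must not be relied on as an access control, and each claims provider still enforces its own authentication policy.

```javascript
// Added example (not from the original post): device-class routing for the
// AD FS Home Realm Discovery (HRD) page, with the decision logic kept separate
// from the browser globals so it can be tested without a browser.
//
// 'AD AUTHORITY'  - identifier AD FS uses for the local Active Directory provider
// MOBILE_PROVIDER - assumed placeholder; replace with your claims provider's identifier
var MOBILE_PROVIDER = 'https://claimsprovider.com/replacethisurl.xml';

// Mobile patterns are checked first on purpose: Android user agents also
// contain "Linux", so a desktop-first check would route Android devices to AD.
var MOBILE_PATTERN = /iPad|iPhone|Android|Windows Phone/i;
var DESKTOP_PATTERN = /Windows NT|Macintosh|Linux/i;

// Classify a user agent string as 'mobile', 'desktop' or 'unknown'.
function classifyDevice(userAgent) {
  if (typeof userAgent !== 'string') { return 'unknown'; }
  if (MOBILE_PATTERN.test(userAgent)) { return 'mobile'; }
  if (DESKTOP_PATTERN.test(userAgent)) { return 'desktop'; }
  return 'unknown';
}

// Map the device class to the claims provider to pre-select. null means
// "make no selection", so the normal HRD picker stays visible to the user.
function chooseClaimsProvider(userAgent) {
  switch (classifyDevice(userAgent)) {
    case 'mobile':  return MOBILE_PROVIDER;
    case 'desktop': return 'AD AUTHORITY';
    default:        return null;
  }
}

// Apply the choice. onload.js runs on every AD FS page, not only the HRD page,
// so the HRD object may be absent; guard before calling it. Returns true when
// a provider was selected, false when the picker was left to the user.
function applyHrdSelection(hrd, userAgent) {
  if (hrd === undefined || hrd === null || typeof hrd.selection !== 'function') {
    return false; // not on the HRD page (or HRD not loaded): nothing to do
  }
  var provider = chooseClaimsProvider(userAgent);
  if (provider === null) { return false; } // unknown device: show the picker
  hrd.selection(provider);
  return true;
}

// Constructed sample user agents (not captured from real traffic) for a
// stand-alone run with a fake HRD object; returns which provider each got.
var SAMPLE_AGENTS = {
  android: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/118.0 Mobile Safari/537.36',
  ipad:    'Mozilla/5.0 (iPad; CPU OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1',
  windows: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0 Safari/537.36',
  curl:    'curl/8.4.0'
};

function routeSamples() {
  var results = {};
  Object.keys(SAMPLE_AGENTS).forEach(function (name) {
    var fakeHrd = { chosen: null, selection: function (id) { this.chosen = id; } };
    applyHrdSelection(fakeHrd, SAMPLE_AGENTS[name]);
    results[name] = fakeHrd.chosen; // null when the picker was left visible
  });
  return results;
}

// Browser entry point: inside onload.js, HRD and navigator are page globals.
// typeof on an undeclared identifier is safe, so this also runs outside a browser.
if (typeof navigator !== 'undefined') {
  applyHrdSelection(typeof HRD !== 'undefined' ? HRD : undefined, navigator.userAgent);
}
```

The code deliberately uses var and plain functions rather than newer syntax, because onload.js is served to every browser that reaches the sign-in page, including older ones. Keeping the decision in chooseClaimsProvider also makes it easy to add a third class (for example a known managed-browser user agent) without touching the HRD call.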

Hope this code comes in handy for any VMware Identity Manager or ADFS administrators out there!

Updates to this code can be found on my GitHub.