Directory Programming .NET

How do customize DiscoverClientRealm.aspx so that it only show the realms you wanted and not all of the realms? I wanted to hide some realms that would be accessible directly via the ?whm=realname option from web.config

If you look at the code for discoverclientrealm.aspx, you'll see that the context object for the page has a member that returns a DataTable containing name/value pairs of the display names and realm URIs of each realm in the system.

If you want to show something different or provide a different UI of some sort, you just need to bind a different list to the UI control (the dropdown) that is used to display the information. If you want, you can store alternate configuration information anywhere you want and read it in at runtime to modify the results.

You'll have to invent a schema to show the "correct" list of realms for each application in your system, but you should be able to figure out which app is which by looking at the wreply query string parameter to get the URL of the target.

I hope that helps.

I'd like it a lot if they had this built in. It isn't in v2 either but would be a nice feature. Lots of people want an HRD list that is trimmed by the target relying party/application.

Just as an extra bonus I will explain what I did for a solution to this.

From our system I append an extra query string value that is sent over (always as the very last query string value) to ADFS. Because ADFS will maintain the query strings. In the DiscoveryClientRealm.aspx page I have detect the query string and get the value out (it is a GUID) then it uses the GUID in a simple if statement to automatically detect the client realm. Each client in our web app has a GUID in the database that is used for this and I have to add some code into the DiscoverClientRealm.aspx to specify every time I add a new one, but this prevents the need for the page to show up at all because it will auto detect where they should go. See code in bold below is what I added, just need to make sure the GUID is at the very end of the URL (last query string object).

private void Page_Load(object sender, System.EventArgs e)
{
   
    LSAuthenticationObject LogonServer = LSAuthenticationObject.Current;
    if(null==LogonServer)
    {
        throw new ApplicationException("This page should not be accessed directly.");
    }
    else if (LogonServer.FormContext.CurrentAction != LSFormAction.DiscoverClientRealm)
    {
        StringBuilder sb = new StringBuilder();
        sb.Append("This page has not been called with the correct action.");
        sb.Append(Environment.NewLine);
        sb.Append("Expected Action: DiscoverClientRealm");
        sb.Append(Environment.NewLine);
        sb.Append("Actual Action: ");
        sb.Append(LogonServer.FormContext.CurrentAction.ToString());

        throw new ApplicationException(sb.ToString());
    }
    //Response.Redirect(Request.QueryString["wctx"]);
    if (!IsPostBack)
    {
     
        string returnURL=Request.QueryString["wctx"];
    if(returnURL.EndsWith("xxxxxxx-actual-guid-removed-for-this-demo"))
    {
        LSAuthenticationObject.Current.RedirectToAccountFederationPartner("urn:federation:SOMECOMPANY");
    }

    if(returnURL.EndsWith("xxxxxxx-actual-guid-removed-for-this-demo"))
    {

        LSAuthenticationObject.Current.RedirectToAccountFederationPartner("urn:federation:ANOTHERCOMPANY");
    }

    diagnostic.Text=Request.QueryString["wctx"];

    LSDiscoveryFormContext dc = (LSDiscoveryFormContext)LogonServer.FormContext;
        RealmList.DataSource = dc.DiscoveryTable;
        RealmList.DataTextField = LSDiscoveryFormContext.DisplayNameColumn;
        RealmList.DataValueField = LSDiscoveryFormContext.UriColumn;
        RealmList.DataBind();
    /*diagnostics.DataSource = dc.DiscoveryTable;
    diagnostics.DataTextField = LSDiscoveryFormContext.UriColumn;
    diagnostics.DataBind();*/
    }
}

This might not work for you given your configuration I am not sure if the client ID is known prior to handing off to ADFS but figured I would share anyways just in case.

Thanks for sharing your solution. I think it makes sense given the way your system works. It definitely won't work for everyone but it seems totally valid for what you have.