Skipping the Home Realm Discovery Page in Azure AD

A typical authentication transaction with Azure AD opens with a generic credential-gathering page. As the user types a username, Azure AD uses the domain portion of that username to work out whether the actual credential gathering should take place elsewhere (for example, if the domain belongs to a federated tenant, credentials are collected on the associated ADFS pages) and, if so, redirects accordingly.

Sometimes your app logic is such that you know in advance whether such transfer should happen. In those situations you have the opportunity to let our libraries (ADAL or the OWIN middlewares for OpenId Connect/WS-Federation) know where to go right from the start.

In OAuth2 and OpenId Connect you do so by passing the target domain in the “domain_hint” parameter.
In ADAL you can pass it via the following:

using Microsoft.IdentityModel.Clients.ActiveDirectory;

// AuthenticationContext for the common endpoint; the last argument is appended
// to the authorization request as extra query parameters.
AuthenticationContext ac = new AuthenticationContext("https://login.microsoftonline.com/common");
AuthenticationResult ar =
    ac.AcquireToken("https://developertenant.onmicrosoft.com/WebUXplusAPI",
                    "71aefb3b-9218-4dea-91f2-8b23ce93f387",
                    new Uri("http://any"), PromptBehavior.Always,
                    UserIdentifier.AnyUser, "domain_hint=mydomain.com");


In the OWIN middleware for OpenId Connect you can do the same in the RedirectToIdentityProvider notification:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // Runs right before the middleware redirects to Azure AD:
            // set DomainHint so the request carries domain_hint=mydomain.com.
            RedirectToIdentityProvider = (context) =>
            {
                context.ProtocolMessage.DomainHint = "mydomain.com";
                return Task.FromResult(0);
            },
        }
    });


Finally, in WS-Fed you do the following:

app.UseWsFederationAuthentication(
   new WsFederationAuthenticationOptions
   {
      Notifications = new WsFederationAuthenticationNotifications
      {
         // In WS-Federation the home realm hint is the "whr" parameter.
         RedirectToIdentityProvider = (context) =>
         {
            context.ProtocolMessage.Whr = "mydomain.com";
            return Task.FromResult(0);
         }
      }
   });
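To make the protocol-level effect of the three snippets visible, here is an added Python example (not code from the post or from ADAL/OWIN) that builds the OpenID Connect request with domain_hint and the WS-Federation request with whr, and then checks the tenant of a returned token. The authority, client id, redirect URI, the /oauth2/authorize and /wsfed endpoint paths, and the claim set are assumptions or constructed values; the tenant check is there because the hint only steers which login page is shown, while the issuer and tid claims in the token are what the app must actually trust.

```python
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (assumed, not from the post).
AUTHORITY = "https://login.microsoftonline.com/contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/signin-oidc"


def oidc_authorize_url(domain_hint: str, state: str, nonce: str) -> str:
    """OpenID Connect authorization request; domain_hint skips home realm discovery."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "domain_hint": domain_hint,
    }
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def wsfed_signin_url(realm: str, whr: str) -> str:
    """WS-Federation sign-in request; the same hint travels as the 'whr' parameter."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": REDIRECT_URI, "whr": whr}
    return f"{AUTHORITY}/wsfed?{urlencode(params)}"


def hint_in_request(url: str) -> Optional[str]:
    """Extract the home realm hint from either protocol's request URL."""
    query = parse_qs(urlparse(url).query)
    return (query.get("domain_hint") or query.get("whr") or [None])[0]


def token_matches_expected_tenant(claims: dict, expected_tid: str) -> bool:
    """The hint is only UX steering; trust the tenant (tid) and issuer in the returned token.

    'claims' is the already-validated payload of an id_token (constructed dict in the test);
    signature and expiry validation are assumed to have happened before this check.
    """
    issuer = claims.get("iss", "")
    return claims.get("tid") == expected_tid and issuer.endswith(f"/{expected_tid}/")
```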

Party on!
