Branding your Hybrid Identity Solution, Part 4: Active Directory Federation Services

Active Directory Federation Services (AD FS) plays a huge part in your Hybrid Identity implementation. Colleagues using their domain credentials on domain-joined devices located on-premises gain, through Kerberos, Single Sign-On (SSO) access to the web apps your organization uses. For roaming colleagues, AD FS offers Single Sign-On on a per-browser-session basis, using their domain credentials.

Note:
Single Sign-On access for colleagues using devices from the Internet can be extended beyond the browser session using VPNs, DirectAccess, AD FS Device Registration and/or Azure AD Join.

Most colleagues using stationary Windows devices located on-premises will probably never see the Active Directory Federation Services (AD FS) login pages. For the other scenarios it is a recommended practice to apply branding to the AD FS login pages using the built-in options.

Using the built-in options, you can:

  • Change the company name
  • Change the company logo
  • Change the illustration on the left side of the login pages
  • Replace the sign-in description underneath the Sign in button
  • Add a Home link to the footer
  • Add a Privacy link to the footer
  • Add a Help link to the footer
  • Define a custom error message to replace the default error message

All these customizations can be performed using the Set-AdfsWebTheme and Set-AdfsGlobalWebContent PowerShell cmdlets.

Note:
While we used the Azure Portal in this series to brand the Azure Active Directory Logon Pages, AD FS does not offer a method to change these settings through the GUI. No problem, because PowerShell allows for code review.


Setting up branding

Before you can apply branding, we’ll need to set some things up.

Since the graphical resources used to brand Active Directory Federation Services (AD FS) have to be on the disk of an AD FS server, you’ll need to create a folder with these resources.

By default, I create a D:\ADFSResources\ folder.

Note:
In an environment with multiple Active Directory Federation Services (AD FS) servers acting as Security Token Servers (STSs), the graphical resources only need to be available on the one server where you run the cmdlets: AD FS stores the resources in its configuration database, from where the other servers in the farm pick them up.


Applying default branding

To apply the default branding, follow these steps:

Change the company name

While the company name is configured when the Active Directory Federation Services (AD FS) implementation was first conceived, it might not suit your needs today. To change it, use the following Windows PowerShell one-liner:

Set-AdfsGlobalWebContent -CompanyName "Berkouwer"

Replace the text between the quotes with your own company name. When you change the company logo (see below), the company name becomes the tooltip for the logo illustration.

Change the Company logo

To change the company logo, or add a company logo to replace the company name, place the graphical resource in the folder you created and run the following Windows PowerShell one-liner:

Set-AdfsWebTheme -TargetName default -Logo @{path="D:\ADFSResources\CompanyLogo.png"}

Replace the text between the quotes with the location and name of your picture.

Change the illustration

To change the illustration on the left side of the Active Directory Federation Services (AD FS) Sign-in page, place the graphical resource in the folder you created and run the following Windows PowerShell one-liner:

Set-AdfsWebTheme -TargetName default -Illustration @{path="D:\ADFSResources\Illustration.png"}


Replace the text between the quotes with the location and name of your picture.

Add a disclaimer

The sign-in page description is a convenient place to add a disclaimer (a logon banner) to interactive logons through the Active Directory Federation Services (AD FS) pages. Set it with the following Windows PowerShell one-liner:

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Your Disclaimer text here.</p>"

Note:
While the sign-in page text for the Azure Active Directory logon pages does not support HTML tags, the text for the Active Directory Federation Services logon pages does.
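The steps above applied one setting at a time to the built-in default theme. The following script is an added example, not code from the original post: it applies the same company name, logo, illustration and disclaimer in one go, but on a copy of the default theme, so the original stays intact and the change can be rolled back. It also fills the footer links and a generic error message from the list of built-in options. It assumes the AD FS PowerShell module is available on the server where it runs and that the resources are in D:\ADFSResources\ as above; the theme name "CompanyTheme" and the example.com URLs are placeholders.

```powershell
# Added example (not from the original post): apply the default branding from this
# section in one go, on a copy of the built-in theme so the original stays intact.
# Assumptions: the AD FS PowerShell module is loaded on the server where this runs,
# and the resources live in D:\ADFSResources\ as in the post. The theme name
# "CompanyTheme" and the link URLs are placeholders.
#Requires -RunAsAdministrator

$ResourceFolder = 'D:\ADFSResources'
$ThemeName      = 'CompanyTheme'            # placeholder theme name
$Logo           = Join-Path $ResourceFolder 'CompanyLogo.png'
$Illustration   = Join-Path $ResourceFolder 'Illustration.png'

# Fail early if a resource is missing: Set-AdfsWebTheme reads the file from the local disk.
foreach ($file in @($Logo, $Illustration)) {
    if (-not (Test-Path -Path $file -PathType Leaf)) {
        throw "Branding resource not found: $file"
    }
}

# Keep a copy of the current default theme, so the branding can be rolled back.
$BackupFolder = Join-Path $ResourceFolder ('ThemeBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Export-AdfsWebTheme -Name default -DirectoryPath $BackupFolder

# Create a custom theme from the built-in one, unless it already exists.
if (-not (Get-AdfsWebTheme -Name $ThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $ThemeName -SourceName default
}

# Logo and illustration belong to the theme.
Set-AdfsWebTheme -TargetName $ThemeName `
    -Logo         @{ path = $Logo } `
    -Illustration @{ path = $Illustration }

# Company name, disclaimer, footer links and error text are global web content.
# The error message is deliberately generic: the sign-in page is Internet-facing,
# so it should not reveal internal names or which part of authentication failed.
Set-AdfsGlobalWebContent `
    -CompanyName                  "Berkouwer" `
    -SignInPageDescriptionText    "<p>Your Disclaimer text here.</p>" `
    -HomeLink                     "https://www.example.com/"        -HomeLinkText     "Home" `
    -PrivacyLink                  "https://www.example.com/privacy" -PrivacyLinkText  "Privacy" `
    -HelpDeskLink                 "https://www.example.com/help"    -HelpDeskLinkText "Help" `
    -ErrorPageGenericErrorMessage "Sign-in is not possible at the moment. Please contact the service desk."

# Activate the new theme; the built-in default theme is untouched and can be re-activated
# with: Set-AdfsWebConfig -ActiveThemeName default
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# Show what is now active, for the change record.
Get-AdfsWebConfig | Select-Object ActiveThemeName
Get-AdfsGlobalWebContent | Select-Object Locale, CompanyName, SignInPageDescriptionText
```

Working on a copy of the theme is the design choice worth noting: Set-AdfsWebTheme against the default theme overwrites the only reference you have, whereas a named theme can be deactivated with a single Set-AdfsWebConfig call if a logo or illustration turns out to break the page layout.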


Applying per-language branding

For Hybrid Identity implementations that support multiple languages and require language-specific settings, the Active Directory Federation Services (AD FS) logon pages support language-specific customizations.

For instance, the following Windows PowerShell one-liner configures the language-specific disclaimer for people using Dutch browser language settings:

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Jouw Nederlandstalige disclaimer tekst hier.</p>" -Locale "nl"

You can override the default values for any or all of the customizations above for people using specific browser language settings.

The following Windows PowerShell one-liner provides an overview of all customizations per language in the Active Directory Federation Services (AD FS) implementation:

Get-AdfsGlobalWebContent
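As an added example that is not part of the original post, the script below sets the language-specific disclaimer for several browser locales from one table and then reviews what AD FS stores per locale, which is the check you want before an audit of your logon banner. It assumes the AD FS PowerShell module is loaded on a server in the farm; the locale list and the disclaimer texts are placeholders to adapt.

```powershell
# Added example (not from the original post): set a language-specific disclaimer for
# several browser locales at once, then verify what AD FS stores per locale.
# Assumes the AD FS PowerShell module is loaded on a server in the farm; the locale
# list and the disclaimer texts are placeholders to adapt.

$Disclaimers = @{
    'nl' = '<p>Jouw Nederlandstalige disclaimer tekst hier.</p>'
    'de' = '<p>Ihr deutscher Disclaimertext hier.</p>'
    'fr' = '<p>Votre texte d''avertissement en français ici.</p>'
}

foreach ($locale in $Disclaimers.Keys) {
    # -Locale creates (or updates) the per-language entry; the entry without a locale
    # remains the fallback for every browser language that has no specific entry.
    Set-AdfsGlobalWebContent -Locale $locale -SignInPageDescriptionText $Disclaimers[$locale]
}

# Review: one row per locale (the empty Locale is the global default). A locale that
# shows up here but is not in $Disclaimers was configured earlier and deserves a look,
# since it is what people with that browser language actually see.
Get-AdfsGlobalWebContent |
    Select-Object Locale, CompanyName, SignInPageDescriptionText |
    Sort-Object Locale |
    Format-Table -AutoSize

# Drop a per-locale entry you no longer want; that locale then falls back to the default.
# Remove-AdfsGlobalWebContent -Locale 'fr'
```

Keeping the texts in one table at the top of the script makes the per-language banners reviewable in one place, and the Get-AdfsGlobalWebContent listing at the end is the evidence that every locale you intended is set and nothing unexpected is left over.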


Concluding

Customizing the Active Directory Federation Services (AD FS) Logon pages is not hard, but you have to know what you’re doing.

Further reading

Customizing the AD FS Sign-in Pages
AD FS User Sign-in Customization
ADFS 3.0 Logon Page Customization
Customizing ADFS 3.0 Sign-in Page
AD FS Customization in Windows Server 2016
