How to Stop Relying Parties Showing Up on the IdpInitiatedSignOn Page

Welcome back!!

We received a new security finding that the ADFS 3.0 IDP Initiated Signon page displays all the applications integrated with ADFS. In ADFS terminology these applications are called Relying Parties (RPs) or Service Providers.

Why do they show up there?
The Relying Party Trusts shown on the IDPInitiatedSignon page are the ones using the SAML federation protocol. As long as a relying party trust has a SAML Assertion Consumer endpoint, it will appear in the list of RPs available for IdP-initiated logon.

How do we stop them showing on the IDP Initiated Signon page?

In Server 2016 ADFS, the IDP Initiated Signon page can be disabled directly, and it is disabled by default.
ADFS 3.0 on Server 2012 R2, however, has no option to disable the IDP Initiated page. We can still stop it from showing the Relying Parties (RPs), but this requires some changes at the web theme level. Below are the commands and the procedure to get this done.

1. Run the command Get-ADFSWebTheme to see how many themes you have in your infrastructure.

2. Validate which theme is in use as the current theme and export it using the command below.
Export-AdfsWebTheme -Name Current -DirectoryPath c:\Currenttheme

3. Once the current theme is exported, go to the export path and open the script folder, where you will find a file called onload.js.
We are going to make a change at the JavaScript level in this file to stop showing the relying parties.

4. Right-click onload.js and open it in Notepad. Copy the text below and paste it on the

// Hide the relying party panel on the IdpInitiatedSignOn.aspx page
// (the element is only hidden client-side; it is still rendered by the server)
var checkidp_OtherRpPanel = document.getElementById('idp_OtherRpPanel');
if (checkidp_OtherRpPanel) {
    checkidp_OtherRpPanel.style.display = 'none';
}

5. Once the change is saved, run the command below to apply it to the current theme (the path must point at the onload.js inside the folder you exported to in step 2).
Set-AdfsWebTheme -TargetName Current -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js'; Path='c:\Currenttheme\script\onload.js'}

The command above pushes the modified onload.js into the current theme, so the theme now serves the JavaScript we changed.

6. After applying the change, restart the ADFS service using the command below.
Restart-Service -Name adfssrv

This can be done through services.msc as well. After the service has restarted, log in to the ADFS IDP Initiated Signon page to verify the result.
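The whole procedure above as one script, added here as an example and not part of the original post. It assumes the active theme is a custom theme (Set-AdfsWebTheme cannot modify the built-in Default theme), exports to C:\Currenttheme as in step 2, only appends the snippet once so it can be re-run safely, and finally fetches the served onload.js to confirm the change is live.

```powershell
# Added example: script the theme change and verify it. Assumptions: the active
# theme is a custom one, and C:\Currenttheme is a writable export folder.
$ExportPath = 'C:\Currenttheme'
$Marker     = '// hide-RP-list (idp_OtherRpPanel)'   # constructed marker for idempotency

# Steps 1-2: find the active theme (Get-AdfsWebConfig names it) and export it.
$themeName = (Get-AdfsWebConfig).ActiveThemeName
Get-AdfsWebTheme -Name $themeName | Out-Null   # fails fast if the theme does not exist
Export-AdfsWebTheme -Name $themeName -DirectoryPath $ExportPath

# Steps 3-4: append the hiding snippet to onload.js, but only if it is not there yet.
$onload  = Join-Path $ExportPath 'script\onload.js'
$snippet = @"

$Marker
var checkidp_OtherRpPanel = document.getElementById('idp_OtherRpPanel');
if (checkidp_OtherRpPanel) {
    checkidp_OtherRpPanel.style.display = 'none';
}
"@
if (-not (Select-String -Path $onload -SimpleMatch -Pattern $Marker -Quiet)) {
    Add-Content -Path $onload -Value $snippet -Encoding UTF8
}

# Step 5: push the modified file back into the active theme.
Set-AdfsWebTheme -TargetName $themeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    Path = $onload
}

# Step 6: restart ADFS, then confirm the farm actually serves the patched script.
Restart-Service -Name adfssrv
$fqdn   = (Get-AdfsProperties).HostName
$served = Invoke-WebRequest -Uri "https://$fqdn/adfs/portal/script/onload.js" -UseBasicParsing
if ($served.Content -notmatch [regex]::Escape($Marker)) {
    throw "onload.js on $fqdn does not contain the RP-hiding snippet"
}
```

Note that display: none only hides the panel in the browser; the relying party names are still present in the HTML the server sends, so this removes the visible listing rather than the data itself.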

Before the changes:
