Customizing ADFS 3.0 Sign-in Page


Introduction

In ADFS 3.0 (i.e., ADFS in Windows Server 2012 R2), customization of the sign-in page is quite different from earlier versions of ADFS. This post gives an overview of sign-in page customization in ADFS 3.0.

Customization Options

ADFS 3.0 has no dependency on IIS, so IIS is not present on an ADFS 3.0 server. As a result, there are no .aspx or .master pages on the file system that you can edit directly to apply the customizations you need.

In ADFS 3.0, all customization is done with PowerShell commands, and the customizations are stored in the ADFS configuration database instead of the file system. The advantage is that there is no need to update files on the individual ADFS instances in a farm. Execute the PowerShell commands once and all the ADFS instances in the farm reflect the customizations.

Figure: General Sign-in page ADFS 3.0

There are two options for customizing the sign-in page.

Customizing Logo, Footer Links, Sign-in description using PowerShell commands

  • PowerShell commands for customizing individual parts of the sign-in page are documented in the Microsoft TechNet article at https://technet.microsoft.com/en-in/library/dn280950.aspx
  • Though these PowerShell commands give you a quick way to customize logos and descriptions, sometimes you might need to customize the entire theme of the sign-in page by applying new styles.
  • I had a similar requirement to completely change the look of the sign-in page. As this option does not give much control, I used the second option: Custom Web Themes.

Custom Web Themes

This option gives you much more control, since you now control the CSS and JavaScript files used in the sign-in page. The final sign-in page after applying the custom web theme looks as below.

Figure: ADFS 3.0 Sign-in page after applying custom web theme

A custom web theme allows us to customize the CSS style sheet, logos, and JavaScript file that are used to construct the sign-in page. Below is the procedure to build a custom web theme.

  1. Export the files used in the default web theme of ADFS. The default web theme ships out of the box with ADFS.

         Export-AdfsWebTheme -Name default -DirectoryPath c:\custom-theme

  2. Create a new theme and name it as you like (e.g., custom-theme).

         New-AdfsWebTheme -Name "custom-theme" -SourceName default

  3. Now edit the files exported in step 1. You can edit style.css and onload.js, and add images. The theme folder structure is as below:

         ThemeRoot
             |-css
                 |-style.css
                 |-style.rtl.css
             |-images
                 |-logo.png
             |-script
                 |-onload.js

  4. After modifying the logo, apply it to the custom theme using the PowerShell command below.

         Set-AdfsWebTheme -TargetName "custom-theme" -Logo @{Locale="";path="C:\custom-theme\images\logo.png"}

  5. After modifying the style sheets (style.css and style.rtl.css), apply them to the new theme.

         Set-AdfsWebTheme -TargetName "custom-theme" -StyleSheet @{Locale="";path="C:\custom-theme\css\style.css"} -RTLStyleSheetPath "C:\custom-theme\css\style.rtl.css"

  6. After modifying the JavaScript file (onload.js), apply it to the new theme.

         Set-AdfsWebTheme -TargetName "custom-theme" -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\custom-theme\script\onload.js"}

  7. Finally, activate the new custom theme in ADFS to start seeing the changes.

         Set-AdfsWebConfig -ActiveThemeName "custom-theme"

  8. If you are not satisfied with the changes you have made, update the files again and apply them to the custom theme as described in the steps above.
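
Because the theme is stored in the ADFS configuration database rather than on disk, the only way to see what the farm is actually serving is to export it again. The following added example (not part of the original post) exports the active theme to a scratch folder and compares SHA-256 hashes with the edited source folder, calling out script files in particular because onload.js runs on the page where credentials are entered. The audit folder location is an assumption, and the comparison assumes the export mirrors the source folder layout and reproduces applied files byte for byte.

```powershell
# Added example, not from the original post.
# Assumptions: C:\custom-theme is the edited source folder from the steps above;
# the audit folder under %TEMP% is a location chosen for this example.
$SourceDir = 'C:\custom-theme'
$AuditDir  = Join-Path $env:TEMP ('adfs-theme-audit-' + (Get-Date -Format 'yyyyMMddHHmmss'))

# Ask ADFS which theme is active, then export it to a fresh, empty folder.
$active = (Get-AdfsWebConfig).ActiveThemeName
New-Item -ItemType Directory -Path $AuditDir | Out-Null
Export-AdfsWebTheme -Name $active -DirectoryPath $AuditDir

# Map each file's path (relative to the theme root) to its SHA-256 hash.
function Get-ThemeHashTable {
    param([Parameter(Mandatory = $true)][string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $table = @{}
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1).ToLowerInvariant()
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$reviewed = Get-ThemeHashTable -Root $SourceDir
$deployed = Get-ThemeHashTable -Root $AuditDir

# Classify every file seen on either side.
$report = foreach ($rel in (@($reviewed.Keys) + @($deployed.Keys) | Sort-Object -Unique)) {
    if (-not $deployed.ContainsKey($rel))        { $status = 'OnlyInSource' }
    elseif (-not $reviewed.ContainsKey($rel))    { $status = 'OnlyInDeployed' }
    elseif ($reviewed[$rel] -ne $deployed[$rel]) { $status = 'Different' }
    else                                         { $status = 'Match' }
    [pscustomobject]@{ Theme = $active; File = $rel; Status = $status }
}

# onload.js executes on the sign-in page, so call out any script file that
# does not match the reviewed copy before printing the full report.
$report | Where-Object { $_.File -like 'script\*' -and $_.Status -ne 'Match' } |
    ForEach-Object { Write-Warning ("{0}: {1}" -f $_.File, $_.Status) }
$report | Sort-Object Status, File | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on an ADFS server. A Different status on a file you edited usually means the matching Set-AdfsWebTheme step was not run for it; on a file nobody edited, it is worth diffing the two copies by hand.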

  

Comments (21)
  1. MC says:

    Is there a way to have multiple custom login pages? We have different external applications and each needs to have different branding

    1. ivan says:

      I know this post is super late, but figured I would post it anyway. Not sure if you are asking whether each RP can have its web theme. If yes, then this is possible in Windows Server 2016. https://technet.microsoft.com/itpro/powershell/windows/adfs/set-adfsrelyingpartywebtheme

  2. Paul says:

    I have the same question as MC. Is this possible?

  3. @ MC, Paul – No, we can't have multiple custom login pages with Active Directory being the claims provider. The alternative is to use a custom claims provider with its own login page.

  4. Imran says:

    How did you change someone@example.com to domainusername?

  5. Sampath Kumar Kamati says:

    I have changed someone@example.com to domainusername by using the JavaScript code in the onLoad.js file. Below is the code:

    // Code to change "someone@example.com" placeholder in userName input text box.
    var userNameInputTextBox = document.getElementById('userNameInput');
    if (userNameInputTextBox) {
       var placeholderText = 'Domain\\Username';
       if (userNameInputTextBox.placeholder)
           userNameInputTextBox.placeholder = placeholderText;

    1. Joseph says:

      This code is not compatible with the one published by Microsoft here (under example 2):

      https://technet.microsoft.com/en-us/library/dn636121.aspx

      Do you know if there is a way to get the overall look and feel you got, while at the same time have example 2 working?

      1. Justin Grote says:

        Joseph,

        The problem with the code above is it is missing a trailing }. If you add that at the end it works fine.

        Recommend you use Chrome after implementing the onload.js and hitting F12. It will tell you all the Javascript errors that may be occurring and where, and is invaluable when implementing these kinds of customizations.

  6. Manju says:

    Is this customization (Custom Web Themes ) available for cloud also?

  7. Mr. Typo Finder says:

    Typo on step #4 cmd.

  8. payam says:

    I want to change the copyright text at the bottom of the page. Please help me to change that text.

  9. Ken Watts says:

    Can you provide the sources (css/js/png) that you used in this example? That would be helpful in determining how you re-positioned the logo and text boxes. Thanks!

  10. Mike Smith says:

    I’m trying to use the onload.js modifications:

    // Sample code to change "Sign in with organizational account" string.
    // Check whether the loginMessage element is present on this page.
    var loginMessage = document.getElementById('loginMessage');
    if (loginMessage)
    {
        // loginMessage element is present, modify its properties.
        loginMessage = 'Sign in with your email account';
    }
    // Code to change "someone@example.com" placeholder in userName input text box.
    var userNameInputTextBox = document.getElementById('userNameInput');
    if (userNameInputTextBox) {
        var placeholderText = 'email.address@mydomain.com';
        if (userNameInputTextBox.placeholder)
            userNameInputTextBox.placeholder = placeholderText;

    I update it in the custom theme I made in c:\theme

    PS C:\Windows\system32> Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\theme\script\onload.js"}
    PS C:\Windows\system32> Set-AdfsWebConfig -ActiveThemeName "custom"

    I can see my code in the view source, but the dang elements didn’t change.

    Hoping you may have some insight. I changed it back to “default” theme for now.

    1. Can you check if there are any JavaScript errors in the browser's console window? I suspect the first code block, in which you are trying to alter the loginMessage. You are assigning a string value to the element, which I guess is not allowed.

      The lines below should be used to alter the loginMessage:

      // Code to change "Sign in with organizational account" string.
      // Check whether the loginMessage element is present on this page.
      var loginMessage = document.getElementById('loginMessage');
      if (loginMessage) {
          // loginMessage element is present, modify its properties.
          loginMessage.innerHTML = 'Sign in with your email account';
      }

  11. Radoslaw says:

    Is there any way to check some AD account properties after binding to AD, then perform custom logic on the server side and finally proceed with logon or just deny (depending on properties of the user's AD account)? Previously it was possible to modify the server-side aspx logon page. Now it seems to be impossible.

  12. chidammani says:

    Can someone help with importing Style.css templates from the internet and using them for a custom theme? If so, please share any tutorials/article pages. Thanks

  13. Bonnie Chavez says:

    Do not use the .png; use .jpg instead. I had issues with Office365 and Shibboleth.

  14. Chris says:

    This is very helpful. The problem I have is that I cannot get the page to update the illustration on the sign-in page of my custom theme, nor can I get the copyright date removed. All directions are followed and I can confirm the existing theme is my custom theme. The logo has changed successfully, but the illustration does not. I’ve modified the style.css file to ignore the copyright text, too. I have run the set-webconfig command to complete the process, but the only change I see on the ADFS log-in page is the logo. I may be missing something obvious, but I’m stumped.

  15. Paul says:

    “In ADFS 3.0 there is no dependency on IIS. Hence, there is no IIS available in the ADFS 3.0 Server. Because of this, you do not have any .aspx or .master page in the file system which you can go ahead and edit directly to apply the customizations you need.”

    This is worse as now you have no means to be able to change the HTML structure of the page to truly customize it. Sure you can hide things via CSS, or possibly go as far as injecting new page elements through JavaScript via the onload.js file they allow you to use, but that’s pretty ugly to do when it would be so much easier to just alter some HTML directly.

    Really disappointed that Microsoft has locked down customization so much. This “corporate” look and feel doesn’t fly when you’re wanting to use ADFS in an education environment for students or for any demographic other than corporate users. Not to mention the unfriendliness of the validation and lack of being able to directly reference other javascript libraries to provide a better user experience.

    Seriously, who thought forcing someone to write hacky CSS and hacky javascript to alter the html structure of a page just to get it to the way they want it to look versus simply allowing one alter the html structure directly, was a good idea? As long as one leaves the direct username and password fields the same and the button

    1. Paul says:

      Sorry, forgot to finish my thought… “As long as one leaves the direct username and password fields the same and the button” /form action the same along with any other element they want to be there, it shouldn’t matter how the structure is changed otherwise.

  16. Michael says:

    Is it possible to customize the idpinitiatedsignon page on SAML logout so that it doesn’t show all of the sign-in sites, or just remove that sign-in option altogether for logout?
