ADFS Sign-In Page Customization

If you use ADFS as your primary IdP, you may have noticed that before your users sign in, they have the option to pick the Relying Party they want to sign into under the "Sign in to one of the following sites" radio button. If ADFS is accessible from the internet (which it most likely is if you are using Office 365), this is a giant security concern, as it gives an attacker a view into all the external applications your employees use. With the prevalence of credential phishing and social engineering, you want to limit the information an attacker has about the resources your company uses.

Microsoft doesn't have an easy button to change this behavior, but you are able to customize the sign-in page by editing the "onboard.js" file. This TechNet article explains how to export your onboard.js file: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

Once exported, I copied the file to my workstation and used Notepad++ to edit the file and add this block of code to the bottom of the file:

// Do not show idp_OtherRpPanel or idp_ThisRpPanel if signed out
var IsAuthenticated = document.getElementById('IsAuthenticated');
var otherRpPanel = document.getElementById('idp_OtherRpPanel');
var thisRpPanel = document.getElementById('idp_ThisRpPanel');
// Guard against missing elements so the rest of the script keeps running
if (IsAuthenticated && IsAuthenticated.innerHTML == "False") {
    if (otherRpPanel) { otherRpPanel.style.display = 'none'; }
    if (thisRpPanel) { thisRpPanel.style.display = 'none'; }
}

This reads the hidden 'IsAuthenticated' element on the page, and if its value is False, hides the list of Relying Parties under the "Sign in to one of the following sites" radio button.

Copy the new onboard.js file to your ADFS server and make the onboard.js active via PowerShell (step 4 in the TechNet article). Once applied, your changes are live; there is no need to restart the ADFS service.

***Note - This is not foolproof. Although the list of relying parties is hidden, it is still visible in the page's HTML source. I still think this is better than nothing.
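As an added illustration (not code from this post or from Microsoft), here is the same hide logic written as a function that tolerates a missing element, run against a constructed stand-in for the sign-in page DOM. The second function makes the caveat above concrete: the panel contents are still in the markup after the panels are hidden. The element ids are the ones the post uses; the relying-party names and the fake page are made up for the example.

```javascript
// Added example: hide logic that tolerates missing elements, plus a check
// showing that hidden panels still carry their relying-party names.
// makeFakeSignInPage() is a constructed stand-in for the ADFS page DOM.

var RP_PANEL_IDS = ['idp_OtherRpPanel', 'idp_ThisRpPanel'];

// Hide the relying-party panels when the page reports the user is signed out.
// Returns the number of panels hidden so the outcome can be checked.
function hideRelyingPartyPanels(doc) {
  var flag = doc.getElementById('IsAuthenticated');
  // If the marker element is absent, leave the page untouched rather than
  // throwing and breaking the rest of the customization script.
  if (!flag || flag.innerHTML !== 'False') { return 0; }
  var hidden = 0;
  RP_PANEL_IDS.forEach(function (id) {
    var panel = doc.getElementById(id);
    if (panel) { panel.style.display = 'none'; hidden++; }
  });
  return hidden;
}

// Collect relying-party names still present in the markup, ignoring the
// display state. Anything returned here is visible in "view source".
function relyingPartiesInMarkup(doc) {
  var names = [];
  RP_PANEL_IDS.forEach(function (id) {
    var panel = doc.getElementById(id);
    if (panel) { names = names.concat(panel.relyingParties); }
  });
  return names;
}

// Minimal constructed document: only getElementById, with the three elements
// the hide logic touches. The relying-party names are invented sample data.
function makeFakeSignInPage(isAuthenticated) {
  var elements = {
    IsAuthenticated: { innerHTML: isAuthenticated ? 'True' : 'False' },
    idp_OtherRpPanel: { style: { display: '' }, relyingParties: ['Office 365', 'Sample CRM'] },
    idp_ThisRpPanel: { style: { display: '' }, relyingParties: ['Sample expense portal'] }
  };
  return { getElementById: function (id) { return elements[id] || null; } };
}

var page = makeFakeSignInPage(false);
console.log('panels hidden:', hideRelyingPartyPanels(page));     // 2
console.log('still in markup:', relyingPartiesInMarkup(page));   // all 3 names
```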