Federating IdentityServer with Windows Azure Active Directory

Vittorio describes here in great detail how to provision a WAAD tenant as an identity provider in an ACS namespace. Since we are all using the same technology under the bonnet, this should also work with IdentityServer – and it does.

Make sure to read Vittorio’s post first – the differences are as follows:

1 The provisioning script

The reply URL points to the HRD endpoint:

$replyUrl = New-MsolServicePrincipalAddresses -Address "https://server/issue/hrd"

...and the service principal uses the configured IdSrv issuer URI:

New-MsolServicePrincipal -ServicePrincipalNames @("http://identityserver.v2.thinktecture.com/trust/changethis") -DisplayName "IdSrv" -Addresses $replyUrl

2 IdentityServer configuration

On the IdSrv side, you need to add a new identity provider – I got the values for WS-Federation Endpoint and Issuer Thumbprint from the WAAD federation metadata document (see Vittorio’s post), e.g.

https://accounts.accesscontrol.windows.net/tenant_id/v2/wsfederation

and

3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0
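As an added example (not part of the original post and not IdentityServer code), the PowerShell script below reads both values straight out of the WAAD federation metadata document instead of copying the thumbprint off the certificate by hand. Assumptions: $MetadataSource is the URL or a saved copy of your tenant's FederationMetadata.xml, and the document follows the standard WS-Federation metadata layout (SAML metadata RoleDescriptor with a PassiveRequestorEndpoint and signing KeyDescriptor).

```powershell
# Added example, not from the original post. Extracts the WS-Federation passive
# endpoint and the SHA1 thumbprint of the token-signing certificate(s) from a
# WAAD/ACS federation metadata document, i.e. the two values IdSrv asks for.
param(
    [Parameter(Mandatory = $true)]
    [string]$MetadataSource   # assumption: URL or local path of FederationMetadata.xml
)

# Only fetch over HTTPS so the thumbprint you pin is the one the tenant really serves.
if ($MetadataSource -match '^https://') {
    $xmlText = (New-Object System.Net.WebClient).DownloadString($MetadataSource)
} else {
    $xmlText = [System.IO.File]::ReadAllText($MetadataSource)
}

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($xmlText)

# WS-Federation metadata mixes several namespaces; register the ones we query.
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
$ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
$ns.AddNamespace('xsi', 'http://www.w3.org/2001/XMLSchema-instance')

# The issuer name IdSrv will see in incoming tokens.
$issuer = $doc.DocumentElement.GetAttribute('entityID')

# The STS role descriptor carries the browser (passive) endpoint and the signing keys.
$sts = $doc.SelectSingleNode("//md:RoleDescriptor[contains(@xsi:type,'SecurityTokenServiceType')]", $ns)
$endpoint = $sts.SelectSingleNode('fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns).InnerText

# Each signing KeyDescriptor holds the DER certificate base64-encoded; the certificate
# thumbprint (SHA1 over the DER bytes) is the "Issuer Thumbprint" IdSrv wants.
# More than one key may be published during a rollover, so list them all.
$certNodes = $sts.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$thumbprints = foreach ($node in $certNodes) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($node.InnerText.Trim()))
    $cert.Thumbprint   # uppercase hex, no separators, as IdSrv expects
}

"Issuer (entityID):      $issuer"
"WS-Federation Endpoint: $endpoint"
"Issuer Thumbprint(s):"
$thumbprints | ForEach-Object { "  $_" }
```

If the script lists two thumbprints, configure both in IdSrv so tokens keep validating when WAAD rolls its signing key.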


Have fun ;)

This entry was posted in Azure, IdentityServer.

9 Responses to Federating IdentityServer with Windows Azure Active Directory

  1. Pingback: Windows Azure Community News Roundup (Edition #56) - Windows Azure Blog

  2. Geoff says:

    I can’t seem to find the issuer thumbprint in the fed metadata. Any ideas?

    • I think they are using the same cert for all tenants. So it should be the same as in my blog post. Otherwise re-create the cert from metadata and have a look there.

  3. Hi there, where is the ability to add an identity provider in version 2 of the STS?

  4. You need to enable “federation” in the WS-Federation protocol settings.

  5. I see the following only

    • General Configuration
    • Key Configuration
    • Protocols
    • Diagnostics
    • Application Recycle
    • Relying Parties & Resources
    • OAuth Clients
    • Roles
    • Users
    • Identity Delegation
