Federating IdentityServer with Windows Azure Active Directory

Vittorio describes here in great detail how to provision a WAAD tenant as an identity provider in an ACS namespace. Since we are all using the same technology under the bonnet, this should also work with IdentityServer – and it does.

Make sure to read Vittorio’s post first – the differences are as follows:

1 The provisioning script

The reply URL points to IdentityServer's home realm discovery (HRD) endpoint, since that is where WAAD posts the token back to:

$replyUrl = New-MsolServicePrincipalAddresses -Address "https://server/issue/hrd"

...and the service principal name is the issuer URI configured in IdentityServer. It has to match that setting exactly (so replace changethis with your own value, and make sure there is no trailing whitespace inside the quotes):

New-MsolServicePrincipal -ServicePrincipalNames @("http://identityserver.v2.thinktecture.com/trust/changethis") -DisplayName "IdSrv" -Addresses $replyUrl
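
The two cmdlets above as one complete provisioning script. This is an added example, not the script from the post or from Vittorio's; it uses the MSOnline module cmdlets only. The base URL, the display name and the issuer URI are placeholders, and the existence check before creating the principal is my addition so the script can be re-run without producing a duplicate service principal.

```powershell
# Added example: register IdentityServer v2 as a service principal in a WAAD tenant.
# Placeholders: $IdSrvBaseUrl and $IdSrvIssuerUri must be replaced with the real
# IdentityServer site root and the issuer URI configured in IdentityServer.
param(
    [string]$IdSrvBaseUrl   = "https://server",                                             # assumption
    [string]$IdSrvIssuerUri = "http://identityserver.v2.thinktecture.com/trust/changethis", # must equal the IdSrv issuer URI
    [string]$DisplayName    = "IdSrv"
)

Import-Module MSOnline
Connect-MsolService   # prompts for the WAAD tenant admin credentials

# WAAD only posts tokens to a registered address, so the reply URL has to be
# exactly the HRD endpoint of this IdentityServer instance.
$hrdUrl = "$($IdSrvBaseUrl.TrimEnd('/'))/issue/hrd"

# The SPN is the realm WAAD will issue tokens for; one issuer URI should map to one principal.
$existing = Get-MsolServicePrincipal -ServicePrincipalName $IdSrvIssuerUri -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "A service principal for $IdSrvIssuerUri already exists (ObjectId $($existing.ObjectId)); not creating another one."
    $existing | Format-List DisplayName, AppPrincipalId, ServicePrincipalNames, Addresses
    return
}

$replyUrl = New-MsolServicePrincipalAddresses -Address $hrdUrl
$sp = New-MsolServicePrincipal -ServicePrincipalNames @($IdSrvIssuerUri) `
                               -DisplayName $DisplayName `
                               -Addresses $replyUrl

# Read the principal back so what the tenant actually stored (SPN, reply address) is visible.
Get-MsolServicePrincipal -ObjectId $sp.ObjectId |
    Format-List DisplayName, AppPrincipalId, ServicePrincipalNames, Addresses
```

If the SPN or the reply URL differs from what IdentityServer is configured with (a stray space, http vs. https, a different path), WAAD will either refuse the request or post the token somewhere IdentityServer does not listen, so reading the principal back and comparing it against the IdentityServer configuration is worth the extra line.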

2 IdentityServer configuration

On the IdSrv side, you need to add a new identity provider (the option only shows up once "federation" is enabled in the WS-Federation protocol settings). The values for WS-Federation Endpoint and Issuer Thumbprint come from the WAAD federation metadata document (see Vittorio's post): the endpoint is the passive requestor endpoint advertised for the STS role, and the thumbprint is not stated in the document as such; it is the SHA-1 thumbprint of the signing certificate that the metadata embeds under the signing KeyDescriptor.
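
The following script pulls those two values out of the federation metadata, including the thumbprint, which several readers could not find because the document contains the certificate itself rather than its hash. It is an added example, not code from the post or from IdentityServer; the metadata URL is an assumption (substitute the URL of your tenant's federation metadata document), and the function name is mine.

```powershell
# Added example: extract the WS-Federation passive endpoint, the issuer (entityID) and the
# thumbprint(s) of the signing certificate(s) from a WS-Federation metadata document.
function Get-WsFedIdpSettings {
    param([Parameter(Mandatory = $true)][string]$MetadataUrl)

    # Fetch over HTTPS; the thumbprint taken from here is what IdSrv will trust for token signatures.
    $text = (New-Object System.Net.WebClient).DownloadString($MetadataUrl)
    $xml  = New-Object System.Xml.XmlDocument
    $xml.LoadXml($text)

    $ns = @{
        md  = 'urn:oasis:names:tc:SAML:2.0:metadata'
        fed = 'http://docs.oasis-open.org/wsfed/federation/200706'
        ds  = 'http://www.w3.org/2000/09/xmldsig#'
        wsa = 'http://www.w3.org/2005/08/addressing'
    }

    # The STS role is the RoleDescriptor that advertises a passive (browser) endpoint.
    $sts = (Select-Xml -Xml $xml -Namespace $ns `
        -XPath '/md:EntityDescriptor/md:RoleDescriptor[fed:PassiveRequestorEndpoint]' |
        Select-Object -First 1).Node
    if (-not $sts) { throw "No WS-Federation STS role found in $MetadataUrl" }

    $endpoint = (Select-Xml -Xml $sts -Namespace $ns `
        -XPath 'fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address' |
        Select-Object -First 1).Node.InnerText.Trim()

    # The document carries the DER certificate (base64), not a thumbprint:
    # load it as X509Certificate2 and let .NET compute the SHA-1 thumbprint.
    $certs = Select-Xml -Xml $sts -Namespace $ns `
        -XPath "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
        ForEach-Object {
            $der = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }

    New-Object PSObject -Property @{
        Issuer               = $xml.DocumentElement.GetAttribute('entityID')
        WsFederationEndpoint = $endpoint
        SigningCertificates  = @($certs | ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        })
    }
}

# Assumed URL shape; use the federation metadata URL of your own tenant.
$settings = Get-WsFedIdpSettings -MetadataUrl 'https://login.windows.net/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml'
$settings | Format-List Issuer, WsFederationEndpoint
$settings.SigningCertificates | Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

If more than one signing certificate is listed, the tenant is in the middle of a key rollover: the thumbprint you configure in IdSrv is the one of the certificate that currently signs tokens, and it has to be updated when the other one takes over, otherwise signature validation in IdSrv starts failing.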
Have fun ;)

This entry was posted in Azure, IdentityServer.

12 Responses to Federating IdentityServer with Windows Azure Active Directory

  1. Pingback: Windows Azure Community News Roundup (Edition #56) - Windows Azure Blog

  2. Geoff says:

    I can’t seem to find the issuer thumbprint in the fed metadata. Any ideas?

    • I think they are using the same cert for all tenants. So it should be the same as in my blog post. Otherwise re-create the cert from metadata and have a look there.

  3. Hi there, where is the ability to add an identity provider in version 2 of the STS?

  4. You need to enable “federation” in the WS-Federation protocol settings.

  5. I see the following only

    • General Configuration
    • Key Configuration
    • Application Recycle
    • Relying Parties & Resources
    • OAuth Clients
    • Identity Delegation

  6. Hi Dom,

    Is it possible to use identity server with azure AD to achieve true SSO? As in, when user goes to app, they are not required to enter any username or password, they just go straight through?
