Vittorio describes here in great detail how to provision a WAAD tenant as an identity provider in an ACS namespace. Since ACS and IdentityServer both speak plain WS-Federation under the bonnet, the same procedure should also work with IdentityServer as the relying side, and it does.
Make sure to read Vittorio’s post first – the differences are as follows:
1 The provisioning script
The reply URL points to the HRD endpoint:
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://server/issue/hrd"
..and the service principal uses the configured IdSrv issuer URI:
New-MsolServicePrincipal -ServicePrincipalNames @("http://identityserver.v2.thinktecture.com/trust/changethis") -DisplayName "IdSrv" -Addresses $replyUrl
2 IdentityServer configuration
On the IdSrv side, you need to add a new identity provider. I took the values for WS-Federation Endpoint and Issuer Thumbprint from the WAAD federation metadata document of my tenant (see Vittorio's post). For my tenant they were
https://accounts.accesscontrol.windows.net/tenant_id/v2/wsfederation
and
3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0
The thumbprint identifies the token-signing certificate, and ACS can roll that certificate over, so take the current value from your own tenant's metadata rather than copying it from this post; an IdSrv identity provider with a stale thumbprint will reject every token the tenant issues.
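The two steps above, as one added example script (not code from this post or from the IdentityServer project). It provisions the service principal exactly as described and then derives the identity-provider values from the tenant's federation metadata instead of copying them, which is also where the thumbprint lives if you cannot spot it by eye. It assumes the MSOnline module is installed and Connect-MsolService has been run, and $Server, $IssuerUri and $MetadataUrl are placeholders for your IdSrv host, its configured issuer URI and your tenant's metadata URL (the post only shows the .../v2/wsfederation endpoint, so the metadata path is an assumption).

```powershell
# Added example; not code from the original post or from IdentityServer.
# Assumptions: MSOnline module loaded, Connect-MsolService already run;
# $Server, $IssuerUri and $MetadataUrl are placeholders for your own values.
param(
    [string]$Server      = "server",
    [string]$IssuerUri   = "http://identityserver.v2.thinktecture.com/trust/changethis",
    [string]$MetadataUrl = "https://accounts.accesscontrol.windows.net/tenant_id/FederationMetadata/2007-06/FederationMetadata.xml"
)

# --- 1. Provision IdSrv as a service principal in the WAAD tenant ------------
# Reply address = the IdSrv HRD endpoint; SPN = the issuer URI configured in IdSrv.
# ACS only posts tokens back to a registered reply address, so both must match
# the IdSrv configuration character for character.
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://$Server/issue/hrd"
$sp = New-MsolServicePrincipal -ServicePrincipalNames @($IssuerUri) `
                               -DisplayName "IdSrv" `
                               -Addresses $replyUrl
$sp | Format-List DisplayName, AppPrincipalId, ServicePrincipalNames

# --- 2. Read the IdSrv identity-provider values from the tenant metadata -----
$xml = New-Object System.Xml.XmlDocument
$xml.LoadXml((New-Object System.Net.WebClient).DownloadString($MetadataUrl))

$ns = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
$ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("wsa", "http://www.w3.org/2005/08/addressing")
$ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")

# entityID is the issuer name ACS puts into its tokens.
$metadataIssuer = $xml.DocumentElement.GetAttribute("entityID")
# The passive (browser) WS-Federation endpoint IdSrv redirects to.
$wsfedEndpoint  = $xml.SelectSingleNode("//fed:PassiveRequestorEndpoint//wsa:Address", $ns).InnerText

# Every signing certificate in the metadata; during a rollover there are two,
# and IdSrv needs the thumbprint of the one that actually signs your tokens.
$signingCerts = $xml.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }

if (-not $signingCerts) { throw "No signing certificate found in $MetadataUrl" }
if ($wsfedEndpoint -notlike "https://*") { throw "WS-Federation endpoint is not HTTPS: $wsfedEndpoint" }

foreach ($cert in $signingCerts) {
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ("Signing cert {0} expires {1}; expect a rollover and re-check the thumbprint." `
            -f $cert.Thumbprint, $cert.NotAfter)
    }
}

# The values to enter for the new identity provider in the IdSrv admin UI.
New-Object PSObject -Property @{
    Issuer               = $metadataIssuer
    WSFederationEndpoint = $wsfedEndpoint
    IssuerThumbprints    = ($signingCerts | ForEach-Object { $_.Thumbprint }) -join ", "
}
```

The thumbprint is computed from the certificate bytes in the metadata rather than read from a field, because federation metadata carries the full certificate, not its hash. Run it once after provisioning and again whenever tokens from the tenant suddenly start failing signature validation in IdSrv; a new thumbprint in the output means the tenant's signing certificate has rolled.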
Have fun ;)
I can’t seem to find the issuer thumbprint in the fed metadata. Any ideas?
I think they are using the same cert for all tenants. So it should be the same as in my blog post. Otherwise re-create the cert from metadata and have a look there.
Hi there, where is the ability to add an identity provider in version 2 of the STS?
In the admin area: https://vimeo.com/51666379
Hey Dominick, thanks for the reply. I don't see half the menu items that you have in that video. Any idea how to get them to display? I've tried the latest source "release" and also the source from GitHub master; neither has shown the identity providers menu item in administration for me.
You need to enable “federation” in the WS-Federation protocol settings.
Excellent thanks, I enabled that and BAM! Many thanks for your time :)
I see the following only
•General Configuration
•Key Configuration
•Protocols
•Diagnostics
•Application Recycle
•Relying Parties & Resources
•OAuth Clients
•Roles
•Users
•Identity Delegation
Hi Dom,
Is it possible to use IdentityServer with Azure AD to achieve true SSO? As in, when the user goes to the app, they are not required to enter any username or password; they just go straight through?
Cheers
yes
How? Can we get an example or blog post on this, please?