Adding Windows Azure AD (GA) as an Identity Provider in IdentityServer

Things have slightly changed between releases of WAAD, so I thought I quickly document the steps how to add the GA version of WAAD as an identity provider to IdentityServer.

If we would support parsing WS-Federation metadata, this could be much simpler – but right now we don’t, so I show you the manual way (and a little ninja trick).

1) Add a new application to WAAD
Add the application to your WAAD from the Azure portal.


2) Configure WS-Federation
The App ID is the IdentityServer’s Site ID (from the General tab in the admin area) and the reply URL is IdentityServer’s HRD endpoint.


3) Add WAAD to IdentityServer
This is the tricky part. All the information you need is in WAAD’s metadata. You can access the metadata from the application configuration/endpoints page in the Azure portal. The URL is something like:

In that document you can find two things – the WS-Federation endpoint URL and the signing key.


The ninja trick: You can copy and paste the X.509 certificate to a text editor and save it as a .cer file. Now you can double click it in Explorer and get the usual certificate view, from the details pane you can copy the thumbprint.

Enter these two value into IdentityServer’s identity provider configuration:


That’s it! HTH

This entry was posted in IdentityServer. Bookmark the permalink.

7 Responses to Adding Windows Azure AD (GA) as an Identity Provider in IdentityServer

  1. Pingback: Windows Azure Community News Roundup (Edition #70) - Windows Azure Blog

  2. Pingback: Windows Azure 社区新闻综述(#70 版) - 微软云计算: Windows Azure 中文博客 - Site Home - MSDN Blogs

  3. panesofglass says:

    That’s great! Is it possible to specify the provider when making a call, similar to the way one might customize the ACS HRD page?

  4. WAAD does not have the concept of a provider or HRD.

  5. panesofglass says:

    I meant that I would like to create my own sign in page and forward requests to IdSrv by specifying the identity provider to use. Is that possible?

  6. Well – you can write – everything is possible.

    But IdSrv (and any other IdP) is not designed that way. The point is user should only type in their password into the pages they belong to.

    • panesofglass says:

      I am clearly not getting my thoughts across. Thank you for your patience. ACS allows you to download their providers listing page and customize it. The default page assumes HRD, so you are presented with an email address input that then forwards you to the appropriate IdP signin page. I’m looking for something similar with IdSrv. Can I retrieve a listing of providers from IdSrv so that I an do a lookup in a custom form and forward directly to the provider? Auth0’s service provides this same sort of thing in the headless version of their login widget (, see the JavaScript API sample).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s