Configuring Azure AD as an Identity Provider in ACS

19 July 2013

There have been some big improvements recently in the ease of configuring applications to authenticate using Azure AD. It is now possible to manage configuration of your applications through the Azure portal as part of managing Azure AD.

There are lots of tutorials on how to set up Azure AD to work with your apps.

There is also lots of information on using ACS to work with Google, Facebook, Yahoo, Microsoft accounts and on premise AD FS 2.0.

Where there is a slight gap is the scenario where you want to authenticate your users with Azure AD through ACS. The app I am building allows users to register using a Microsoft account or a Google account, but we also want to add Azure AD so that organisations can take advantage of single sign-on using their own organisational AD credentials.

I am starting from a position where my web app is already configured to use ACS and is happily authenticating users with Microsoft and Google accounts.

Adding Azure AD to the identity provider mix is a three-step process:

1. Configure ACS

In ACS select Identity Providers and click Add.

Leave the default selection of WS-Federation identity provider and click Next.

Enter a display name and then supply the URL of your Azure AD WS-Federation metadata. It can be found at https://login.windows.net/[myTenantName].onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml - replace [myTenantName] with your own tenant name.

Enter some login link text - this is what is displayed when your user selects the IP they want to use.

Select the relying party applications you want to make the Azure AD IP available for and then hit Save.

In the rule group for your relying party application you will need to add a new rule to pass through the claims from Azure AD (or do whatever claim transformations are appropriate).

2. Configure your application in Azure AD

This step is only really necessary if you want to make the app available to external users, or if you want your app to read or write directory data. If you only require straight authentication, this step can be skipped.

Log in to the Azure portal and, in the Applications tab of your Azure AD directory, click Add.

Follow the wizard and fill in the fields as relevant for your app.

3. Provision a service principal in the directory tenant for the ACS namespace

After completing the first two steps I was getting the following error when logging into my app using Azure AD as the IP:

HTTP Error Code:400

Message:ACS50000: There was an error issuing a token.

Inner Message:ACS50001: Relying party with identifier 'https://[mynamespace].accesscontrol.windows.net/' was not found

The solution is to provision a service principal in the AD tenant for your ACS namespace. This is the bit that took me some time to figure out as it looks like it is still something that can only be done using PowerShell. Hat tip to Ross Dargan for suggesting this could be the issue.

For a full explanation see Vittorio Bertocci's post, but the crucial bit you need is this (remember to replace the URLs with your own ACS namespace; the identifier must match the one in the ACS50001 message exactly, trailing slash included):

    Connect-MsolService
    Import-Module MSOnlineExtended -Force
    $replyUrl = New-MsolServicePrincipalAddresses -Address "https://lefederateur.accesscontrol.windows.net/"
    New-MsolServicePrincipal -ServicePrincipalNames @("https://lefederateur.accesscontrol.windows.net/") -DisplayName "LeFederateur ACS Namespace" -Addresses $replyUrl
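The same provisioning as a reusable script, added here as an example (not from the original post or from Vittorio's): it takes the namespace as a parameter, skips creation if the service principal is already registered, and then prints the registered names so an identifier mismatch is visible. The parameter name $AcsNamespace and the display name format are assumptions.

```powershell
# Added example: idempotent provisioning of the ACS namespace service principal.
# $AcsNamespace is an assumed parameter name; "lefederateur" is a constructed sample value.
param(
    [Parameter(Mandatory = $true)]
    [string]$AcsNamespace
)

Import-Module MSOnlineExtended -Force
Connect-MsolService   # prompts for the credentials of a directory administrator

# The service principal name must match the relying party identifier reported in
# the ACS50001 error character for character, including the trailing slash.
$spn = "https://$AcsNamespace.accesscontrol.windows.net/"

# Get-MsolServicePrincipal raises an error when the name is unknown, so suppress it
# and treat an empty result as "not yet provisioned".
$existing = Get-MsolServicePrincipal -ServicePrincipalName $spn -ErrorAction SilentlyContinue

if ($existing) {
    Write-Host "Service principal for $spn already exists (AppPrincipalId: $($existing.AppPrincipalId))"
}
else {
    $replyUrl = New-MsolServicePrincipalAddresses -Address $spn
    $sp = New-MsolServicePrincipal -ServicePrincipalNames @($spn) `
                                   -DisplayName "$AcsNamespace ACS Namespace" `
                                   -Addresses $replyUrl
    Write-Host "Created service principal $($sp.AppPrincipalId) for $spn"
}

# Verification: the identifier ACS presents must appear in this list exactly.
(Get-MsolServicePrincipal -ServicePrincipalName $spn).ServicePrincipalNames
```

If the identifier in the ACS50001 message differs from what is listed here (for example by a missing trailing slash), the token request will still fail until the names match.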

Once those steps are complete you should be able to start up your app and select Azure AD as the IP option and sign in using your Azure AD account.