
SAML Protocol Metadata and Endpoints

Published: April 5, 2013

Updated: April 1, 2014

The SAML protocol requires the identity provider (Windows Azure Active Directory) and the service provider (the application) to exchange information about themselves. When a service provider is registered with Windows Azure Active Directory, the developer registers federation-related information with Windows Azure Active Directory, including the redirect URI and the metadata URI of the service provider. Windows Azure Active Directory uses the metadata URI of the cloud service to retrieve the signing key and the logout URI of the cloud service. If the service provider does not support a metadata URL, the developer must contact Microsoft support to provide the logout URI and signing key.

Windows Azure Active Directory exposes tenant-specific and common (tenant-independent) single sign-on and single sign-out endpoints. The following table shows the endpoint for each type. The Federation Metadata URLs are addressable locations, not just identifiers, so you can go to the endpoint to read the metadata.

Tenant-specific endpoint:
https://login.windows.net/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Tenant-independent endpoint:
https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml

The tenant-specific federation metadata is located at the tenant-specific metadata endpoint. The <TenantDomainName> placeholder represents a registered domain name or TenantID GUID of a Windows Azure AD tenant. For example, the federation metadata of the contoso.com tenant is at: https://login.windows.net/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

The common or tenant-independent federation metadata is located at the tenant-independent metadata endpoint: https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml. You can go to that location to read the tenant-independent metadata. In this endpoint address, "common" appears instead of a tenant domain name or ID.
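The following Python example is added here to illustrate the two steps above from the service provider's side: building the tenant-specific or common metadata URL from a tenant domain name or tenant ID GUID, and pulling the identity provider's signing certificate and single sign-on / single sign-out endpoints out of a federation metadata document. It is not Microsoft's code. The embedded metadata document is a constructed minimal sample in the shape of a SAML 2.0 EntityDescriptor; its entityID, certificate text and endpoint locations are placeholders, not values from a real tenant.

```python
"""Build Windows Azure AD federation metadata URLs and parse IdP metadata.

Hypothetical helper code (not Microsoft's). The metadata document below is a
constructed sample, not a real tenant's FederationMetadata.xml.
"""
import re
import uuid
import xml.etree.ElementTree as ET

LOGIN_HOST = "https://login.windows.net"
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# A registered domain name: labels of letters/digits/hyphens joined by dots.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def tenant_segment(tenant):
    """Return the path segment for a tenant, or None if it is not a registered
    domain name or a tenant ID GUID. Rejecting anything else keeps untrusted
    input (e.g. "../other") from being spliced into the metadata URL."""
    t = tenant.strip()
    try:
        return str(uuid.UUID(t))  # normalises a tenant ID GUID
    except ValueError:
        pass
    return t.lower() if _DOMAIN_RE.match(t) else None


def is_valid_tenant(tenant):
    return tenant_segment(tenant) is not None


def metadata_url(tenant=None):
    """Tenant-specific metadata URL, or the common (tenant-independent) URL
    when no tenant is given."""
    if tenant is None:
        segment = "common"
    else:
        segment = tenant_segment(tenant)
        if segment is None:
            raise ValueError(f"not a domain name or tenant GUID: {tenant!r}")
    return f"{LOGIN_HOST}/{segment}{METADATA_PATH}"


# Constructed sample document (placeholder values throughout).
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC-CONSTRUCTED-SAMPLE-CERT-BASE64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO/SLO endpoints.
    Only feed this a document fetched over HTTPS from the expected host; the
    signing keys returned here are what the SP will later trust for
    assertion signature validation."""
    root = ET.fromstring(xml_text)  # stdlib ET does not resolve external entities
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("document does not describe an identity provider")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop base64 whitespace

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
    }


if __name__ == "__main__":
    print(metadata_url("contoso.com"))
    print(metadata_url())
    print(parse_idp_metadata(SAMPLE_METADATA))
```

The metadata document itself carries no trust beyond the TLS connection it was fetched over, so the parser deliberately refuses anything that is not an EntityDescriptor with an IDPSSODescriptor, and the URL builder only accepts a domain name or a GUID so that a caller cannot steer the fetch to a different path on the host.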

For information about the Federation Metadata documents that Windows Azure Active Directory publishes, see Federation Metadata.

© 2014 Microsoft. All rights reserved.