SALES: 1-800-867-1380

SAML Protocol Metadata and Endpoints

Published: April 5, 2013

Updated: April 1, 2014

SAML protocol requires the identity provider (Windows Azure Active Directory) and the service provider (the application) to exchange information about themselves. When a service provider is registered with Windows Azure Active Directory, the developer registers federation-related information with Windows Azure Active Directory, including the redirect URI and the metadata URI of the service provider. Windows Azure Active Directory uses the metadata URI of the cloud service to retrieve the signing key and the logout URI of the cloud service. If the service provider does not support a metadata URL, the developer must contact Microsoft support to provide the logout URI and signing key.

Windows Azure Active Directory exposes tenant-specific and common (tenant-independent) single sign-on and single sign-out endpoints. The following table shows the endpoints for each type. The Federation Metadata URLs represent addressable locations -- they are not just an identifiers -- so you can go to the endpoint to read the metadata.


Tenant-specific endpoint<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Tenant-independent endpoint

The tenant-specific federation metadata is located at the tenant-specific metadata endpoint. The <TenantDomainName> placeholder represents a registered domain name or TenantID GUID of a Windows Azure AD tenant. For example, the federation metadata of the tenant is at:

The common or tenant-independent federation metadata is located at the tenant-independent metadata endpoint: You can go to that location to read the tenant-independent metadata. In this endpoint address, "common" appears, instead of a tenant domain name or ID.

For information about the Federation Metadata documents that Windows Azure Active Directory publishes, see Federation Metadata.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft