SAML Protocol Metadata and Endpoints


The SAML protocol requires the identity provider (Azure Active Directory) and the service provider (the application) to exchange information about themselves. When a service provider is registered with Azure Active Directory, the developer registers federation-related information with Azure Active Directory, including the redirect URI and the metadata URI of the service provider. Azure Active Directory reads the service provider's metadata document at that URI to retrieve the service provider's signing key (used to verify messages the service provider signs) and its logout URI. If the service provider does not publish a metadata URL, the developer must contact Microsoft support to provide the logout URI and signing key.

Azure Active Directory exposes tenant-specific and common (tenant-independent) single sign-on and single sign-out endpoints. The federation metadata endpoint for each type is listed below. The Federation Metadata URLs are addressable locations, not just identifiers, so you can retrieve the metadata document from the endpoint.

Tenant-specific endpoint

https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml

Tenant-independent endpoint

https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml

The tenant-specific federation metadata is located at the tenant-specific metadata endpoint. The <TenantDomainName> placeholder represents either a registered domain name or the tenant ID (a GUID) of an Azure AD tenant. For example, the federation metadata of the contoso.com tenant is at: https://login.microsoftonline.com/**contoso.com**/FederationMetadata/2007-06/FederationMetadata.xml

The common or tenant-independent federation metadata is located at the tenant-independent metadata endpoint: https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml. You can retrieve the tenant-independent metadata from that location. In this endpoint address, "common" appears instead of a tenant domain name or ID. Because the common document is not bound to any one tenant, a service provider that accepts users from a specific tenant should take the issuer identifier and signing keys it trusts from that tenant's own metadata document, and should only fetch metadata over HTTPS from the login.microsoftonline.com host.
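The following is an added example, not code from the original page or from Microsoft: it parses a SAML 2.0 federation metadata document of the kind published at the endpoints above and extracts what a service provider needs to trust an identity provider (the entityID that assertions will name as Issuer, the signing certificates, and the SSO/SLO endpoints), then checks that the document belongs to the expected tenant. The metadata is a constructed, abbreviated sample in the real EntityDescriptor schema (the tenant ID and the certificate bytes are made up placeholders, and the Azure AD issuer form https://sts.windows.net/<tenant-id>/ is an assumption of this example), so it runs offline. `fetch_metadata` is included for the real case but is not called here.

```python
"""Parse SAML 2.0 federation metadata (the FederationMetadata.xml format that
Azure AD publishes) and pull out what a service provider must trust.

Added example for this page; not Microsoft's code or tooling.  The sample
document below is constructed: the tenant ID is made up and the
X509Certificate value is a placeholder blob, not a real certificate.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed

# Constructed sample in the real schema; abbreviated to the elements used here.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>AAECAwQFBgcICQ==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_url(tenant):
    """Tenant-specific metadata URL; pass 'common' for the tenant-independent one."""
    return "https://login.microsoftonline.com/" + tenant + METADATA_PATH


def fetch_metadata(tenant, timeout=10):
    """Retrieve the document over HTTPS (urllib verifies the server cert by default)."""
    with urllib.request.urlopen(metadata_url(tenant), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_metadata(xml_text):
    """Return the issuer, SHA-256 thumbprints of signing certs, and endpoints by binding."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing
        # and encryption, so only an explicit use="encryption" is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha256(der).hexdigest())

    def endpoints(name):
        return {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + name, NS)}

    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": thumbprints,
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
    }


def check_issuer(parsed, expected_tenant_id):
    """Refuse a document whose entityID is not the expected tenant's issuer.

    Assumes the issuer form https://sts.windows.net/<tenant-id>/.  Building a
    trust store from another tenant's document (or from the common one) would
    let assertions from the wrong tenant verify against the stored keys.
    """
    return parsed["entity_id"] == "https://sts.windows.net/%s/" % expected_tenant_id


if __name__ == "__main__":
    info = parse_metadata(SAMPLE_METADATA)
    print("issuer:", info["entity_id"])
    print("signing cert thumbprints:", info["signing_cert_sha256"])
    print("SSO endpoints:", info["sso"])
    print("trusted tenant:", check_issuer(info, SAMPLE_TENANT))
```

In a real deployment the service provider would call `fetch_metadata(tenant_id)` on a schedule, keep the thumbprints of every signing certificate the document lists (Azure AD can publish more than one during key rollover), and reject assertions whose Issuer does not equal the stored entityID or whose signature does not verify against one of those certificates.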

For information about the Federation Metadata documents that Azure Active Directory publishes, see Federation Metadata.

See Also

SAML Protocol Reference
Single Sign-on (SAML Protocol)
Single Sign-out (SAML Protocol)
Active Directory Authentication Protocols