This documentation is archived and is not being maintained.

How to: Add an Azure AD Tenant as an Identity Provider

Published: October 23, 2013

Updated: June 19, 2015

Applies To: Azure

  • Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)

This topic explains how to add an Azure Active Directory (AD) tenant to the list of identity providers in your Access Control namespace. This feature allows you to use the tenant as identity provider for applications that are associated with the namespace.

The process has two major elements:

  1. Add the Access Control namespace to the Azure AD tenant to as a web app. This allows the namespace (web app) to receive tokens from Azure AD.

  2. Add the Azure AD tenant to the Access Control namespace as an identity provider.

The remaining steps are common to all identity providers in ACS. You can add relying party applications and rules that determine which identity claims are passed from identity providers to the relying party applications.

The instructions in this topic require the following:

  1. An Azure subscription. For more information, see Getting Started with Azure.

  2. An Azure Access Control namespace. For help, see How to: Create an Access Control Namespace.

  3. Visual Studio 2012

In this step, we'll copy the namespace name for use in the next step. You will need the namespace name to indicate that tokens should be sent to the endpoint that receives WS-Federation sign-in responses.

Although the namespace URL is in a field labeled Management Portal, the tokens are sent to the specified endpoint, not the portal.

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. Click Application Integration.

  4. Copy the value of the Management Portal field.

    The URL in the Management Portal field has the following format:

    https://< Namespace>.accesscontrol.windows.net/

    Save the value. You'll need it in the next step.

The value of the Management Portal field is the namespace name and the URL of the endpoint that receives WS-Federation sign-in responses.

In this step, you will use the features of the Azure Management Portal to add the Access Control namespace as a web application in the Azure AD tenant. This makes the tenant a recipient of the tokens that Azure AD generates.

  1. Go to the Azure Management Portal and sign in. Click Active Directory, click a directory, click Applications, and then click Add.



    Add an application to an Active Directory tenant
  2. Enter a name for the app. In the Type field, select Web Application and/or Web API (the default). To advance, click the arrow.



    Add a name and type for the app
  3. In the App URL and App ID URI text boxes, paste the URL that was in the Management Portal field on the Application Integration page. To continue, click the arrow.

    The App URL is the address to which token are sent when a user authenticates successfully. The App ID URI is the audience to which the token are scoped. If we used any value other than the entityID of the Access Control namespace, ACS would be interpret it as a token reused from a man-in-the-middle attack.

    When pasting, be careful not to include trailing spaces or extra characters after the final forward slash (/). Otherwise, Azure AD will mark the URL as invalid.



    Add the URL and App ID Uri for the app
  4. On the Directory Access page, select the default setting, Single Sign-On. Because ACS does not call the Graph API, the setting is not used. To finish the process, click the check mark.

    At this point, your Azure AD tenant knows about your Access Control namespace and can issue tokens for it.

    Specify the access requirements of the app
  5. On the final page, copy the Federation Metadata URL. You'll need it in a few minutes.

    To return to this page:

    • Go to the Azure Management Portal and sign in.

    • Click an Azure directory.

    • Click Applications.

    • Click the application.

    The Federation Metadata URL is also listed on the App Endpoints page for the application. To view this page, on the Application page, click View Endpoints.



    Page announces that app is added

In this step, you will add the security token service (STS) for the Azure AD tenant to the Access Control namespace.

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

    This action opens the ACS Management Portal for the Access Control namespace.



    ACS Management Portal
  3. Click Identity providers and then click Add.

  4. Select WS-Federation identity provider and then click Next.



    Add an identity provider
  5. Enter a display name and login link text. There are no special requirements for these values.

  6. In the WS-Federation metadata section, click URL and then paste the Federation Metadata URL that you copied from the application page. Then, click Save.

    Another useful field on this page is the Login Link Text field. The value of that field appears in the list of identity providers offered to users when they sign in to the application.



    Enter the Federation Metadata URL

The Azure AD tenant is now registered as an identity provider for the Access Control namespace. In some sense, our task is complete. However, in this step, we'll show you how to use the new identity provider by adding it to the offering of identity providers for a web application.

To select the new identity provider for your app, use the standard procedure:

  1. Start Visual Studio 2012 and open a web application.

  2. In Solution Explorer, right-click the app name, and then click Identity and Access.

  3. On the Providers tab, click Use the Azure Access Control Service.

  4. To associate the app with an Access Control namespace, you need the management key for the namespace. Here's how to find it.

    1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

    2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

    3. Click Management Service, click Management client, and then click Symmetric key.

    4. Click Show Key, copy the key value, and then click Hide Key.

  5. Now, back in the Visual Studio Configure ACS namespace dialog box, enter the name of the Access Control namespace and paste the management key value.



    Enter the namespace name and key in Visual Studio
  6. Then, select the Azure AD tenant identity provider from the list of identity providers in the namespace.



    Select the AD Tenant identity provider
  7. When you run the app, a log-in dialog box includes the Azure AD tenant identity provider among the identity provider choices. (The name that appears on this page is defined in the Login Link Text field on the identity provider settings page.)



    Select an identity provider
  8. Select the Azure AD tenant and then sign in with your organizational account.



    Application sign-in page

Now, you have access to your application. The authentication tokens are forwarded to the Azure AD tenant as the identity provider.

See Also

Concepts

ACS How To's

Show: