1
votes

I have created an Active Directory on Windows Azure. I have added a user. I have added an Application, just using my corporate site URLs.

I then get a login.windows.net/..../FederationMetadata/2007-06/FederationMetadata.xml

I created an Access Control Namespace and added it as an Identity Provider, WS-Federation identity provider (e.g. Microsoft AD FS 2.0).

When I go to the login page: https://c1azure.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3as-innovations%3aas2

I can now select my AD as single sign-on. I get directed to the AD sign-in (my user was a Live-ID user), so it sends me to login.live.com/login.srf..... and now when I sign in it sends me back to: https://login.windows.net/..../wsfed?f=255&MSPPError=-2147205086

I can't figure out what the error code means or where to go.

1
I'm not entirely sure that the Live-ID logins in AAD (Azure AD) will work with the federation scenario. Try creating an AAD local user (that will be user@your_tenant_domain.onmicrosoft.com) and use that user when logging in. Live-ID users in AAD are actually federated users from Microsoft Account; they are not local to the AAD and this might be an issue when further federating. - astaykov
That gave me another error, it ends at login.windows.net/...../wsfed with an error that the relying party with identifier 'my acs namespace'. But this might not be possible. What I really want is to create an app with single sign-on, that I can make public in the Azure AD application tab on Azure and also let people log in with Google/Facebook and such. - Poul K. Sørensen
Please follow this blog post. If you complete every step correctly, you will have a working solution at the end. When you have completed all the steps, if you still have errors, please update your question. - astaykov
Thanks for the link. That is actually what I did on my own. But I will try to do it once again and see if I can reproduce my error. Been watching Build videos and I am not really sure if this is really what I want. At Build keynote 2 it was shown how apps got exposed to other Azure ADs for single sign-on, but this means that the app should point to the Azure AD tenant SSO. Is it possible to configure a web app for accepting two identity providers, the ACS and Azure AD, without pointing Azure AD to the ACS? - Poul K. Sørensen
stackoverflow.com/questions/14882581/… (basically this was my second question). But I think that if I have 3rd-party Azure ADs that want to use my app, I would then just add them to my ACS. (Would be nice to have my app in the Azure Portal like in the keynote, but that might not be possible if I also want Facebook logins.) - Poul K. Sørensen

1 Answer

1
votes

Actually, there is a workaround to provision AAD as an identity provider in ACS. http://www.cloudidentity.com/blog/2013/10/03/provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-click/

Basically, what has to be done is to add the FederationMetadata.xml URL when AAD is created as an identity provider in ACS.

Afterwards (in VS 2012) there is a new utility, Identity and Access, that will let you choose the IPs and will create a new group in ACS, in which the claim transformation rule(s) that we need have to be added (the post says this should be checked in code because the claims change).
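As an added example (not code from the question, the answer or the linked post): a parser for the FederationMetadata.xml that AAD serves, extracting the three values ACS needs when the tenant is added as a WS-Federation identity provider (issuer, passive sign-in endpoint, token-signing certificate thumbprint) and rejecting metadata whose endpoint is not https or that carries no signing certificate. The metadata document, tenant id, issuer and certificate bytes below are constructed placeholders.

```python
# Added example, not code from the question or answer: read a WS-Federation
# FederationMetadata.xml and return what ACS needs to trust AAD as an IdP.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample metadata; tenant id, issuer and certificate bytes are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="https://issuer.example/TENANT-PLACEHOLDER/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AAEC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://login.windows.net/TENANT-PLACEHOLDER/wsfed</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def parse_wsfed_metadata(xml_text):
    """Return issuer, passive endpoint and signing-cert thumbprints, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor document")
    # Only the SecurityTokenService role carries the WS-Federation passive endpoint.
    sts = [r for r in root.findall("md:RoleDescriptor", NS)
           if r.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")]
    if len(sts) != 1:
        raise ValueError("expected exactly one SecurityTokenService role")
    addr = sts[0].find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    endpoint = (addr.text or "").strip() if addr is not None else ""
    if not endpoint.startswith("https://"):
        raise ValueError("passive endpoint missing or not https: %r" % endpoint)
    thumbprints = []
    for cert in sts[0].findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line breaks
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())  # ACS/WIF-style thumbprint
    if not thumbprints:
        raise ValueError("no signing certificate: tokens from this IdP could not be verified")
    return {"issuer": root.get("entityID"), "endpoint": endpoint,
            "signing_thumbprints": thumbprints}
```

The thumbprint is what the ACS identity-provider entry and the relying party's issuer name registry are compared against, so a change in it after the tenant rotates keys is the first thing to check when sign-in starts failing.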