Thank you for using the Windows Azure Active Directory Preview!
When we launched the Developer Preview, we noted that the Audience field in tokens sent by Azure
AD was in SPN format and included both the identifier of the application and the identifier of the tenant, while most other federation systems allow applications to be identified by a URL only.
We have made an improvement to the Preview to enable the use of URLs as application identifiers. Because of this change, existing applications that are registered with Azure AD will no longer accept
sign-in responses and must be updated to continue to function properly.
The SSO code samples have been updated to reflect the changes, and can be used to determine how you should update your applications. Please refer to the
Change Summary here to see an example
of the changes you will need to make in your code.
This change will occur on 10/23/2012.
Breaking Change: Code change required for verification of the Audience URI
For currently registered applications, Azure AD now sends spn:AppID instead of spn:appid@tenantid in the Audience field of the token. Windows
Azure Active Directory no longer returns the @tenant ID portion of the identifier in the audience value. The tenant ID
can be inferred from the Issuer field of the token. Existing applications must be updated to expect spn:AppID instead of spn:appid@tenantid in the Audience field, and must be modified to obtain the tenant ID from the Issuer
You can see an example of this in the code sample here:
New applications can now be registered using a URL as the application identifier, and the URL will be returned in the audience field. For example, if the
application identifier is registered as https://www.example.com, the audience field of the token will contain
Upcoming Breaking Change: Change to the URL Format in the request to AAD
In addition, in future update to the Preview there will be a change in the URL which must be sent to AAD for SSO. This change also impacts the
Metadata URL used to discover information about a tenant. In the upcoming release,
the tenant ID or a verified domain name of the tenant must be included in the URL of the request to AAD, instead of in a query parameter. You should update your code to make this change, as we will be removing the old URL request format in
For the AAD URL, the format should be the following: