Thank you for using the Windows Azure Active Directory Preview!
When we launched the Developer Preview, we noted that the Audience field in tokens sent by Azure AD was in SPN format and included both the identifier of the application and the identifier of the tenant, while most other federation systems allow applications to be identified by a URL only.
We have made an improvement to the Preview to enable the use of URLs as application identifiers. Because of this change, existing applications that are registered with Azure AD will no longer accept sign-in responses and must be updated to continue to function properly.
The SSO code samples have been updated to reflect the changes, and can be used to determine how you should update your applications. Please refer to the Change Summary here to see an example of the changes you will need to make in your code.
This change will occur on 10/23/2012.
Breaking Change: Code change required for verification of the Audience URI
For currently registered applications, Azure AD now sends spn:AppID instead of spn:appid@tenantid in the Audience field of the token. Windows Azure Active Directory no longer returns the @tenantID portion of the identifier in the audience value. The tenant ID can be inferred from the Issuer field of the token. Existing applications must be updated to expect spn:AppID instead of spn:appid@tenantid in the Audience field, and must be modified to obtain the tenant ID from the Issuer field.
You can see an example of this in the code sample here:
https://github.com/WindowsAzure/azure-sdk-for-dotnet-samples/blob/master/WAAD.WebSSO.ASPNET/csharp/code/libraries/tokenHandler/Microsoft.Samples.Waad.Federation/ConfigurationBasedSaml2SecurityTokenHandler.cs
New applications can now be registered using a URL as the application identifier, and the URL will be returned in the audience field. For example, if the application identifier is registered as https://www.example.com, the audience field of the token will contain https://www.example.com.
Upcoming Breaking Change: Change to the URL Format in the request to AAD
In addition, a future update to the Preview will change the URL which must be sent to AAD for SSO. This change also impacts the Metadata URL used to discover information about a tenant. In the upcoming release, the tenant ID or a verified domain name of the tenant must be included in the path of the request URL to AAD, instead of in a query parameter. You should update your code to make this change, as we will be removing the old URL request format in the future.
For the AAD URL, the format should be the following:
Before:
https://accounts.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=<appID>@<tenantID>&wreply=https://<your application>
After:
https://accounts.accesscontrol.windows.net/<domain name or tenant ID>/v2/wsfederation?wa=wsignin1.0&wtrealm=<appID>&wreply=<your application>
and the Federation Metadata endpoint:
Before:
https://accounts.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml?realm=<domain name or tenant ID>
After:
https://accounts.accesscontrol.windows.net/<domain name or tenant ID>/v2/FederationMetadata/2007-06/FederationMetadata.xml
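As an added illustration (not the linked C# sample and not part of this announcement), the following Python sketch shows both adjustments described above: checking the new Audience formats (spn:AppID or the registered URL), deriving the tenant from the Issuer, and building the new-style sign-in and metadata URLs. The issuer format https://sts.windows.net/<tenant-id>/ and all sample IDs are assumptions, not values taken from this page.

```python
import re
from urllib.parse import urlencode

AAD_HOST = "https://accounts.accesscontrol.windows.net"

# Assumed issuer format (not stated on this page): https://sts.windows.net/<tenant-id>/
# Confirm the real value against your tenant's federation metadata before relying on it.
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/?$")


def tenant_from_issuer(issuer: str) -> str:
    """Return the tenant ID carried in the Issuer field; reject any other issuer."""
    m = ISSUER_RE.match(issuer)
    if not m:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    return m.group(1).lower()


def validate_token_claims(audience: str, issuer: str,
                          app_identifier: str, expected_tenant: str) -> str:
    """Validate the new-format Audience and bind the token to the expected tenant.

    app_identifier is either the registered App ID (audience "spn:<AppID>") or the
    registered application URL (audience equal to that URL). Returns the tenant ID.
    """
    is_url = "://" in app_identifier
    expected_audience = app_identifier if is_url else f"spn:{app_identifier}"
    if "@" in audience:
        # The old spn:appid@tenantid form is no longer issued; matching it would silently fail.
        raise ValueError("legacy audience format; expected spn:AppID or the application URL")
    if audience != expected_audience:
        raise ValueError(f"audience mismatch: got {audience!r}, expected {expected_audience!r}")
    tenant = tenant_from_issuer(issuer)  # tenant now comes from Issuer, not from Audience
    if tenant != expected_tenant.lower():
        raise ValueError(f"token issued for tenant {tenant}, expected {expected_tenant}")
    return tenant


def signin_url(tenant: str, app_id: str, reply_url: str) -> str:
    """New request format: tenant ID or verified domain in the path, wtrealm carries only the App ID."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": app_id, "wreply": reply_url})
    return f"{AAD_HOST}/{tenant}/v2/wsfederation?{query}"


def metadata_url(tenant: str) -> str:
    """New federation metadata endpoint: tenant in the path instead of the realm query parameter."""
    return f"{AAD_HOST}/{tenant}/v2/FederationMetadata/2007-06/FederationMetadata.xml"
```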