There appears to be a catch-22 at present, as the web role needs to know the URL (audienceUri and realm) in the web.config, but this, being a GUID, is never known until after deployment. The current suggested work-arounds, after discussion with incident support and others agree, 1) have some caveats, 2) defeat the safety of having separate verifiable configuration for different environments from executing code, and 3) don’t conform to the concept of platform as a service, as they involve RDCs and manual configuration. Without a solution there are deployment risks of a direct-to-live deployment and the inconvenience of downtime for a period.
I thought I'd raise this as a discussion point to see what other people thought.
The solution would be to enable staging domains where you could specify the particular domain for a staging environment. However, I can't speak to the internals of staging vs production, so there is likely a good reason why you couldn't do a simple VIP swap across production-like environments.
I would be curious if anyone from Microsoft could chime in and provide a reason -- good or otherwise :) -- why it isn't possible.