How to configure relying party trust with Azure AD?

Question

  • Hi,

    I am attempting to configure Azure Active Directory to act as an IDP for an SP initiated SAML flow.  However, there is nowhere to establish the relying party trust...

    I see that there used to be a field to declare the SP's "Federation metadata URL", but I don't see that on the application configuration page.  Ref here, about two-thirds down the page - http://www.theidentityguy.com/articles/2013/6/4/a-look-at-azure-ads-web-sign-in-endpoints.html

    How do I establish the trust with the SP?

    Thanks,

    Stuart

    Thursday, September 25, 2014 1:51 PM

Answers

  • AAD does not poll a SAMLP SP's federation metadata – for signing key and logoutUrl. In order to set the logout url you would need to set the logoutUrl property using the app manifest which can be downloaded, updated and uploaded on the "Active Directory" extension of the Azure portal - you should see a manage manifest option at the bottom of the application configuration page. Also, AAD does not validate the signatures on the logout request so there is no need to set the signing cert.

    In this previous statement: "As a reminder, I am trying to provide my SP's Federation Metadata to ADFS so that ADFS can sign the assertions it sends back." - Did you mean AAD instead of ADFS?


    Y Pereira

    Tuesday, October 28, 2014 6:34 PM
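Since, per the accepted answer, AAD does not fetch the SP's federation metadata, the values that metadata carries (assertion consumer URL, single logout URL, signing certificate) have to be carried over by hand into the application's manifest. The script below is an added illustration, not code from the thread or from Microsoft: it parses a constructed SP metadata document with the standard library, refuses non-HTTPS endpoints so a typo cannot downgrade the trust, and produces the manifest update. It assumes the manifest property `logoutUrl` named in the answer and a `replyUrls` list for the ACS endpoints; the entity ID, URLs and certificate value are placeholders.

```python
import json
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata: hypothetical entity ID, URLs and certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _require_https(url, what):
    """Reject plaintext endpoints: an IdP redirecting assertions or logout
    messages to http:// would expose them on the wire."""
    if url is None or not url.lower().startswith("https://"):
        raise ValueError("%s must be an https:// URL, got %r" % (what, url))
    return url


def parse_sp_metadata(xml_text):
    """Extract the trust parameters an admin has to transcribe from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    acs_urls = [
        _require_https(e.get("Location"), "AssertionConsumerService")
        for e in spsso.findall("md:AssertionConsumerService", NS)
    ]
    slo = spsso.find("md:SingleLogoutService", NS)
    logout_url = _require_https(slo.get("Location"), "SingleLogoutService") if slo is not None else None

    # KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in spsso.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))

    return {
        "entity_id": root.get("entityID"),
        "acs_urls": acs_urls,
        "logout_url": logout_url,
        "wants_signed_assertions": spsso.get("WantAssertionsSigned") == "true",
        "signing_certs": signing_certs,
    }


def update_manifest(manifest, sp):
    """Return a copy of the downloaded app manifest with the SP's endpoints filled in.
    Assumed manifest keys: logoutUrl (from the thread) and replyUrls (assumed)."""
    updated = dict(manifest)
    updated["logoutUrl"] = sp["logout_url"]
    updated["replyUrls"] = list(sp["acs_urls"])
    return updated


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    manifest = {"appId": "00000000-0000-0000-0000-000000000000",  # placeholder
                "logoutUrl": None, "replyUrls": []}
    print(json.dumps(update_manifest(manifest, sp), indent=2))
```

The signing certificate is extracted only so the admin can see what the SP published; as the answer notes, AAD does not verify signatures on logout requests, so whether the SP signs its requests does not change the IdP-side configuration. Run the script, paste the printed `logoutUrl` and `replyUrls` into the manifest downloaded from the portal, and upload it again.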

All replies

  • Hello Stuart,

    Thanks for posting here!

    Please refer the below mentioned links for configuring relying party trust with Azure AD.

    http://technet.microsoft.com/en-us/library/dd807108.aspx

    http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

    http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/

    Let me know if this helps!

    Best Regards,

    Sadiqh Ahmed


    Thursday, September 25, 2014 4:35 PM
  • Hello Sadiqh,

    Thanks for your reply.

    The links you sent refer to setting up ADFS on a dedicated ADFS server hosted within Azure.  I was hoping that I could do this with the Azure AD service as opposed to setting up and managing servers (domain controllers etc)  myself...

    So, do you know if it is possible to accomplish this with the Azure AD service (see attached) or do I have to create one or more Windows domain servers, create a domain, configure ADFS and expose them to the public internet?

    Thanks

    Stuart

    Thursday, September 25, 2014 7:35 PM
  • Hello Stuart,

    The snapshot referred to in the original post is within the Application configuration pages, which are one level deeper than the one you refer to in the recent post. If you dig down within the App pages, you will see the Federation Metadata URL on the Application configuration page. Also, if you click "View endpoints", you will see the complete list of the endpoints you might need.

    Hope this helps,

    Shravan

    Tuesday, September 30, 2014 11:59 PM
  • Hi Shravan,

    There is no 'Federation Metadata URL' field on the App configuration page...please see attached. Has this accidentally been removed, or is there some configuration step that enables it?

    As a reminder, I am trying to provide my SP's Federation Metadata to ADFS so that ADFS can sign the assertions it sends back. 

    Thanks,

    Stuart


    Thursday, October 2, 2014 9:09 AM
  • Hi Stuart,

    I hope the clarification provided by Y Pereira answers your question.

    I'm marking the above post as the answer. If you have any queries, post on this thread.

    Best Regards,

    Sadiqh Ahmed

    Friday, October 31, 2014 2:27 PM
  • Hello Y Pereira,

    Thanks.  From what I understand from the above, AzureAD cannot use SP metadata and that AAD is different to ADFS.

    A few follow-up questions:

    1. Difference between AzureAD and ADFS?
      I assumed that Azure AD would have functional parity with on-prem AD (ADFS).  With ADFS, the SAML responses can be signed.  So why the 'relaxation' in security with AzureAD?
    2. Configuring claims
      Unlike ADFS, I don't see a way to configure the claims that AzureAD will send back to the relying party.  Is this possible?
    3. Presume the logoutUrl is what AAD will redirect a client to after they logout?

    > In this previous statement: "As a reminder, I am trying to provide my SP's Federation Metadata to ADFS so that ADFS can sign the assertions it sends back." - Did you mean AAD instead of ADFS?

    Yes, some customers will have on-prem AD exposed through ADFS, some may be using AzureAD - I had assumed that they were identical in functionality and that it was just 'ADFS' that happened to be exposed as a first-class Azure service.

    Thanks,
    Stuart

    Monday, November 3, 2014 8:26 AM