Question

I've successfully set up Azure Access Control Service to use Facebook, Google and Live as Identity providers for an on-premise Claims aware Sharepoint web application.

Next, I'd like to try and use the Windows Azure Active Directory Tenant as an Identity Provider as well, and have created a testing AD as [myad].onmicrosoft.com, added a couple of users.

Following the instructions here

http://www.cloudidentity.com/blog/2012/11/07/provisioning-a-directory-tenant-as-an-identity-provider-in-an-acs-namespace/

I set up a WS-Federation Identity provider, included along with the others (Facebook et al).

However, I get an error "ACS50000: There was an error issuing a token." when trying to sign on using the AD account.

Are there any good guides on how to achieve this? Most of what I've found targets application developers working with Azure. I just want to use the AD as Identity provider and link it to my Sharepoint site collection/web app.

Update:

I got it to work by adding an app to the Azure AD, using the ACS URL

https://[mynamespace].accesscontrol.windows.net/v2/wsfederation.

This got me a URL to the WS-Federation metadata XML (which was different from the link I tried to construct based on the referenced article above).

I used this URL to create the WS-Federation identity provider in Azure ACS.

Lastly, I had to use PowerShell and New-MsolServicePrincipal to recreate/modify the app that was previously set up in Azure AD. I am not sure if this is necessary, but it did not seem to work before I did some manual steps.

I deleted the ServicePrincipal configured when adding the Azure AD app, and created a new one with

$replyUrl = New-MsolServicePrincipalAddresses -Address "https://[mynamespace].accesscontrol.windows.net/v2/wsfederation"

New-MsolServicePrincipal -ServicePrincipalNames @("https://[mynamespace].accesscontrol.windows.net/") -DisplayName "MYLOGIN" -Addresses $replyUrl

$replyUrl is the ACS endpoint

For now I am mapping given name claim to nameidentity claim set up in Sharepoint. I guess there might be better ways of configuring this, but it seems to work.
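The fix in the update hinges on the WS-Federation metadata document that Azure AD publishes for the app: ACS reads the issuer, the passive requestor endpoint and the token-signing certificate from it. Below is an added example, not code from the original post, that parses such a metadata document with Python's standard library and reports exactly those three values, plus a check for whether the signing key has changed since the identity provider was configured in ACS. The sample XML is constructed to match the shape of Azure AD's FederationMetadata.xml; the tenant id is a placeholder and the certificate is a stand-in byte string, not a real key.

```python
"""Parse WS-Federation metadata (Azure AD FederationMetadata.xml shape) and
extract what ACS needs to trust the issuer: entityID, passive requestor
endpoint, and signing-certificate thumbprint(s).

Added example for this Q&A, not code from the original post. The metadata
below is constructed; "[tenant-id]" is a placeholder and the certificate is a
stand-in byte string rather than a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation / SAML metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed stand-in for DER-encoded certificate bytes (placeholder, not a cert).
PLACEHOLDER_CERT_DER = b"placeholder-cert-not-a-real-x509-certificate"

# Constructed sample shaped like the metadata Azure AD publishes for an app.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/[tenant-id]/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.microsoftonline.com/[tenant-id]/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def thumbprint(der_bytes):
    """SHA-1 over the DER bytes, uppercase hex: the thumbprint Windows displays."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def parse_wsfed_metadata(xml_text):
    """Return issuer, passive endpoint and signing thumbprints, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("missing entityID (ACS uses it as the issuer)")

    # Only the SecurityTokenServiceType role describes the STS that signs tokens.
    sts = None
    for role in root.findall("md:RoleDescriptor", NS):
        if role.get("{%s}type" % NS["xsi"], "").endswith("SecurityTokenServiceType"):
            sts = role
            break
    if sts is None:
        raise ValueError("no SecurityTokenServiceType role: not STS metadata")

    address = sts.find(
        "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if address is None or not (address.text or "").strip():
        raise ValueError("no passive requestor endpoint")
    endpoint = address.text.strip()

    # Collect every signing certificate; a KeyDescriptor without "use" may sign too.
    thumbprints = []
    for kd in sts.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.append(thumbprint(der))
    if not thumbprints:
        raise ValueError("no token-signing certificate in metadata")

    return {
        "entity_id": entity_id,
        "passive_endpoint": endpoint,
        "signing_cert_thumbprints": thumbprints,
    }


def signing_key_changed(configured_thumbprints, parsed):
    """True if the metadata advertises a signing key ACS does not yet know."""
    known = {t.upper() for t in configured_thumbprints}
    return any(t not in known for t in parsed["signing_cert_thumbprints"])


if __name__ == "__main__":
    meta = parse_wsfed_metadata(SAMPLE_METADATA)
    for key, value in meta.items():
        print("%-26s %s" % (key + ":", value))
```

To use it against a real tenant, fetch the metadata URL that the Azure AD app page gives you and pass the response body to parse_wsfed_metadata; for documents pulled from a source you do not control, parse with defusedxml instead of xml.etree. The signing_key_changed check is worth running on a schedule: the metadata's signing certificate is what ACS pins when the identity provider is created, so when the issuer rolls its key the ACS side has to be refreshed from the metadata again.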


Solution

It might be worth a shot to try adding ACS as an App in Azure AD, configure it for Single Sign-On and then using the WS-Federation end point for the app to add the Identity Provider. The first part of this post has a more detailed walkthrough: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?List=e10cb685-6b5c-4b6c-aaf4-e1d122d57174&ID=120

Licensed under: CC-BY-SA with attribution