Question

I have created an Active Directory on Windows Azure. I have added a user. I have added an Application, just using my corporate site URLs.

I then get a login.windows.net/..../FederationMetadata/2007-06/FederationMetadata.xml

I created an Access Control Namespace and added it as an Identity Provider, WS-Federation identity provider (e.g. Microsoft AD FS 2.0).

When i go to the login page: https://c1azure.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=urn%3as-innovations%3aas2

I can now select my AD as single sign-on. I get directed to the AD sign-in (my user was a Live ID user), so it sends me to login.live.com/login.srf..... and now when I sign in it sends me back to: https://login.windows.net/..../wsfed?f=255&MSPPError=-2147205086

I can't figure out what the error code means or where to go.


Solution

Actually, there is a workaround to provision AAD as an identity provider in ACS: http://www.cloudidentity.com/blog/2013/10/03/provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-click/

Basically, what has to be done is to add the FederationMetadata.xml URL when AAD is created as an Identity Provider in ACS.

Afterwards (in VS 2012) there is a new utility, Identity and Access, that will let you choose the IPs and will create a new rule group in ACS, to which the claim transformation rule(s) we need have to be added (the post says this should be checked in code because the claims change).
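The two steps the answer describes, consuming the tenant's FederationMetadata.xml and then applying ACS-style claim rules to the claims the IdP issues, are shown below as an added example. This is not ACS code and not the blog post's code: it is a stand-alone Python script that mirrors what ACS does when you register a WS-Federation identity provider from metadata (record the issuer entityID, the passive sign-in endpoint and the SHA-1 thumbprints of the signing certificates) and then applies pass-through and transformation rules to incoming claims. The metadata document, the tenant id, the certificate blob and the rule set are all constructed for the example; the certificate is a placeholder, not a real X.509 certificate, and the claim type URIs are the ones AAD commonly issues.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in a WS-Federation metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed placeholder; NOT a real certificate, only used to show thumbprint handling.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant id

# Constructed sample shaped like an AAD tenant's FederationMetadata.xml (trimmed).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.windows.net/{TENANT}/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def sha1_thumbprint(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint format ACS/AD FS display."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text):
    """Extract what an ACS identity-provider entry is built from."""
    root = ET.fromstring(xml_text)
    address = root.find(
        ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    certs = root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {
        "issuer": root.get("entityID"),
        "passive_endpoint": address.text.strip() if address is not None else None,
        "signing_thumbprints": [sha1_thumbprint(c.text) for c in certs],
    }


def validate_metadata(info):
    """Checks worth making before trusting a metadata document; returns problems found."""
    problems = []
    if not info["issuer"]:
        problems.append("missing entityID (token issuer)")
    if not info["passive_endpoint"] or not info["passive_endpoint"].startswith("https://"):
        problems.append("passive requestor endpoint missing or not HTTPS")
    if not info["signing_thumbprints"]:
        problems.append("no signing certificate: tokens could not be verified")
    return problems


# Claim types AAD issues; the rule set itself is a constructed example.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
OID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

EXAMPLE_RULES = [
    # pass-through rule: keep the object identifier as issued
    {"in_type": OID, "in_value": None, "out_type": OID, "out_value": None},
    # transformation rule: expose AAD's name claim as the nameidentifier the RP expects
    {"in_type": NAME, "in_value": None, "out_type": NAMEID, "out_value": None},
]


def apply_rules(rules, trusted_issuer, token_issuer, claims):
    """ACS semantics in miniature: rules only fire for the configured issuer, each input
    claim is matched by type (and value, if the rule pins one), and claims that match
    no rule are dropped. `claims` is a list of (type, value) tuples from the token."""
    if token_issuer != trusted_issuer:
        return []  # token from an issuer this rule group does not trust
    output = []
    for ctype, value in claims:
        for r in rules:
            if r["in_type"] == ctype and r["in_value"] in (None, value):
                output.append((r["out_type"], value if r["out_value"] is None else r["out_value"]))
    return output


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    print(info, validate_metadata(info))
    token_claims = [(NAME, "alice@contoso.onmicrosoft.com"), (OID, "1234"), (TENANT_CLAIM, TENANT)]
    print(apply_rules(EXAMPLE_RULES, info["issuer"], info["issuer"], token_claims))
```

The tenantid claim is dropped in the output because no rule covers it, which is exactly the situation the answer warns about: if the relying party needs a claim that the Identity and Access tool did not generate a rule for, the rule has to be added to the ACS rule group by hand and re-checked whenever the issued claim set changes.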

Licensed under: CC-BY-SA with attribution