How to use Azure AD Tenant as Identity provider for on-premises farm
10-12-2019
Question
I've successfully set up Azure Access Control Service to use Facebook, Google and Live as Identity providers for an on-premise Claims aware Sharepoint web application.
Next, I'd like to try and use the Windows Azure Active Directory Tenant as an Identity Provider as well, and have created a testing AD as [myad].onmicrosoft.com, added a couple of users.
Following the instructions here, I set up a WS-Federation Identity provider, included along with the others (Facebook et al.).
However, I get an error "ACS50000: There was an error issuing a token." when trying to sign on using the AD account.
Are there any good guides on how to achieve this? Most of what I've found targets application developers working with Azure. I just want to use the AD as Identity provider and link it to my Sharepoint site collection/web app.
Update:
I got it to work by adding an app to the Azure AD, using the ACS URL
https://[mynamespace].accesscontrol.windows.net/v2/wsfederation.
This got me a URL to the WS-Federation metadata XML (which was different from the link I tried to construct based on the referenced article above).
I used this URL to create the WS-Federation identity provider in Azure ACS.
Lastly, I had to use PowerShell and New-MsolServicePrincipal to recreate/modify the app that was previously set up in Azure AD. I am not sure if this is necessary, but it did not seem to work before I did some manual steps.
I deleted the ServicePrincipal configured when adding the Azure AD app, and created a new one with:
# Reply address: the ACS WS-Federation endpoint the Azure AD app must post tokens to
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://[mynamespace].accesscontrol.windows.net/v2/wsfederation"
# Service principal for the ACS namespace; the SPN is the realm Azure AD issues tokens for
New-MsolServicePrincipal -ServicePrincipalNames @("https://[mynamespace].accesscontrol.windows.net/") -DisplayName "MYLOGIN" -Addresses $replyUrl
$replyUrl is the ACS endpoint.
For now I am mapping given name claim to nameidentity claim set up in Sharepoint. I guess there might be better ways of configuring this, but it seems to work.
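Before the WS-Federation identity provider is registered in ACS, it helps to confirm what the metadata URL from the Azure AD app actually advertises, since a constructed URL can point at the wrong document. The PowerShell below is an added example, not code from the question or the linked article: it parses a constructed federation-metadata sample (tenant id and certificate bytes are placeholders) and reports the issuer, passive endpoint and signing-certificate thumbprint that ACS will rely on.

```powershell
# Added example, not from the original post or the linked article: parse a
# WS-Federation metadata document (the XML the Azure AD app exposes) and report
# what ACS needs when the identity provider is registered. The sample below is
# constructed; tenant id and certificate bytes are placeholders.
function Get-WsFedMetadataSummary {
    param([Parameter(Mandatory)][xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Not SAML/WS-Fed metadata: no EntityDescriptor root.' }
    # The STS role is the RoleDescriptor that carries a passive (browser) endpoint.
    $sts = $entity.SelectSingleNode('md:RoleDescriptor[fed:PassiveRequestorEndpoint]', $ns)
    if (-not $sts) { throw 'No RoleDescriptor with a PassiveRequestorEndpoint; wrong metadata URL?' }
    $addr = $sts.SelectSingleNode('fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns)
    $cert = $sts.SelectSingleNode('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if (-not $cert) { throw 'No signing certificate; ACS could not validate tokens from this issuer.' }
    # Thumbprint = SHA-1 over the DER bytes, which is the value ACS displays for the IdP.
    $der  = [Convert]::FromBase64String($cert.InnerText.Trim())
    $sha1 = [System.Security.Cryptography.SHA1]::Create().ComputeHash($der)
    [pscustomobject]@{
        Issuer            = $entity.GetAttribute('entityID')
        PassiveEndpoint   = $addr.InnerText
        SigningThumbprint = ($sha1 | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

# Constructed sample in the shape Azure AD publishes; not real tenant data.
$sample = [xml]@'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.windows.net/00000000-0000-0000-0000-000000000000/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
'@
Get-WsFedMetadataSummary -Metadata $sample
# Against the real app: Get-WsFedMetadataSummary -Metadata ([xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content)
```

If the passive endpoint or thumbprint differs from what the ACS identity-provider entry shows, the metadata URL entered in ACS is not the one the Azure AD app published.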
Answer
It might be worth a shot to try adding ACS as an App in Azure AD, configure it for Single Sign-On and then using the WS-Federation end point for the app to add the Identity Provider. The first part of this post has a more detailed walkthrough: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?List=e10cb685-6b5c-4b6c-aaf4-e1d122d57174&ID=120