{"id":2454,"date":"2013-10-03T00:37:12","date_gmt":"2013-10-03T07:37:12","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=2454"},"modified":"2013-10-03T00:56:10","modified_gmt":"2013-10-03T07:56:10","slug":"provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-click","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2013\/10\/03\/provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-click\/","title":{"rendered":"Provisioning a Windows Azure Active Directory Tenant as an Identity Provider in an ACS Namespace&ndash;Now Point &amp; Click!"},"content":{"rendered":"<p>About one year ago I wrote a post about how to provision a <a href=\"https:\/\/www.cloudidentity.com\/blog\/2012\/11\/07\/PROVISIONING-A-DIRECTORY-TENANT-AS-AN-IDENTITY-PROVIDER-IN-AN-ACS-NAMESPACE\/\">Windows Azure AD tenant as an identity provider in an ACS namespace<\/a>.<\/p>\n<p>Lots of things changed in a year! Since then, <a href=\"http:\/\/blogs.technet.com\/b\/ad\/archive\/2013\/06\/22\/azure-active-directory-is-the-future-of-acs.aspx\">we spoke more at length about the relationship between AAD and ACS<\/a>. If you didn\u2019t read <a href=\"http:\/\/blogs.technet.com\/b\/ad\/archive\/2013\/06\/22\/azure-active-directory-is-the-future-of-acs.aspx\">that post<\/a>, please make a quick jaunt there as it\u2019s super important you internalize its message before reading what I\u2019ll write here. Done? Excellent!<\/p>\n<p>In the past year Windows Azure AD made giant steps in terms of usability and feature set, and hit general availability. That means that many of the artisanal steps I described in the old walkthrough are no longer necessary today. In fact, you can do everything I\u2019ve described there just by filling forms in the Windows Azure portal!<\/p>\n<p>The idea behind the scenario remains the same. 
You have a web application which trusts an ACS namespace. You want one or more AD tenants to be available among the identity providers in that namespace. Hence what you need to do is<\/p>\n<ul>\n<li>Provision in the AAD tenant the ACS namespace in the form of a web app (so that it can be a recipient of tokens issued by AAD)<\/li>\n<li>Provision in the ACS namespace the STS associated with the AAD tenant<\/li>\n<\/ul>\n<p>The rest is usual ACS: create RPs, add rules, the usual drill (which can be automated by the Identity and Access tool in VS2012. No equivalent capability in VS2013 exists, see the note at the beginning of the post).<\/p>\n<p>Too abstract? Let\u2019s turn this into instructions.<\/p>\n<h3>Provision in the AAD tenant the ACS namespace in the form of a web app<\/h3>\n<p>Here I\u2019ll assume you already have a Windows Azure subscription, an ACS namespace and a Windows Azure AD tenant. Let\u2019s say that your namespace is <a title=\"https:\/\/justforyoumaarten.accesscontrol.windows.net\" href=\"https:\/\/justforyoumaarten.accesscontrol.windows.net\">https:\/\/justforyoumaarten.accesscontrol.windows.net<\/a>.<\/p>\n<p>Navigate to <a title=\"https:\/\/manage.windowsazure.com\/\" href=\"https:\/\/manage.windowsazure.com\/\">https:\/\/manage.windowsazure.com\/<\/a>, sign in, head to the AD tab, click on your directory, click on the applications header, and hit the \u201cADD\u201d button on the bottom center area of the command bar.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image2.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb2.png\" width=\"585\" height=\"405\"><\/a><\/p>\n<p>Leave the default (web application), 
assign a name you\u2019ll remember and move to the next screen.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image3.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb3.png\" width=\"587\" height=\"401\"><\/a><\/p>\n<p>Here, paste the namespace in both fields. Why? Simple. The URL is where the token will be redirected upon successful auth, and you want that to be the ACS namespace. The URI is the audience for which the token will be scoped to, and any value OTHER than the entityID of the ACS namespace (as you find it in the ACS metadata docs) would be interpreted by ACS as a replayed token from some MITM. Sounds like Klingon? Don\u2019t worry! That\u2019s a level of detail you don\u2019t need to deal with, as long as you follow the above instructions exactly.<\/p>\n<p>Move to the next screen.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image4.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb4.png\" width=\"595\" height=\"423\"><\/a><\/p>\n<p>ACS will make no attempts to call the Graph, hence you can leave the default (SSO) and finalize.<\/p>\n<p>Congratulations! Now your AD tenant knows about your ACS namespace and can issue tokens for it!<\/p>\n<h3>Provision in the ACS namespace the STS associated to the AAD tenant<\/h3>\n<p>Time to do the same in the opposite direction. 
Before you leave the app list, there\u2019s a last thing we need to do here: click on the \u201cview endpoints\u201d command on the bottom of the bar.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image5.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb5.png\" width=\"278\" height=\"108\"><\/a><\/p>\n<p>When you do so, the portal will display the collection of endpoints that you need to know if you want to interact with your AAD tenant at the protocol level:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image6.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb6.png\" width=\"540\" height=\"657\"><\/a><\/p>\n<p>You\u2019ll want to put in the clipboard the fed metadata document, as it will be what we will use for introducing our AAD tenant to the ACS namespace.<\/p>\n<p>Click the big back arrow on the top left corner of the screen, which will bring you back to the top level active directory screen. 
This time, click on the header access control namespaces.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image7.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb7.png\" width=\"306\" height=\"529\"><\/a><\/p>\n<p>Here you\u2019ll find your namespace. Select it, then click on the \u201cmanage\u201d button in the bottom command bar. That will lead you to the ACS portal for managing the namespace.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image8.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb8.png\" width=\"584\" height=\"552\"><\/a><\/p>\n<p>Head to the Identity providers section. Once here, select WS-Federation identity provider and click next:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image9.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb9.png\" width=\"462\" height=\"321\"><\/a><\/p>\n<p>Choose anything you want as display name and login link text. 
Paste the address of the AAD tenant\u2019s federation metadata in the URL text field of the metadata section.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image10.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb10.png\" width=\"589\" height=\"335\"><\/a><\/p>\n<p>and you\u2019re done! Hit Save.<\/p>\n<h3>App work<\/h3>\n<p>All the service-side work for enabling the scenario is done. All that\u2019s left is the work you\u2019d need to do for every RP app you want to create in the ACS namespace. For that, the instructions are pretty much the same as in the <a href=\"https:\/\/www.cloudidentity.com\/blog\/2012\/11\/07\/PROVISIONING-A-DIRECTORY-TENANT-AS-AN-IDENTITY-PROVIDER-IN-AN-ACS-NAMESPACE\/\">old post<\/a>: use the identity and access tool for VS2012, and that will take care of creating the RP entry, creating the associated rules, configuring your app to outsource web sign-on to ACS, and so on. 
I won\u2019t repeat the step <a href=\"https:\/\/www.cloudidentity.com\/blog\/2012\/11\/07\/PROVISIONING-A-DIRECTORY-TENANT-AS-AN-IDENTITY-PROVIDER-IN-AN-ACS-NAMESPACE\/\">by step instructions<\/a> here, but to show my good faith I\u2019ll throw in a couple of screenshots to demonstrate that it works on my machine\u00ae <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-left-style: none; border-bottom-style: none; border-right-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile1.png\"><\/p>\n<p>Here there\u2019s the tool, hooked up to the ACS NS:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image11.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb11.png\" width=\"594\" height=\"541\"><\/a><\/p>\n<p>Here there\u2019s the familiar HRD page:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image12.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb12.png\" width=\"592\" height=\"499\"><\/a><\/p>\n<p>Pick AAD and\u2026<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image13.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; 
padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb13.png\" width=\"594\" height=\"501\"><\/a><\/p>\n<p>\u2026you get in with your organizational account.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image14.png\"><img loading=\"lazy\" decoding=\"async\" title=\"image\" style=\"border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/image_thumb14.png\" width=\"593\" height=\"500\"><\/a><\/p>\n<p>Neat, if I may say so myself!<\/p>\n<h3>Wrap<\/h3>\n<p>I\u2019ve been wanting to write this post for a while, but of course I never found the time\u2026 then, about 30 mins ago somebody on a mail thread asked if there was a point &amp; click solution for this scenario. I sat down, went through the motions while occasionally snapping screenshots and writing my rambling instructions\u2026 I was prepared to go to sleep much later, and instead here there\u2019s the finished post already! I love how Windows Azure AD matured as a technology in such a short time <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" style=\"border-top-style: none; border-left-style: none; border-bottom-style: none; border-right-style: none\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/10\/wlEmoticon-smile1.png\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>About one year ago I wrote a post about how to provision a Windows Azure AD tenant as an identity provider in an ACS namespace. Lots of things changed in a year! Since then, we spoke more at length about the relationship between AAD and ACS. 
If you didn\u2019t read that post, please&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=2454"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2454\/revisions"}],"predecessor-version":[{"id":2455,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2454\/revisions\/2455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/2449"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=2454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=2454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=2454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}