
WAAD AS IdP

July 19, 2013

In my prior two posts I demonstrated how WAAD can be configured as an IdP. This post documents that configuration on paper. It is very simple, but so far I could not find it documented anywhere, so here it is for anyone interested.

In the first scenario we configure WAAD as the IdP for Azure ACS, as shown in this diagram:

[Diagram: WAAD as IdP for Azure ACS]

To configure ACS as a relying party in WAAD you need to do the following:

  1. Add a new application in your WAAD tenant.
  2. Name it whatever you like.
  3. For App URL:, put the URL https://<your-acs-name>.accesscontrol.windows.net/, where <your-acs-name> is the name of the ACS namespace you created in your Azure subscription.
  4. For App ID URI:, put the same URL as in the previous step.
  5. Save the configuration.

Of course, you will also need to add WAAD as an IdP in ACS.

In the second scenario we configure WAAD as the IdP for AD FS, as shown in this diagram:

[Diagram: WAAD as IdP for AD FS]

To configure AD FS as a relying party in WAAD you need to do the following:

  1. Add a new application in your WAAD tenant.
  2. Name it whatever you like.
  3. For App URL:, put the URL https://<your-sts-dns-name>/adfs/ls/, where <your-sts-dns-name> is the DNS name of your AD FS server (for example sts.cloudidentityblog.com).
  4. For App ID URI:, put http://<your-sts-dns-name>/adfs/services/trust, where <your-sts-dns-name> is the DNS name of your AD FS server (for example sts.cloudidentityblog.com). Note the http scheme here: it must match the federation service identifier AD FS expects as the token audience, not the https App URL.
  5. Save the configuration.

Of course, you will also need to add WAAD as an IdP (claims provider) in AD FS.
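The two settings above are easy to mistype, and a wrong App ID URI shows up only as the relying party rejecting the token because its audience does not match. The following added example (not from the original post) derives the App URL and App ID URI for both scenarios from the rules above and checks that the AudienceRestrictionCondition of a SAML 1.1 assertion, as carried in a WS-Federation response, names the configured App ID URI. The sample assertion, its AssertionID and its Issuer value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def waad_app_settings(rp_type, dns_name):
    """Return (App URL, App ID URI) for the relying party type.

    rp_type "acs":  dns_name is the ACS namespace name.
    rp_type "adfs": dns_name is the AD FS service DNS name.
    """
    if rp_type == "acs":
        app_url = f"https://{dns_name}.accesscontrol.windows.net/"
        return app_url, app_url  # App ID URI is the same URL for ACS
    if rp_type == "adfs":
        # App URL is the https sign-in endpoint; App ID URI is the
        # http federation service identifier AD FS uses as audience.
        return (f"https://{dns_name}/adfs/ls/",
                f"http://{dns_name}/adfs/services/trust")
    raise ValueError(f"unknown relying party type: {rp_type}")


def token_audiences(assertion_xml):
    """Collect every <saml:Audience> value from a SAML 1.1 assertion."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter(f"{{{SAML11_NS}}}Audience")
            if a.text]


def audience_matches(assertion_xml, app_id_uri):
    """True only when the assertion is restricted to exactly app_id_uri.

    Comparison is exact: a scheme or trailing-slash mismatch is a failure,
    because the relying party compares the same way.
    """
    return app_id_uri in token_audiences(assertion_xml)


# Constructed sample assertion (values are illustrative placeholders).
SAMPLE_ASSERTION = """<saml:Assertion
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-sample"
  Issuer="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://sts.cloudidentityblog.com/adfs/services/trust</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""
```

Feeding the assertion from a captured WS-Federation response into audience_matches with the App ID URI you configured tells you whether a sign-in failure is an audience mismatch before you start looking at the claims rules.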

There is no mechanism to configure which claims WAAD provides to the RP; it is hard-coded to issue half a dozen claims about the user. If you need information about the user that is not passed via claims, your application will have to query WAAD programmatically through the Graph API to find it.

7 Comments
  1. I want to have WAAD work as IdP for Azure ACS (your first scenario) and my web application is already configured and using Azure ACS. It's already using Google Id, Facebook etc. from Azure ACS. However I cannot get WAAD to work as IdP. Currently, I have ADFS, Google, Facebook set up in ACS for my web application. As soon as I set up WAAD, all other IdPs stop working as well. No login option shows up on my web application. As you mentioned I had added an application in WAAD, gave it ACS URL. However the ‘External Access’ option (under Configure) is set to ‘Off’ right now. If I try to turn it on, and save settings I get the error message that ‘App ID URI must be from a verified domain within your organization’s directory’. Could this problem be related to this? Any help would be appreciated. Thanks

    • hmm, not sure what happens with your setup, but to ACS, WAAD should be just like any other IdP. When you get redirected from your app to ACS, you should get the HRD page with all IdPs that you configured for this app. I assume you added WAAD as IdP in ACS as well and configured the Rule Group to pass claims from WAAD to your app.

  2. In my case the web application doesn’t actually redirect to ACS. We are using JavaScript to do that. Loading a script like this actually shows all IdPs configured against your account. The user can choose the one he wants to sign in against.

    In my case, when I set up WAAD with ACS, this script stops showing any IdP at all. If I remove WAAD from the list of IdPs for my application, the rest of the IdPs start working again. Any idea how to go about it?

  3. Hi Dmitrii, commenting here as I couldn’t find a good place to reach you at. On the ‘Useful Links’ page, the link for ‘Primer on Cloud Computing Security’ is broken – it looks like CIO.gov has taken this doc down, as I can’t find a replacement for it. Just thought I’d let you know. Thanks

Trackbacks & Pingbacks

  1. Multiple AAD with the same ADFS Service | Security and Identity in the Cloud
