Vittorio describes here in great detail how to provision a WAAD tenant as an identity provider in an ACS namespace. Since we are all using the same technology under the bonnet, this should also work with IdentityServer – and it does.
Make sure to read Vittorio’s post first – the differences are as follows:
1. The provisioning script
The reply URL points to the HRD endpoint:
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://server/issue/hrd"
...and the service principal uses the configured IdSrv issuer URI:
New-MsolServicePrincipal -ServicePrincipalNames @("http://identityserver.v2.thinktecture.com/trust/changethis") -DisplayName "IdSrv" -Addresses $replyUrl
2. IdentityServer configuration
On the IdSrv side, you need to add a new identity provider – I got the values for WS-Federation Endpoint and Issuer Thumbprint from the WAAD federation metadata document (see Vittorio’s post), e.g.
https://accounts.accesscontrol.windows.net/tenant_id/v2/wsfederation
and
3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0
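Both values come straight out of the WAAD federation metadata document, and the thumbprint silently goes stale when the tenant rolls its signing key. The following is an added example (not code from this post or from IdentityServer) that pulls the passive WS-Federation endpoint and the signing-certificate thumbprints out of such a document and compares them with what is configured in IdSrv. The embedded metadata sample is constructed, with a placeholder tenant id and placeholder certificate bytes rather than a real certificate; the element layout assumed is the usual EntityDescriptor/RoleDescriptor one for WS-Federation metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_WSA = "http://www.w3.org/2005/08/addressing"

# Constructed sample: these bytes are NOT a real certificate, only placeholder
# DER so that the thumbprint calculation can be demonstrated offline.
SAMPLE_CERT_DER = bytes(range(48)) * 2
SAMPLE_ENDPOINT = "https://accounts.accesscontrol.windows.net/TENANT_ID_PLACEHOLDER/v2/wsfederation"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS_MD}" entityID="https://accounts.accesscontrol.windows.net/TENANT_ID_PLACEHOLDER/">
  <RoleDescriptor xmlns:fed="{NS_FED}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS_DS}"><X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="{NS_WSA}"><Address>{SAMPLE_ENDPOINT}</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def sha1_thumbprint(der: bytes) -> str:
    """Thumbprint in the form IdSrv expects: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    """Return the passive WS-Federation endpoint and all published signing thumbprints."""
    root = ET.fromstring(xml_text)
    endpoint, thumbprints = None, []
    for ep in root.iter(f"{{{NS_FED}}}PassiveRequestorEndpoint"):
        addr = ep.find(f"{{{NS_WSA}}}EndpointReference/{{{NS_WSA}}}Address")
        if addr is not None and addr.text:
            endpoint = addr.text.strip()
    for kd in root.iter(f"{{{NS_MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        for cert in kd.iter(f"{{{NS_DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
            thumbprints.append(sha1_thumbprint(der))
    return {"endpoint": endpoint, "thumbprints": thumbprints}


def check_idp_config(xml_text: str, configured_endpoint: str, configured_thumbprint: str) -> list:
    """List mismatches between the IdSrv identity-provider entry and what WAAD publishes."""
    meta = parse_federation_metadata(xml_text)
    problems = []
    if meta["endpoint"] != configured_endpoint:
        problems.append(f"endpoint differs: metadata says {meta['endpoint']}")
    if configured_thumbprint.upper() not in meta["thumbprints"]:
        problems.append("issuer thumbprint not among published signing certs (key rollover?)")
    return problems
```

Run check_idp_config against the live metadata URL periodically; a non-empty result means the IdSrv provider entry needs updating before sign-ins start failing.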
Have fun ;)
