
DatVu-5197 asked ·

What is Azure AD's STS url?

I heard that Azure AD supports WS-Trust authentication protocol. However, I couldn't find anywhere the information about the STS url. In WS-Trust, clients need a STS in order to get the assertion (SOAP message) before sending it to Service Providers.

In ADFS, the STS endpoints are:

Please advise which STS url should be used in Azure AD. Thanks.

azure-active-directory

DatVu-5197 answered ·

michev answered ·

DatVu-5197 answered ·

As I understand the pattern, "http://adfs.test.com/adfs/services/trust" is replaced by "https://sts.windows.net/{tenant-id}/"?

It doesn't seem to work in my test.

Normally the metadata exchange URL should provide information about all "<wsdl:port>" including Usernamemixed and Kerberosmixed. Please advise.

[attachment: untitled.png]

The article I linked to above gives you the URL to the metadata document...


@michev without the actual WS-Trust endpoint (from Exchange Metadata) to talk with, should I assume Azure AD does not support WS-Trust?

This is a very important feature that needs to be confirmed before our project moves from ADFS to Azure AD. Please advise.

DatVu-5197 answered ·

I think that is the Federation metadata, not Exchange metadata.

I checked the content and it is for SAML authentication, not WS-Trust.

https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}


In ADFS, there are two separate metadata URLs:

  1. Federation metadata (for SAML): https://adfs.test.com/FederationMetadata/2007-06/FederationMetadata.xml

  2. Exchange metadata (for WS-Trust): https://adfs.test.com/adfs/services/trust/mex

Not sure how Azure AD handles the Exchange metadata URLs. I'm confused.





@DatVu-5197, I apologize for the delay in response on this. The WS-Fed endpoint of AAD would be:
https://login.microsoftonline.com/2249770e-f2a1-4ce2-a65a-1c70897dd1de/wsfed

You can find the supported endpoints that AAD listens on under: Azure AD ---> App Registrations ---> Endpoints

I would also like to share that, since Exchange Online is a first-party SaaS application, it is already pre-configured with AAD. In the case of ADFS, only the configuration with Exchange Online comes into the picture.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.







@soumi-MSFT I think that is the WS-Federation endpoint. I tried the WS-Fed URL and it worked fine with the WS-Federation protocol. However, I was looking for WS-Trust, a different authentication protocol.

Also, "Exchange Online" is not what I meant. The exchange I was talking about is WS-Trust exchange metadata (a STS's wsdl).
In ADFS, it is:

https://[adfs.test.com]/adfs/services/trust/mex

I just want to find out the equivalent URL in Azure AD.

The content of the WS-Trust metadata URL should be in WSDL format (for SOAP web services) and starts like this:

 <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
         xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
         xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
         xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
         xmlns:tns="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"


@DatVu-5197, thanks a lot for sharing the information. I misunderstood the question somewhere. Allow me some time; I will try to get that information for you.

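The thread turns on two documents that are easy to mix up: federation metadata (a SAML 2.0 EntityDescriptor that also lists the WS-Federation passive endpoint) and WS-Trust exchange metadata (a WSDL document whose wsdl:port elements carry the STS endpoints such as usernamemixed and kerberosmixed). The script below is an added example written for this page; it is not code from any participant, from ADFS or from Azure AD. It parses both shapes, tells them apart by their root element, lists the endpoints each advertises, and flags any endpoint that is not served over https. The two sample documents, the port names and the hosts in them are constructed to mirror the layouts described in the posts above, and the function names (classify_metadata, ws_trust_endpoints, passive_requestor_endpoints, non_https_endpoints) are this example's own. In practice you would feed it the bodies fetched from the .../federationmetadata.xml and .../trust/mex URLs quoted in the thread.

```python
"""Tell WS-Trust exchange (MEX) metadata apart from federation metadata and list
the endpoints each advertises. Added example for this thread; the two sample
documents below are constructed, not fetched from a live STS."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"
WSA_NS = "http://www.w3.org/2005/08/addressing"

# Constructed sample: the shape of an ADFS-style .../adfs/services/trust/mex reply.
# Port names and the host are illustrative assumptions, not copied from a server.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:tns="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"
    targetNamespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async" binding="tns:UserNameWSTrustBinding_IWSTrust13Async">
      <soap12:address location="https://adfs.test.com/adfs/services/trust/13/usernamemixed"/>
    </wsdl:port>
    <wsdl:port name="KerberosWSTrustBinding_IWSTrust13Async" binding="tns:KerberosWSTrustBinding_IWSTrust13Async">
      <soap12:address location="https://adfs.test.com/adfs/services/trust/13/kerberosmixed"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# Constructed sample: the shape of federationmetadata.xml (SAML 2.0 metadata root
# carrying a WS-Federation passive endpoint). {tenant-id} is a placeholder.
SAMPLE_FEDERATION_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.windows.net/{tenant-id}/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference>
        <wsa:Address>https://login.microsoftonline.com/{tenant-id}/wsfed</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def classify_metadata(xml_text):
    """'ws-trust-mex' for a WSDL document, 'federation-metadata' for a SAML
    EntityDescriptor, else 'unknown'. The root element alone settles it."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{WSDL_NS}}}definitions":
        return "ws-trust-mex"
    if root.tag == f"{{{SAML_MD_NS}}}EntityDescriptor":
        return "federation-metadata"
    return "unknown"


def ws_trust_endpoints(xml_text):
    """Map each wsdl:port name to its SOAP 1.2 (or 1.1) address. Federation
    metadata contains no wsdl:port, so it yields {} rather than an STS address."""
    root = ET.fromstring(xml_text)
    endpoints = {}
    for port in root.iter(f"{{{WSDL_NS}}}port"):
        addr = port.find(f"{{{SOAP12_NS}}}address")
        if addr is None:
            addr = port.find(f"{{{SOAP11_NS}}}address")
        if addr is not None and addr.get("location"):
            endpoints[port.get("name")] = addr.get("location")
    return endpoints


def passive_requestor_endpoints(xml_text):
    """WS-Federation browser (passive) endpoints listed in federation metadata."""
    root = ET.fromstring(xml_text)
    found = []
    for ep in root.iter(f"{{{FED_NS}}}PassiveRequestorEndpoint"):
        for addr in ep.iter(f"{{{WSA_NS}}}Address"):
            if addr.text:
                found.append(addr.text.strip())
    return found


def non_https_endpoints(urls):
    """Flag advertised endpoints not served over TLS. The usernamemixed binding
    carries the password in the SOAP body, so a plain-http STS must be rejected."""
    return [u for u in urls if not u.lower().startswith("https://")]


if __name__ == "__main__":
    for label, doc in (("mex", SAMPLE_MEX), ("fedmeta", SAMPLE_FEDERATION_METADATA)):
        kind = classify_metadata(doc)
        print(label, "->", kind)
        for name, loc in ws_trust_endpoints(doc).items():
            print("  WS-Trust port", name, loc)
        for loc in passive_requestor_endpoints(doc):
            print("  WS-Fed passive endpoint", loc)
        for loc in non_https_endpoints(list(ws_trust_endpoints(doc).values())):
            print("  WARNING: non-https STS endpoint", loc)
```

Run against the constructed samples, the federation metadata classifies as federation-metadata and yields no WS-Trust ports, which is the observation made in the thread: that document describes SAML and WS-Federation, not a SOAP STS. Only a WSDL root (wsdl:definitions) with wsdl:port children gives you addresses a WS-Trust client can send a RequestSecurityToken to.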