Convert existing claims-aware app to support Azure AD

In the past I have blogged about how you can write claims-aware applications that rely upon the custom STS (Security Token Service) provided by Campus Management. When applications rely upon standards-based authentication mechanisms such as WS-Federation, OpenID or OAuth and delegate their authentication requirements, they are not only more secure but often gain other benefits, such as secure SSO (Single Sign-On) across your applications. It is also possible to swap identity providers, as long as they offer the same authentication protocol your application relies upon. In this blog we will look at how to convert such claims-aware applications, currently relying upon ADFS, a custom STS or other identity providers, to support Azure Active Directory (Azure AD).

Before we go any further let us answer two questions.

What is Azure AD and what does it provide?

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

It provides an affordable, easy-to-use solution for giving employees and business partners single sign-on (SSO) access to your application and to thousands of cloud SaaS applications such as Office 365, Dropbox and Concur.

It is important to note that your application can take advantage of Azure AD whether it is deployed on Azure or anywhere else. There are two main steps involved in linking a web application with Azure AD: registering the app and configuring the app. The following sections describe each of these steps.

Register Web App on Azure AD

The first step is setting up the application in Azure and noting down all the relevant information to use within the application. Here are the steps for adding your application.

  1. Log in to and go to Azure Active Directory
  2. Click on Properties under the Manage section
     1. Copy and store the Directory ID listed on this tab. The Directory ID is your Tenant ID
  3. Now click on App registrations and then click on Endpoints on the top bar
  4. Note down the endpoint for WS-Federation Sign-On
  5. Close the Endpoints section and click on New application registration right next to Endpoints
  6. Provide the name, application type and Sign-on URL for your app. Here is a brief explanation and sample
     1. Name: Provide any unique name for your application
     2. Application type: In our case it's Web App
     3. Sign-on URL: This is the URL used to access your application, typically the home page URL
  7. Now click on the newly registered app and then on Properties on the next screen
  8. Note down the App ID URI for your application

The next step is updating the configuration of your application with the values copied above. There are a few options, depending on how your application is set up for federation.

Configuring a Windows Identity Foundation (WIF) based Web App

If you are using the System.IdentityModel based approach, where the federation configuration is derived from the <system.identityModel> and <> sections, then your configuration changes will be in the web.config of the web application. This section also applies to the claims-aware application described in, and available for download from, this blog.

Before we look at the specific configuration, we need one more thing. For this type of application, the thumbprints of the certificates the issuer signs with are typically set up under the <trustedIssuers> section of web.config. We need to find out the thumbprints for Azure AD. Use the following steps to retrieve them:

  1. Download the PowerShell scripts from this repository:
  2. Run the following command from PowerShell, which should give you the thumbprints of the currently active certificates
  3. Note down all the thumbprints

Once the thumbprints are copied over, modify the parameters highlighted in [..] in the web.config below to integrate your WIF based application with Azure AD.

Important: Azure AD uses public key cryptography to sign tokens so that relying applications can verify they are valid. See Important Information About Signing Key Rollover in Azure AD for more information on the logic your application must have to ensure it is always updated with the latest keys.
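As an added check that is not part of the original post or of the PowerShell scripts it points to, the following C# reads the signing-certificate thumbprints out of Azure AD federation metadata and compares them with the thumbprints a web.config trusts, which is exactly the drift the note above warns about. The metadata document and the configured thumbprints are constructed stand-ins; real metadata has the same element structure.

```csharp
// Added example, not code from the original post. Reports which <trustedIssuers> thumbprints
// are stale or missing relative to the signing keys a federation metadata document publishes.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

public static class SigningKeyCheck
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // A certificate thumbprint is the SHA-1 hash of its DER bytes, which is exactly what
    // the base64 <X509Certificate> element carries, so no certificate store is needed.
    public static HashSet<string> MetadataThumbprints(string federationMetadataXml)
    {
        var derBlobs = XDocument.Parse(federationMetadataXml)
            .Descendants(Md + "KeyDescriptor")
            .Where(k => (string)k.Attribute("use") == "signing")
            .Descendants(Ds + "X509Certificate")
            .Select(x => Convert.FromBase64String(x.Value.Trim()));
        using (var sha1 = SHA1.Create())
            return new HashSet<string>(
                derBlobs.Select(der => BitConverter.ToString(sha1.ComputeHash(der)).Replace("-", "")),
                StringComparer.OrdinalIgnoreCase);
    }

    // Stale = trusted in web.config but no longer published; Missing = published but not trusted
    // (tokens signed with a Missing key fail validation after rollover).
    public static (string[] Stale, string[] Missing) Compare(
        IEnumerable<string> configured, HashSet<string> current)
    {
        var trusted = new HashSet<string>(configured, StringComparer.OrdinalIgnoreCase);
        return (trusted.Except(current).ToArray(), current.Except(trusted).ToArray());
    }

    public static void Main()
    {
        // Constructed metadata with fake certificate bytes; real Azure AD metadata has this shape.
        const string metadata = @"<EntityDescriptor xmlns='urn:oasis:names:tc:SAML:2.0:metadata'>
  <RoleDescriptor>
    <KeyDescriptor use='signing'><KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
      <X509Data><X509Certificate>AQIDBA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use='signing'><KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
      <X509Data><X509Certificate>BQYHCA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor></EntityDescriptor>";
        var current = MetadataThumbprints(metadata);
        // Pretend web.config still trusts one current key plus a retired placeholder thumbprint.
        var (stale, missing) = Compare(new[] { current.First(), new string('0', 40) }, current);
        Console.WriteLine($"Stale: {string.Join(", ", stale)}\nMissing: {string.Join(", ", missing)}");
    }
}
```

Run against the metadata your tenant actually publishes, a non-empty Missing list is the signal that the <trustedIssuers> section needs the new thumbprint before the old key is retired.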

Configuring an OWIN middleware based Web App

If your application uses OWIN middleware to configure federation, then you can modify the necessary settings as shown in the code below to link your application with Azure AD. Preferably, all of these settings should come from web.config.
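As an added illustration of such an OWIN configuration (this is not the post's own code, and the appSettings key names ida:TenantId and ida:Wtrealm are assumptions), the following Startup class reads the Tenant ID and App ID URI from web.config and hands the middleware the tenant's federation metadata address rather than a fixed list of thumbprints:

```csharp
// Added example, not code from the original post. Assumes the NuGet packages
// Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.Cookies and two
// appSettings keys in web.config whose names are our own: ida:TenantId and ida:Wtrealm.
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    // Directory ID from the Azure AD Properties blade (this is the Tenant ID).
    static readonly string TenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    // App ID URI of the registered app. Azure AD puts it in the token's audience, and the
    // middleware expects Wtrealm as audience unless TokenValidationParameters.ValidAudience is set.
    static readonly string Wtrealm = ConfigurationManager.AppSettings["ida:Wtrealm"];

    public void Configuration(IAppBuilder app)
    {
        // The cookie that carries the claims once the federated sign-in completes.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = Wtrealm,
            // Reading the tenant's federation metadata instead of pasting thumbprints lets the
            // middleware learn the issuer and pick up new signing keys when Azure AD rolls them over.
            MetadataAddress = "https://login.microsoftonline.com/" + TenantId +
                              "/federationmetadata/2007-06/federationmetadata.xml",
            Notifications = new WsFederationAuthenticationNotifications
            {
                // Signature, issuer or audience failures: log the cause server-side and show a
                // generic error page instead of surfacing the exception text to the browser.
                AuthenticationFailed = ctx =>
                {
                    Trace.TraceError("WS-Federation sign-in failed: {0}", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Error");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```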


The example we saw above uses the WS-Federation protocol for authentication. Azure AD supports many industry-standard protocols such as OAuth 2.0 and OpenID Connect, as well as open source libraries for different platforms. Based upon your authentication scenario and application type, you can choose the best protocol for your application. Ref 1 below from Microsoft goes over the different authentication scenarios and also lists all the claims available from Azure AD.

If you would like to understand Azure AD as a whole and what is possible, take a look at Ref 2 below.

-tushar ~tas
