I have created a Windows Azure Active Directory (WAAD) tenant and added (and verified) my own domain (http://activedirectory.windowsazure.com). Let's say 'domain.com'. I manually added a few users to the tenant; let's say 'user@domain.com'.
Next, I created an Azure Access Control Service (ACS) through the Azure management portal (https://manage.windowsazure.com). I added my WAAD tenant as an IdP in ACS (through the portal) and added the ACS as an RP in WAAD (through PowerShell; New-MsolServicePrincipal).
Finally, I added a (dummy) RP in ACS (again, through the portal).
When I try to log on to my ACS sign-on page (https://tenant.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%2f), the authentication actually takes place against WAAD. So that works. But before ACS redirects me to the application, I get this error (thrown by ACS):
HTTP Error Code: 400
Message: ACS50000: There was an error issuing a token.
Inner Message: ACS20016: The domain of the logged in user (domain.com) does not match any allowed domain of this STS.
Trace ID: 8fa8e2c1-85f5-40c6-92d7-7fe0da85de02
Timestamp: 2013-02-26 14:05:16Z
The same error occurs for users that sign in with the tenant.onmicrosoft.com 'UPN'. (Only then the domain in the error is, obviously, tenant.onmicrosoft.com.)
I am trying to sign in through an InPrivate browsing session and, even though it is not required, I cleared all the cookies from the machine. (Just to make sure no 'old' cookies are causing interference with the sign-in process.)
I cannot find any information on what's wrong here. Any ideas?
Although the error appears to give a clue (the domain is not an 'allowed domain' in ACS), there is no notion of 'allowed domains' that I can configure in the ACS portal.
Thanks,
Tino
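For readers following the same setup, the step "added the ACS as an RP in WAAD through PowerShell" looks like the following. This is an added example and not the poster's script; it uses the MSOnline module cmdlets (New-MsolServicePrincipalAddresses, New-MsolServicePrincipal, Get-MsolServicePrincipal) and the namespace name "tenant" and the display name are placeholders. The post does not say what resolves ACS20016; the example only registers the ACS namespace and reads the registration back so that the stored identifier and reply address can be compared against the namespace URL that ACS actually uses.

```powershell
# Added example (not the poster's own script): register an ACS namespace as a
# service principal (relying party) in a Windows Azure AD tenant using the
# MSOnline module, then read the registration back for inspection.
# "tenant" and the display name are placeholders.

Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

$acsNamespace = "tenant"                                   # placeholder: your ACS namespace
$acsUrl       = "https://$acsNamespace.accesscontrol.windows.net/"

# Reply address the tenant will post tokens to; this is the ACS namespace endpoint.
$replyAddress = New-MsolServicePrincipalAddresses -Address $acsUrl

# The service principal name is the realm identifier ACS presents to the tenant.
New-MsolServicePrincipal -ServicePrincipalNames @($acsUrl) `
                         -DisplayName "ACS namespace $acsNamespace" `
                         -Addresses $replyAddress

# Read the registration back so the stored SPNs and reply addresses can be
# compared with the namespace URL (scheme, host and trailing slash included).
$sp = Get-MsolServicePrincipal -ServicePrincipalName $acsUrl
if ($null -eq $sp) { throw "No service principal registered for $acsUrl" }
"Registered SPNs:      " + ($sp.ServicePrincipalNames -join ", ")
"Registered addresses: " + (($sp.Addresses | ForEach-Object { $_.Address }) -join ", ")
```

Run it in a PowerShell session with the MSOnline module installed, as a tenant administrator. If the printed SPN or reply address differs from the namespace URL in the ACS sign-on page (for example a missing trailing slash or a different host), the two sides are not describing the same relying party and the registration should be corrected before looking elsewhere.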