Channel: Azure Active Directory forum

Update to Windows Azure Active Directory Preview (Breaking Changes)


Thank you for using the Windows Azure Active Directory Preview!

When we launched the Developer Preview, we noted that the Audience field in tokens sent by Azure AD was in SPN format and included both the identifier of the application and the identifier of the tenant, while most other federation systems allow applications to be identified by a URL only. We have made an improvement to the Preview to enable the use of URLs as application identifiers. Because of this change, existing applications that are registered with Azure AD will no longer accept sign-in responses and must be updated to continue to function properly.

The SSO code samples have been updated to reflect the changes, and can be used to determine how you should update your applications. Please refer to the Change Summary here to see an example of the changes you will need to make in your code.

This change will occur on 10/23/2012.

Breaking Change: Code change required for verification of the Audience URI

For currently registered applications, Azure AD now sends spn:AppID instead of spn:appid@tenantid in the Audience field of the token. Windows Azure Active Directory no longer returns the @tenantID portion of the identifier in the audience value. The tenant ID can be inferred from the Issuer field of the token. Existing applications must be updated to expect spn:AppID instead of spn:appid@tenantid in the Audience field, and must be modified to obtain the tenant ID from the Issuer field.

You can see an example of this in the code sample here:

https://github.com/WindowsAzure/azure-sdk-for-dotnet-samples/blob/master/WAAD.WebSSO.ASPNET/csharp/code/libraries/tokenHandler/Microsoft.Samples.Waad.Federation/ConfigurationBasedSaml2SecurityTokenHandler.cs

New applications can now be registered using a URL as the application identifier, and the URL will be returned in the audience field. For example, if the application identifier is registered as https://www.example.com, the audience field of the token will contain https://www.example.com.

Upcoming Breaking Change: Change to the URL Format in the request to AAD

In addition, in a future update to the Preview there will be a change in the URL which must be sent to AAD for SSO. This change also impacts the Metadata URL used to discover information about a tenant. In the upcoming release, the tenant ID or a verified domain name of the tenant must be included in the URL of the request to AAD, instead of in a query parameter. You should update your code to make this change, as we will be removing the old URL request format in the future.

For the AAD URL, the format should be the following:

Before:

https://accounts.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=<appID>@<tenantID>&wreply=https://<your application>

After:

https://accounts.accesscontrol.windows.net/<domain name or tenant ID>/v2/wsfederation?wa=wsignin1.0&wtrealm=appID&wreply=<Your Application>

and for the Federation Metadata endpoint:

Before:

https://accounts.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml?realm=<domain name or tenant ID>

After:

https://accounts.accesscontrol.windows.net/<domain name or tenant ID>/v2/FederationMetadata/2007-06/FederationMetadata.xml
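The two changes above (audience validation with the tenant taken from the Issuer field, and the new tenant-in-path URL formats) as an added Python example; this is not the Microsoft sample code linked above. It assumes the Issuer field has the form https://sts.windows.net/<tenant ID>/ (an assumption, not stated in this announcement), and the function names and sample tenant values are constructed for illustration.

```python
from urllib.parse import urlencode

# Assumption (not stated on the page): the Issuer field looks like
# https://sts.windows.net/<tenant id>/ so the tenant ID can be read from it.
ISSUER_PREFIX = "https://sts.windows.net/"
AAD_BASE = "https://accounts.accesscontrol.windows.net"


def tenant_from_issuer(issuer: str) -> str:
    """Extract the tenant ID from the token's Issuer field."""
    if not issuer.startswith(ISSUER_PREFIX):
        raise ValueError(f"unexpected issuer: {issuer!r}")
    tenant = issuer[len(ISSUER_PREFIX):].strip("/")
    if not tenant or "/" in tenant:
        raise ValueError(f"issuer carries no usable tenant id: {issuer!r}")
    return tenant


def validate_audience(audience: str, issuer: str, expected_app_id: str,
                      allowed_tenants: set) -> str:
    """Check Audience (spn:<appid> or a URL identifier) by exact match and take
    the tenant from Issuer, since it is no longer in Audience. Returns tenant."""
    tenant = tenant_from_issuer(issuer)
    if tenant not in allowed_tenants:
        raise ValueError(f"token issued by unexpected tenant {tenant}")
    app_id = audience[len("spn:"):] if audience.startswith("spn:") else audience
    if audience.startswith("spn:") and "@" in app_id:
        # The old spn:appid@tenantid form is no longer sent by Azure AD.
        raise ValueError("legacy audience format spn:appid@tenantid")
    if app_id != expected_app_id:  # exact match, never a prefix/substring test
        raise ValueError(f"audience {audience!r} is not this application")
    return tenant


def audience_ok(audience, issuer, expected_app_id, allowed_tenants) -> bool:
    """Boolean wrapper around validate_audience."""
    try:
        validate_audience(audience, issuer, expected_app_id, allowed_tenants)
        return True
    except ValueError:
        return False


def signin_url(tenant_or_domain: str, app_id: str, reply_url: str) -> str:
    """Build the new-format WS-Federation sign-in URL (tenant in the path)."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": app_id, "wreply": reply_url})
    return f"{AAD_BASE}/{tenant_or_domain}/v2/wsfederation?{query}"


def metadata_url(tenant_or_domain: str) -> str:
    """Build the new-format Federation Metadata URL (tenant in the path)."""
    return f"{AAD_BASE}/{tenant_or_domain}/v2/FederationMetadata/2007-06/FederationMetadata.xml"
```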
