Getting the required information for a SP from Azure AD metadata

Rory Braybrook
The new control plane
2 min read, Feb 18, 2020

I see this all the time.

A customer wants to integrate a 3rd party SaaS application with Azure AD. This typically uses SAML but it could also be for WS-Federation.

You create an “Enterprise Application” in Azure AD with the required SaaS details and then the 3rd party application asks:

“We will need your Entity ID, Certificate and ACS for your SAML Application”.

To get the metadata URL in Azure AD: open the Enterprise Application, go to Single sign-on and copy the “App Federation Metadata Url” from the SAML Signing Certificate section. The tenant-wide equivalent is https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml; the per-application URL is the same with an appid query parameter, which scopes the metadata to that application's signing certificate.

So you send them the Azure AD application metadata and they say please send us the certificate etc. and you say it’s all in the metadata and they say …

So given you have the metadata, how do you extract the information manually?

Note this is specific to Azure AD, but the same approach applies to AD FS and pretty much every other IDP that publishes SAML metadata.

At the top of the metadata file:

<EntityDescriptor ID="_2d8d...a006" entityID="https://sts.windows.net/00d562...816c79/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

you will see the entityID.

At the bottom of the file:

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIC8DCCAdigAwIBAgIQHDGS8svciYpDHpgO/KU04jANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xODA5MjAyMTAzNThaFw0yMTA5MjAyMTAzNTdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy0bnY3CCX1SWjGiKvUQLhotjPBjGUCh5oLLxpDqIufAoYj28n6kGGhpbbo4hI+DecNT4tZJ9kLSOkE6oYjd+9wxT+3cYWIeIluMQgk29xn+jWhbJ7NTJwXoEb5eqbDVDB52b6rWFcVWPNa7uXwrdK0jH1lY1agAsVA/K6bBcXEUKYo3yFCN7MiyDn6mHvFQcxgbaXmnbdZ+c7HZOVQH7VkeXs1VkC5gmahW/IwbOWXzxCgmYkc9x6LtazkmVSJOLqVjC58d6ZLs7W1cHykrAEHAM8A9XE/9POTwyDfkAgmoUsahsfFaZ0+NaxqpXMHkTeKr3a6fJoi00qeM8HCXkdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDGzhfPl4qmg/gK1P9hr+HuMQyCkP5Q0rLFqVmUGEKDCNrmuTaURiaa33Sm9MVs9kvbiLCZ2E1elRxYgxLortPAnqfaga8kQsb+RRK1AxYSi3YeDDgp/ehxck7c4V200vOwNrmqzvIfWEhvTJ+SuXbIot4tKAwulgYQbeppZMU3oGqPj0PveED96OH9sFKvBPNzwgfvECewmR0hTEy9UcDI9ZaRVMo2t5/VocDLEjFChniFJv3RDVXtf5/qxCG3uVJxQ3/hdNzfvAxjuyAEJPJXZ4WCSKk31JUooTxsg/+WDVW6/eq9t6RVxW4uCUc2hTTwdzRG2C/DrsHe4oyQGndf</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00d5...6c79/saml2" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00d5...6c79/saml2" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/00d5...6c79/saml2" />
</IDPSSODescriptor>

Note that Azure AD metadata only has an “IDPSSODescriptor” because Azure AD only acts as an IDP. An IDP that can also operate in R-STS mode (consuming assertions from an upstream IDP, as AD FS can) will also have an “SPSSODescriptor”; in that case it is the IDPSSODescriptor you want.

There are also “SingleSignOnService” entries. This is the IDP's single sign-on URL: the endpoint the SP sends its AuthnRequest to. There is one entry per supported SAML binding (HTTP-Redirect and HTTP-POST here) and Azure AD uses the same Location for both. Strictly speaking, the ACS (Assertion Consumer Service) is the SP's endpoint, the one that receives the assertion, and it lives in an SPSSODescriptor, not here. When a SaaS vendor asks for the IDP's “ACS”, this SingleSignOnService URL is what they mean; the Azure AD portal labels the same value “Login URL”.

So to sum up, in this case:

entityID = https://sts.windows.net/00d562...816c79/

SSO URL (what the vendor called the “ACS”) = https://login.microsoftonline.com/00d5...6c79/saml2

For the certificate, we need the information under:

<KeyDescriptor use="signing">

Note that the “use” needs to be “signing” and not “encryption”. The use attribute is optional in SAML metadata: a KeyDescriptor with no use at all is valid for both purposes, so take those too. Azure AD publishes only a signing key here, but during certificate rollover an IDP may list two signing KeyDescriptors, and the SP has to trust both until the old one is retired.

Copy the base64 text inside the “X509Certificate” element (the long block shown above), i.e. everything between the tags but not the tags themselves.

Save this in a file called “something.cer”.

Double-click the cer file and Windows will open it in the certificate viewer, where you can confirm the subject and the validity dates. Windows accepts the bare base64; tools such as OpenSSL expect PEM armour, i.e. the same text between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines.

The cer file is the certificate file the 3rd party requires. It is the public certificate only (metadata never contains a private key), so it is safe to send.
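The whole extraction, done programmatically: the Python script below is an added example and is not the post's own code or a Microsoft tool. Using only the standard library it parses IdP metadata, pulls the entityID, the SingleSignOnService URL per binding and every signing KeyDescriptor (including ones with no use attribute), decodes each certificate far enough to read its subject, serial and validity period, PEM-armours it for the vendor and flags it if it has expired. The sample metadata is constructed with a placeholder tenant ID (TENANT-ID); the embedded certificate is the one reproduced in the post above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape Azure AD publishes (placeholder tenant ID); the cert is the one from the post.
SAMPLE_CERT_B64 = (
    "MIIC8DCCAdigAwIBAgIQHDGS8svciYpDHpgO/KU04jANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAe"
    "Fw0xODA5MjAyMTAzNThaFw0yMTA5MjAyMTAzNTdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRl"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy0bnY3CCX1SWjGiKvUQLhotjPBjGUCh5oLLxpDqIufAoYj28n6kGGhpbbo4hI+De"
    "cNT4tZJ9kLSOkE6oYjd+9wxT+3cYWIeIluMQgk29xn+jWhbJ7NTJwXoEb5eqbDVDB52b6rWFcVWPNa7uXwrdK0jH1lY1agAsVA/K6bBcXEUKYo3yFCN7MiyDn6mHvFQc"
    "xgbaXmnbdZ+c7HZOVQH7VkeXs1VkC5gmahW/IwbOWXzxCgmYkc9x6LtazkmVSJOLqVjC58d6ZLs7W1cHykrAEHAM8A9XE/9POTwyDfkAgmoUsahsfFaZ0+NaxqpXMHkT"
    "eKr3a6fJoi00qeM8HCXkdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDGzhfPl4qmg/gK1P9hr+HuMQyCkP5Q0rLFqVmUGEKDCNrmuTaURiaa33Sm9MVs"
    "9kvbiLCZ2E1elRxYgxLortPAnqfaga8kQsb+RRK1AxYSi3YeDDgp/ehxck7c4V200vOwNrmqzvIfWEhvTJ+SuXbIot4tKAwulgYQbeppZMU3oGqPj0PveED96OH9sFKv"
    "BPNzwgfvECewmR0hTEy9UcDI9ZaRVMo2t5/VocDLEjFChniFJv3RDVXtf5/qxCG3uVJxQ3/hdNzfvAxjuyAEJPJXZ4WCSKk31JUooTxsg/+WDVW6/eq9t6RVxW4uCUc2"
    "hTTwdzRG2C/DrsHe4oyQGndf"
)
SAMPLE_METADATA = f"""<EntityDescriptor ID="_example" entityID="https://sts.windows.net/TENANT-ID/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        items.append((tag, val))
    return items

def asn1_time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def common_name(name):
    """Walk a Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) and return its CN, if any."""
    for _, rdn in der_children(name):
        for _, attr in der_children(rdn):
            (_, oid), (_, text) = der_children(attr)
            if oid == b"\x55\x04\x03":  # id-at-commonName, OID 2.5.4.3
                return text.decode("utf-8")

def describe_cert(der):
    """Subject, issuer, serial, validity and fingerprints of a DER X.509 cert (stdlib only)."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # explicit [0] version tag, absent in v1 certs
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [asn1_time(t, v) for t, v in der_children(validity[1])]
    return {"subject_cn": common_name(subject[1]), "issuer_cn": common_name(issuer[1]),
            "serial": serial[1].hex(), "not_before": not_before, "not_after": not_after,
            "sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}

def to_pem(der):
    """PEM-armour a DER cert with 64-char lines, the form OpenSSL and most SPs expect."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def summarise(metadata_xml, now_iso=None):
    """entityID, SSO URL per binding and decoded signing cert(s), expiry-checked against now_iso (ISO 8601 with offset)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)  # IdP metadata comes over TLS; use defusedxml for untrusted XML
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing *and* encryption
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            der = base64.b64decode("".join(b64.split()))  # tolerate wrapped base64
            info = describe_cert(der)
            info.update(expired=now >= info["not_after"], pem=to_pem(der))
            certs.append(info)
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}

if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_METADATA), indent=2, default=str))
```

Run against a real download (replace SAMPLE_METADATA with the file contents) and the output is exactly the set of values the vendor asked for, plus the SHA-1 thumbprint the Azure AD portal displays and an explicit expired flag; the post's certificate was valid in February 2020 and is reported as expired today. The hand-rolled DER walker reads only the handful of fields needed here; for anything beyond that (extensions, signature verification) use the `cryptography` package rather than extending it.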

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5