Upcoming breaking changes in Windows Azure Active Directory preview

A moment ago Vittorio Bertocci wrote a post on some upcoming changes to the Developer Preview of WAAD. The changes are of the breaking sort, so if you’re actively using WAAD, this is something you’ll want to react to.

The WAAD MSDN forums have a more detailed announcement about the changes, but at a glance, here are the two key things I picked up on.

The service endpoint names are changing

Your (most likely automatically generated) Web.config settings say something like this now:

      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://accounts.accesscontrol.windows.net/tenant-id/v2/wsfederation"
                    ....
                    requireHttps="false" />

After the change, that has to become:

      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://login.windows.net/tenant-id/wsfed"
                    ....
                    requireHttps="false" />

The metadata and JWT endpoints are changing too, which may or may not affect you — but if you’re using any of them, you’ll probably know what to do anyway. :-) 

The User Principal Name claim will no longer be included

A while back, the claim type used to name the user principal was changed from EmailAddress to UPN. Now it is changing again: from here on, the naming claim type will be … name! That means the nameClaimType setting in your Web.config needs to change from

<nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />

to

<nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />

That’s pretty much it. And of course, if you can’t get the settings right by editing them by hand, you can always run the Visual Studio wizard again.
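Both edits above are mechanical, so here is a script that applies and checks them. This is an added example, not code from the original post or from Microsoft: it rewrites the issuer and the nameClaimType in a WIF Web.config, leaves any value it does not recognise untouched (and says so), and flags requireHttps="false", which both wizard-generated snippets above carry. In WIF that attribute decides whether the sign-in redirect to the STS must use HTTPS, so false is fine on a dev box and should not ship to production. The sample Web.config is constructed for the example; the nesting of the elements and the all-zeros tenant id are assumptions, and since the script looks the two elements up by tag name the nesting does not matter. Standard library only.

```python
"""Rewrite the two WAAD preview settings in a WIF Web.config and sanity-check them."""
import re
import xml.etree.ElementTree as ET

# Old and new issuer forms, as given in the post. The tenant segment is kept verbatim.
OLD_ISSUER_RE = re.compile(
    r"^https://accounts\.accesscontrol\.windows\.net/(?P<tenant>[^/]+)/v2/wsfederation/?$"
)
NEW_ISSUER_FMT = "https://login.windows.net/{tenant}/wsfed"
NEW_ISSUER_RE = re.compile(r"^https://login\.windows\.net/[^/]+/wsfed/?$")

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample Web.config fragment (not from the post). The element nesting
# and the all-zeros tenant id are assumptions for the example; only <wsFederation>
# and <nameClaimType> matter, and they are located by tag name wherever they sit.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <securityTokenHandlerConfiguration>
          <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
        </securityTokenHandlerConfiguration>
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://accounts.accesscontrol.windows.net/00000000-0000-0000-0000-000000000000/v2/wsfederation"
                    realm="https://localhost:44300/"
                    requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"""


def migrate_web_config(xml_text):
    """Return (new_xml, changes, warnings).

    changes  - list of (setting, old_value, new_value) tuples actually rewritten
    warnings - things a human should look at; nothing unrecognised is modified
    """
    root = ET.fromstring(xml_text)
    changes, warnings = [], []

    for ws in root.iter("wsFederation"):
        issuer = ws.get("issuer", "")
        m = OLD_ISSUER_RE.match(issuer)
        if m:
            new_issuer = NEW_ISSUER_FMT.format(tenant=m.group("tenant"))
            ws.set("issuer", new_issuer)
            changes.append(("issuer", issuer, new_issuer))
        elif not NEW_ISSUER_RE.match(issuer):
            warnings.append("wsFederation issuer not recognised, left as-is: %r" % issuer)

        # WIF's requireHttps defaults to true. The wizard output in the post has it
        # set to false, which allows the sign-in redirect to a non-HTTPS STS.
        if ws.get("requireHttps", "true").lower() == "false":
            warnings.append('wsFederation requireHttps="false": do not ship this to production')

    for nct in root.iter("nameClaimType"):
        value = nct.get("value", "")
        if value == UPN_CLAIM:
            nct.set("value", NAME_CLAIM)
            changes.append(("nameClaimType", value, NAME_CLAIM))
        elif value != NAME_CLAIM:
            warnings.append("nameClaimType not recognised, left as-is: %r" % value)

    return ET.tostring(root, encoding="unicode"), changes, warnings


if __name__ == "__main__":
    new_xml, changes, warnings = migrate_web_config(SAMPLE_WEB_CONFIG)
    for setting, old, new in changes:
        print("changed %s:\n  %s\n  -> %s" % (setting, old, new))
    for w in warnings:
        print("WARNING:", w)
    print(new_xml)
```

Running it a second time over its own output produces no changes, so it is safe to run against a config that has already been migrated by hand; anything it cannot classify (a custom issuer, a nameClaimType you deliberately set to something else) is reported rather than silently rewritten.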

Hope this helps someone. :-)

6 comments

  • Lauri, hope you’re well. You’ll remember last year that you helped me troubleshoot (and then you blogged about) the fact that Office 365 AD is actually different from Azure AD in some respects. Well, I think I have found another one. Gory details are here http://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/thread/1fecbd63-b522-4b59-bc79-88569a565982 – in summary, the TenantId claim appears to be defined as “microsoft.org” rather than “microsoft.com”. I can work round that one easily enough, although it is a bit odd.

    PUID has gone as expected and UPN has become Name, again as expected. The showstopper is that the new ObjectId claim just isn’t there! I’ve looked in the metadata and it’s not in there either.

    Have you stumbled across that one yet?

    Thanks, Nick.

  • Lauri Kotilainen

    Glad to hear from you again, Nick. Too bad the circumstances are like this. :-)

    I haven’t actively worked on anything WAAD-related in a while, so I haven’t really had to deal with the impact of the changes. Thinking back, I’m afraid I can’t recall anything that could conceivably affect the claims WAAD will send you.

    I’ll keep an eye out in case I come across something, but in the meantime I pinged Vittorio Bertocci on Twitter with the link to your posting in the vague hope that he might notice and react…

    -Lauri

  • Lauri Kotilainen

    Well, Vittorio replied: “it will eventually show up… we’ve got to wait a tad longer for it. Sorry!” (see https://twitter.com/vibronet/status/316799327534211072 )

    When I asked if there was a place for Office 365-specific WAAD announcements, the response was the WAAD forum.

    I find it somewhat strange that they would implement this change only partially and not announce when it would be completed, but there you go.

  • Hi Lauri,

    Thanks for tracking that down (and I’m now following Vittorio on Twitter). I’ve just updated my original posting to document this morning’s change. My application broke again because the TenantId has suddenly changed from microsoft.org to the originally expected microsoft.com. So it does seem as if things are being changed gradually – hopefully ObjectId will appear sometime soon!

    Thanks again for the help. Nick.

  • Hi Lauri,
    I’m trying to get the User Principal Name for my Active Directory (with Office 365), but I’m always ending up with a null value. Do we need to use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for the User Principal Name?
    And thank you so much for all your previous posts; they were really helpful.

    Nikhil

  • Nikhil,

    Sorry for my late response, I haven’t really been paying attention to this blog for a while. It looks to me like currently, the user’s identity is in the name claim instead of upn, so you should probably use that. :)
