What is Azure AD's STS url?

Question

What is Azure AD's STS url?

Dat Vu 116

I heard that Azure AD supports WS-Trust authentication protocol. However, I couldn't find anywhere the information about the STS url. In WS-Trust, clients need a STS in order to get the assertion (SOAP message) before sending it to Service Providers.

In ADFS, the STS endpoints are:

https://adfs.test.com/adfs/services/trust/13/usernamemixed (for username/password flow)
https://adfs.test.com/adfs/services/trust/13/kerberosmixed (for Kerberos flow)

Please advise which STS url should be used in Azure AD. Thanks.

Accepted answer

3 additional answers

Your answer

Answer 1

Dat Vu 116

I found the mex URL after looking at msal4j project:

https://autologon.microsoftazuread-sso.com/datvuze.onmicrosoft.com/winauth/trust/mex

Sasidhran 1 Reputation point

2021-11-23T07:16:34.4+00:00

how did you configure this?

Answer 2

Vasil Michev 119.5K MVP Volunteer Moderator

It's https://sts.windows.net/{tenantid}/, or https://login.windows.net/{tenantid}/{protocolname} for token issuance. Here's a sample article with more details: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure#map-identity-provider-idp-settings

Answer 3

Dat Vu 116

As I understand the pattern: "http://adfs.test.com/adfs/services/trust" is replaced by "https://sts.windows.net/{tenant-id}/" ?

It seems doesn't work for my test.

Metadata exchange URL: "https://sts.windows.net/{tenant-id}/mex" => HTTP ERROR 404. It works fine with "https://adfs.test.com/adfs/services/trust/mex"
Username URL: "https://sts.windows.net/{tenant-id}/13/usernamemixed"
Kerberos URL: "https://sts.windows.net/{tenant-id}/13/kerberosmixed"

Normally the metadata exchange URL should provide information about all "<wsdl:port>" including Usernamemixed and Kerberosmixed. Please advise.

Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2020-04-30T16:03:43.897+00:00

The article I linked to above gives you the URL to the metadata document...
Dat Vu 116 Reputation points

2020-05-01T16:44:36.34+00:00

@Vasil Michev without the actual WS-Trust endpoint (from Exchange Metadata) to talk with, should I assume Azure AD does not support WS-Trust?

This is a very important feature that needs to be confirmed before our project move from ADFS to Azure AD. Please advise.

Answer 4

Dat Vu 116

I think that is the Federation metadata, not Exchange metadata.

I checked to content and it is for SAML authentication, not WS-Trust.

https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}

In ADFS, there are two separate metadata URLs:

Federation metadata (for SAML): https://adfs.test.com/FederationMetadata/2007-06/FederationMetadata.xml
Exchange metadata (for WS-Trust): https://adfs.test.com/adfs/services/trust/mex

Not sure how Azure AD handles the Exchange metadata URLs. I'm confused.

soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator

2020-05-06T08:13:24.72+00:00

@Dat Vu , I apologize for the delay in response on this. The WS-Fed endpoint of AAD would be:
https://login.microsoftonline.com/2249770e-f2a1-4ce2-a65a-1c70897dd1de/wsfed

You can find the supported endpoints that AAD listens on under: Azure AD ---> App Registrations ---> Endpoints

Also would like to share that since Exchange Online is a First Party SaaS application its already pre-configured with AAD. In case of ADFS only the configuration with Exchange Online comes into picture.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Dat Vu 116 Reputation points

2020-05-06T16:29:19.09+00:00
@soumi-MSFT I think that is the WS-Federation endpoint. I tried the WS-Fed url and it worked fine with WS-Federation protocol. However, I was looking for the WS-Trust , a different authentication protocol.

Also, "Exchange Online" is not what I meant. The exchange I was talking about is WS-Trust exchange metadata (a STS's wsdl).
In ADFS, it is:

https://[adfs.test.com]/adfs/services/trust/mex

I just want to find out the equivalent URL in Azure AD.

The content of WS-Trust metadata URL should be in wsdl format (for SOAP web services) and starts like this:

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"
soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator

2020-05-06T16:43:23.107+00:00

@Dat Vu , Thanks a lot for sharing the information. I somewhere misunderstood the question. Allow me sometime, I will try to get that information for you.
Jordan Lee 6 Reputation points

2021-02-16T15:40:24.497+00:00

I also want to know the answer to this to support. No more information has been shared yet?
Dat Vu 116 Reputation points

2021-02-16T17:08:30.723+00:00

Please see my accepted comment above.

Share via

What is Azure AD's STS url?

3 additional answers

Your answer