
How to map identity provider claim value to/from identity provider registered in Azure ACS?

Azure allows us to retrieve a list of registered identity providers by getting:

https://YourNamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?
    protocol=wsfederation&
    realm=YourAppRealm&
    reply_to=YourAppReturnURL&
    version=1.0

When a user signs in, we get an identity provider claim that identifies which provider was used for authentication.

The problem is that the IdentityProvider.js resource does not tell us which identity provider claim value will be used.

For example:

  • Windows Live ID uses the claim value uri:WindowsLiveID
  • Google uses the claim value Google
  • An ADFS identity provider may use a claim value like http://adfs.mycompany.com/adfs/services/trust

I need to be able to map to/from identity provider claim values and the identity providers listed by IdentityProviders.js.

The reason for this is that I need to allow permissions to be assigned to users identified by a particular identity provider. To make it easy for the user I want to give them a list of identity providers to choose from (i.e. by presenting data fetched from IdentityProviders.js). However, the actual assignment must be made using the identity provider claim value, since that's what identifies the provider.

Is this possible? Are there any workarounds?

Any help would be appreciated!

IdentityProviders.js isn't meant for this purpose, which is why you're having this issue. The simplest solution is to hard-code these values in your app. If you don't want to do that, you can get these values via the OData Management Service. For each Identity Provider you find via the management service, the IdentityProvider claim value will be idp.Issuer.Name, while the value listed in IdentityProviders.js will be idp.LoginLinkName (or idp.DisplayName if LoginLinkName isn't specified).
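The mapping rule from this answer, written out as an added example that is not from the original thread or the ACS SDK: ManagedIdp is a hypothetical record standing in for the management-service entity (Issuer.Name, LoginLinkName, DisplayName), the sample providers are constructed from the claim values quoted in the question, and lookups use exact ordinal keys so an unrelated issuer can never match by substring.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
// Stand-in for an identity provider read from the ACS OData Management Service; a hypothetical
// record holding only the three fields the answer names, not the ACS management SDK types.
public sealed record ManagedIdp(string DisplayName, string LoginLinkName, string IssuerName);

public static class IdpMapper
{
    public const string IdpClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // The name IdentityProviders.js shows: LoginLinkName, falling back to DisplayName.
    public static string ListedName(ManagedIdp idp) =>
        string.IsNullOrEmpty(idp.LoginLinkName) ? idp.DisplayName : idp.LoginLinkName;

    // identityprovider claim value (Issuer.Name) -> listed name, keyed by exact ordinal match,
    // so "Google" is never confused with another provider whose name merely contains it.
    public static Dictionary<string, string> ClaimToListed(IEnumerable<ManagedIdp> idps) =>
        idps.ToDictionary(i => i.IssuerName, i => ListedName(i), StringComparer.Ordinal);

    // Listed name (what the user picks from the list) -> claim value to store in the assignment.
    public static Dictionary<string, string> ListedToClaim(IEnumerable<ManagedIdp> idps) =>
        idps.ToDictionary(i => ListedName(i), i => i.IssuerName, StringComparer.Ordinal);

    // Listed name for the signed-in user, or null when the claim is absent or not a known provider.
    public static string ListedNameFor(ClaimsIdentity identity, Dictionary<string, string> claimToListed)
    {
        var claim = identity?.FindFirst(IdpClaimType);
        return claim != null && claimToListed.TryGetValue(claim.Value, out var name) ? name : null;
    }

    public static void Main()
    {
        // Constructed sample data mirroring the claim values quoted in the question.
        var idps = new[]
        {
            new ManagedIdp("Windows Live ID", null, "uri:WindowsLiveID"),
            new ManagedIdp("Google", "Google", "Google"),
            new ManagedIdp("ADFS", "MyCompany ADFS", "http://adfs.mycompany.com/adfs/services/trust"),
        };
        var claimToListed = ClaimToListed(idps);
        var user = new ClaimsIdentity(new[] { new Claim(IdpClaimType, "uri:WindowsLiveID") });
        Console.WriteLine(ListedNameFor(user, claimToListed));      // name to show in the UI
        Console.WriteLine(ListedToClaim(idps)["MyCompany ADFS"]);    // value to store in the assignment
        Console.WriteLine(claimToListed.ContainsKey("Evil Corp"));   // unknown issuers are not accepted
    }
}
```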

You can configure your own values for an identity provider by using "Rule group" -> "choose one" -> "Add", then leave "input claim ..." as any/any and configure the output claim type with the same custom claim type for each identity provider, for example:

"http://mycustomtype.com/usethisclaimvalue" + "uri:WindowsLiveID"

for Windows Live.

Then you can use this added claim as the source for a switch operator inside the application.

I tried to do this last week and couldn't find a way to match the value in the claim to the value in IdentityProvider.js. I landed up looking for specific values. The only thing I can suggest is some resource/code that understands the mapping. I was just looking for a specific one and landed up doing something like this:

// Requires: using System.Linq; and a ClaimsIdentity on the current request.
// True when the ACS identityprovider claim value contains "Google".
return (HttpContext.User.Identity as System.Security.Claims.ClaimsIdentity).Claims
    .First(x => x.Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider").Value
    .Contains("Google");

I searched high and low for the data, but couldn't find it. If you do, please submit an answer; I would also like to know.

The way I solved this was by creating a custom rule in the ACS for each of my Identity Providers where I hard-coded the output value to match the name value from the IdentityProvider.js. This way, the hard-coded values are in the ACS and are not application specific, in case you have multiple applications.

Here is an example of how I set up a rule: http://screencast.com/t/jfDqX0cqu
