Saturday, June 16, 2012 8:01 PM
We need a persistent identifier for users of our application, but want to use external authentication. We would like to use Azures ACS, but I need to know whether it will provide a persistent "Managed Name Identifier (in SAML 2.0 terms). If so, we could use this identifier to associate the user to his/her information in our application. I have not been able to get an answer to this question and hope that someone can tell me whether it is possible, and how to make it work (or where to find out how to make it work). If not, then we will switch to directly using Google for OpenId authentication because I know that we can get a persistent id from it.
I would appreciate your ideas and suggestions...
Saturday, June 16, 2012 10:27 PM
After a ton of research and experimentation, I have answered these questions...
Q1) Is it possible to get a persistent, unqiue identifier for a user who has been authenticated through ACS?
Azure ACS does support SAML 2.0, so it can provide the nameidentifier value to your application for the authentication provider. When you "Add STS References..." to
your Visual Studio project, it created a file in your project named "Federation Metadata.xml". Open this file and add the following line to the end of the
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/nameidentifier" Optional="false" xmlns:auth="http://docs.oasis-
So, now you will receive this item in the claims that are returned after logging into an authentication provider. So, how do you access the nameidentifer value? In
your .aspx.cs file that will be accessed after authentication:
Add the following namespace:
In your method where you will verify the authentication, do the following:
// Cast the Thread.CurrentPrincipal
IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;
// Access IClaimsIdentity which contains claims
IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
// Access claims
foreach (Claim claim in claimsIdentity.Claims)
if (claim.ClaimType.CompareTo(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier") == 0)
// Okay, let's get the persistent name identifier...
string nameId = claim.Value;
I know that Google ensures that the nameidentifier will be persistent and unique for the user unless you change the domain name that you've assigned when signing up
for authentication services for your domain on their website. We are only using Google for authentication at this time, so we have resolved our issue with the
changes that I have mentioned. A quick look at the results from logging into Live! and Yahoo! is that I am getting sensible nameidentifier values, but I do not know
for a fact that they are persistent and if they are persistent or under what conditions they may change. Hopefully, another user will post info for Live! and Yahoo!
Q2) How to completely log out (i.e. completely log out of Google)
There is a lot of confusion out there about this issue. From what I have read, it is not the intention, at this time, to provide the ability to log out of the
authentication provider when leaving our application because it would affect a user's other sessions in which they signed in using the same authentication provider.
So, we are experimenting with passing the following POPE Extensions when authentication has begun so that when the user logs out of our application, he/she must
enter a password to access it again.
This seems like a reasonable approach, if it works...
Here is where we are at with our logout process, but we are still working on it...
if (FederatedAuthentication.SessionAuthenticationModule != null)
// Redirect to our login page?
Please note that I am simply posting this information in the hope that it may help others... I am not saying that my solution is the best or only one. It simply
meets our requirements.
- Marked As Answer by A Bit of Help Saturday, June 16, 2012 10:27 PM