Sign in
 
HomeLibraryWikiLearnGalleryDownloadsSupportForumsBlogs
Resources for IT Professionals >
Does Azure ACS SAML 2.0 Provide Managed Name Identifiers/Persistent Identifiers?

תשובה Does Azure ACS SAML 2.0 Provide Managed Name Identifiers/Persistent Identifiers?

  • Saturday, June 16, 2012 8:01 PM
     
     
    Sign In to Vote
    0

    Hello,

    We need a persistent identifier for users of our application, but want to use external authentication.  We would like to use Azures ACS, but I need to know whether it will provide a persistent "Managed Name Identifier (in SAML 2.0 terms).  If so, we could use this identifier to associate the user to his/her information in our application.  I have not been able to get an answer to this question and hope that someone can tell me whether it is possible, and how to make it work (or where to find out how to make it work).  If not, then we will switch to directly using Google for OpenId authentication because I know that we can get a persistent id from it.

    I would appreciate your ideas and suggestions...

    Thanks,

    Mike

     

All Replies

  • Saturday, June 16, 2012 10:27 PM
     
     Answered
    Sign In to Vote
    0

    Yes.

    After a ton of research and experimentation, I have answered these questions...

    Q1) Is it possible to get a persistent, unqiue identifier for a user who has been authenticated through ACS?

    Azure ACS does support SAML 2.0, so it can provide the nameidentifier value to your application for the authentication provider.  When you "Add STS References..." to

    your Visual Studio project, it created a file in your project named "Federation Metadata.xml".  Open this file and add the following line to the end of the

    <fed:ClaimTypesRequested> list:

    <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/nameidentifier" Optional="false" xmlns:auth="http://docs.oasis-

    open.org/wsfed/authorization/200706" />

    So, now you will receive this item in the claims that are returned after logging into an authentication provider.  So, how do you access the nameidentifer value?  In

    your .aspx.cs file that will be accessed after authentication:

    Add the following namespace:
    using Microsoft.IdentityModel.Claims;

    In your method where you will verify the authentication, do the following:

                if (HttpContext.Current.User.Identity.IsAuthenticated)
                {
                    // Cast the Thread.CurrentPrincipal
                    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

                    // Access IClaimsIdentity which contains claims
                    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

                    // Access claims
                    foreach (Claim claim in claimsIdentity.Claims)
                    {
                        if (claim.ClaimType.CompareTo(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier") == 0)
                        {
                            // Okay, let's get the persistent name identifier...
                            string nameId = claim.Value;
       .
       .
       .
                        }
                    }

    I know that Google ensures that the nameidentifier will be persistent and unique for the user unless you change the domain name that you've assigned when signing up

    for authentication services for your domain on their website.  We are only using Google for authentication at this time, so we have resolved our issue with the

    changes that I have mentioned.  A quick look at the results from logging into Live! and Yahoo! is that I am getting sensible nameidentifier values, but I do not know

    for a fact that they are persistent and if they are persistent or under what conditions they may change.  Hopefully, another user will post info for Live! and Yahoo!

    Q2) How to completely log out (i.e. completely log out of Google)
    There is a lot of confusion out there about this issue.  From what I have read, it is not the intention, at this time, to provide the ability to log out of the

    authentication provider when leaving our application because it would affect a user's other sessions in which they signed in using the same authentication provider. 

    So, we are experimenting with passing the following POPE Extensions when authentication has begun so that when the user logs out of our application, he/she must

    enter a password to access it again.

    openid.ns.pape
    openid.pape.max_auth_age

    This seems like a reasonable approach, if it works...

    Here is where we are at with our logout process, but we are still working on it...
    using Microsoft.IdentityModel.Web;
    using System.Web.Security;
    .
    .
    .
                    if (FederatedAuthentication.SessionAuthenticationModule != null)
                    {                  
                        FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();
                        FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
                        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
                        FormsAuthentication.SignOut();

                        // Redirect to our login page?
                    }


    Please note that I am simply posting this information in the hope that it may help others...  I am not saying that my solution is the best or only one.  It simply

    meets our requirements. 

    Thanks,

    Mike

     

    • Marked As Answer by A Bit of Help Saturday, June 16, 2012 10:27 PM
    •