How to: Configure Google as an Identity Provider

Updated: June 19, 2015

Applies To: Azure

Important

As of May 19, 2014, new ACS namespaces cannot use Google as an identity provider. ACS namespaces that used Google and were registered before this date are unaffected. For more information, see Release Notes.

Applies To

  • Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)

Summary

This How To explains how to configure Google as an identity provider in ACS. Configuring Google as an identity provider for your ASP.NET web application allows your users to authenticate to your ASP.NET web application by logging on with their Google account.

Contents

  • Objectives

  • Overview

  • Summary of steps

  • Step 1 – Create a Namespace

  • Step 2 – Configure Google as an Identity Provider

  • Step 3 – Configure Trust with Relying Party

  • Step 4 – Configure Token Transformation Rules

  • Step 5 – Review Endpoints Exposed by the Namespace

Objectives

  • Create a Microsoft Azure project and namespace.

  • Configure a namespace to be used with Google as an identity provider.

  • Configure trust and token transformation rules.

  • Become familiar with the endpoint reference, list of services, and metadata endpoints.

Overview

Configuring Google as an identity provider eliminates the need to create and manage your own authentication and identity management mechanisms, and it improves the end-user experience because users sign in with a procedure they already know. Using ACS, it is easy to set up a configuration that your application can readily consume to offer this functionality to end users. This How-To explains how to accomplish this task. The following diagram depicts the overall flow of configuring a relying party of ACS for use.

ACS v2 Workflow

Summary of Steps

To configure Google as an identity provider for your application complete these steps:

  • Step 1 – Create a Namespace

  • Step 2 – Configure Google as an Identity Provider

  • Step 3 – Configure Trust with Relying Party

  • Step 4 – Configure Token Transformation Rules

  • Step 5 – Review Endpoints Exposed by the Namespace

Step 1 – Create a Namespace

This step creates an Access Control namespace in the Azure project. You may skip this step if you want to configure Google as an identity provider for an existing namespace.

To create an Access Control namespace in your Azure project

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To create an Access Control namespace, click New, click App Services, click Access Control, and then click Quick Create. (Or, click Access Control Namespaces before clicking New.)

Step 2 – Configure Google as an Identity Provider

This step shows how to configure Google as an identity provider for an existing namespace.

To configure Google as an identity provider for an existing namespace

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. In the ACS portal, click Identity Providers.

  4. On the Add Identity Provider page, click Add and then select Google.

  5. On the Add Google Identity Provider page, click Save.

Step 3 – Configure Trust with the Relying Party

This step shows how to configure trust between your application, called the relying party, and ACS.

To configure the trust

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. In the ACS portal, click Relying Party Applications and then click Add.

  4. On the Add Relying Party Application page, specify the following values for the following fields:

    • Name—An arbitrary name of your choice.

    • Realm—The realm is the URI that tokens issued by ACS are valid for.

    • Return URL—The return URL defines the URL that ACS posts the issued token to for a given relying party application.

    • Token format—The token format defines the type of token ACS issues to a relying party application.

    • Token encryption policy—Optionally, ACS can encrypt any SAML 1.1 or SAML 2.0 token issued to a relying party application.

    • Token lifetime—The token lifetime specifies the Time to Live (TTL) for the token issued by ACS to the relying party application.

    • Identity providers—The identity providers field allows you to specify which identity providers to use with your relying party application. Make sure Google is selected.

    • Rule groups—Rule groups contain rules that define which user-identity claims are passed from identity providers to your relying party application.

    • Token signing—ACS signs all security tokens it issues using either an X.509 certificate (with a private key) or a 256-bit symmetric key.

    For more information about each field, see Relying Party Applications.

  5. Click Save.

Step 4 – Configure Token Transformation Rules

This step shows how to configure the claims that ACS sends to the relying party application. For example, Google does not send the user’s email address by default. You need to configure the identity provider to supply the desired claims to your application, and specify how to transform them. The following procedure outlines how to add a rule that passes the email address through in the token so that your application can use it.

To configure token claims-transformation rules

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. In the ACS portal, click Rule Groups and then click Add. Or, you can edit an existing rule group.

  4. Specify a name for your new group, and then click Save.

  5. On the Edit Rule Group, click Add.

  6. On the Add Claim Rule page, specify the following values:

    • Claim Issuer: Select Identity provider and Google.

    • Input claim type: Choose Select type, and then select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

    • Input claim value: Select Any.

    • Output claim type: Select Pass through the input claim type.

    • Output claim value: Select Pass through the input claim value.

    • Optionally, in Description, add a description of the rule.

  7. On the Edit Rule Group and Rule Groups pages, click Save.

  8. Click Relying Party Applications, and then click the desired relying party application.

  9. Scroll down to the Rule Groups section, select the new Rule Group, and then click Save.

Step 5 – Review Endpoints Exposed by the Namespace

This step familiarizes you with the endpoints that ACS exposes. For example, ACS exposes the WS-Federation metadata endpoint that is used by FedUtil when configuring ASP.NET web applications for federated authentication.

To review the endpoints exposed by ACS

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. In the ACS portal, click Application integration.

  4. Review the Endpoint Reference table. For example, the WS-Federation metadata URL should be similar to the following (your namespace name will be different):

    https://my-namespace1.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml
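Before an application trusts the signing certificate and endpoints it reads from that metadata URL, it should confirm that the document really describes the namespace it expects. The following added Python example (not part of the original article or of ACS itself) parses a constructed, trimmed FederationMetadata.xml sample and checks the issuer, signing certificate and passive WS-Federation endpoint against the expected namespace host; the namespace name and the certificate value are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed, trimmed sample of the FederationMetadata.xml document an ACS
# namespace publishes. The certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my-namespace1.accesscontrol.windows.net/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-CERT-BASE64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://my-namespace1.accesscontrol.windows.net/v2/wsfederation</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# Clark-notation namespace prefixes for the element types we care about.
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
FED = "{http://docs.oasis-open.org/wsfed/federation/200706}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSA = "{http://www.w3.org/2005/08/addressing}"

def parse_federation_metadata(xml_text):
    """Pull the issuer, signing certificates and passive (WS-Federation) endpoints."""
    root = ET.fromstring(xml_text)
    certs = [c.text.strip()
             for kd in root.iter(MD + "KeyDescriptor") if kd.get("use") == "signing"
             for c in kd.iter(DS + "X509Certificate")]
    endpoints = [a.text.strip()
                 for ep in root.iter(FED + "PassiveRequestorEndpoint")
                 for a in ep.iter(WSA + "Address")]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "passive_endpoints": endpoints}

def check_metadata(meta, expected_host):
    """Return problems found before trusting the document (hypothetical checks)."""
    problems = []
    if urlparse(meta["entity_id"]).hostname != expected_host:
        problems.append("entityID host is not the expected namespace")
    if not meta["signing_certs"]:
        problems.append("no signing certificate published")
    for ep in meta["passive_endpoints"]:
        u = urlparse(ep)
        if u.scheme != "https" or u.hostname != expected_host:
            problems.append("endpoint is not on the expected https host: " + ep)
    return problems
```

In a real deployment the document would be fetched over HTTPS from the namespace URL shown above rather than embedded, and the extracted certificate would be pinned or compared with the one configured in the relying party.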

See Also

Concepts

ACS How To's