
Login Pages and Home Realm Discovery

Published: April 7, 2011

Updated: January 4, 2013

Applies To: Windows Azure

Windows Azure Active Directory Access Control (also known as Access Control Service or ACS) provides two easy ways of generating a federated login page for your website or application:

Option 1: ACS-Hosted Login Page

ACS hosts a basic federated login page that can be used with your relying party application. This login page is hosted at the WS-Federation protocol endpoint for your namespace and can be accessed by crafting a URL such as the following.

https://YourNamespace.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=YourAppRealm&redirect=false

In this URL, replace YourNamespace with the name of your Access Control namespace. In addition, this URL requires the following parameters:

  • wa—Set to wsignin1.0

  • wtrealm—Set to the Realm you entered for your relying party application in the ACS Management Portal

You can find the exact login page links for all of your relying party applications by completing the following steps:

  1. Launch the ACS Management Portal. For more information, see ACS Management Portal.

  2. Click Application integration in the tree on the left-hand side under the Development section, and then on the Application Integration page, click the Login pages link.

  3. Click the relying party application for which you want to view the exact login page link.

    You are redirected to the Login Page Integration: <relying_party_application_name> page, where <relying_party_application_name> is the name of your relying party application. You can find the exact login page link for this relying party application in the text box under Option 1: Link to an ACS-hosted login page.

The following figure describes what the default login page looks like with Windows Live ID, Google, Yahoo!, Facebook, and a WS-Federation identity provider (Contoso Corp.) configured.

[Figure: ACS 2.0 login page with identity provider buttons]

If you add email address suffixes for your WS-Federation identity provider in the ACS Management Portal, then an input for an email address appears instead of a button for that identity provider. The following figure describes this case. This can be useful if a large number of WS-Federation identity providers are configured for your relying party application.

[Figure: ACS 2.0 login page with an email address input for the WS-Federation identity provider]

To expedite the integration of ACS with your relying party application, it is recommended that you use the default ACS-hosted login page. To customize the layout and appearance of this page, you can save the default login page as an HTML file and copy the HTML and JavaScript to your application where it can be customized.

Option 2: Host a Custom Login Page as Part of Your Application

To enable full control over the appearance, behavior, and location of your federated login page, ACS provides a JSON-encoded metadata feed with the names, login URLs, images, and email domain names (AD FS 2.0 only) for your identity providers. This feed is known as the Home Realm Discovery Metadata Feed.

Example custom login page

You can download an example HTML login page for each of your relying party applications by completing the following steps:

  1. Launch the ACS Management Portal. For more information, see ACS Management Portal.

  2. Click Application integration in the tree on the left-hand side under the Development section, and then on the Application Integration page, click the Login pages link.

  3. Click the relying party application for which you want to view the exact login page link.

    You are redirected to the Login Page Integration: <relying_party_application_name> page, where <relying_party_application_name> is the name of your relying party application.

  4. Click Download Example Login Page under Option 2: Host the login page as part of your application.

The example HTML code is identical to the HTML code for the ACS-hosted login page.

This page loads the metadata feed through a script tag near the bottom of the HTML code; the JavaScript functions that render the page appear above that tag. Custom login pages can consume the metadata using pure client-side HTML and JavaScript, as shown in the example; however, the feed can also be consumed by any language that supports JSON decoding to render a custom login control.

Home Realm Discovery Metadata Feed

You can view the exact home realm discovery metadata feed URL for all of your relying party applications by completing the following steps:

  1. Launch the ACS Management Portal. For more information, see ACS Management Portal.

  2. Click Application integration in the tree on the left-hand side under the Development section, and then, on the Application Integration page, click the Login pages link.

  3. Click the relying party application for which you want to view the exact login page link.

    You are redirected to the Login Page Integration: <relying_party_application_name> page, where <relying_party_application_name> is the name of your relying party application.

The URL is located under Option 2: Host the login page as part of your application.

The following is an example HRD feed URL.

https://YourNamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=YourAppRealm&reply_to=YourAppReturnURL&context=&version=1.0&callback=OptionalFunctionName

This URL uses the following parameters:

  • YourNamespace—Required. Set to the name of your Windows Azure namespace.

  • protocol—Required. This is the protocol that your relying party application uses to communicate with ACS. In ACS this value must be set to wsfederation.

  • realm—Required. This is the Realm that you specified for your relying party application in the ACS Management Portal.

  • version—Required. In ACS this value must be set to 1.0.

  • reply_to—Optional. This is the Return URL that you specified for your relying party application in the ACS Management Portal. If omitted, the Return URL is set to the default value that is configured for your relying party application in the ACS Management Portal.

  • context—Optional. Any additional context that should be passed back to the relying party application in the token. ACS does not interpret its contents.

  • callback—Optional. You can set this parameter to the name of a JavaScript function that you want to run when the JSON feed is loaded. The JSON feed string is the argument that is passed to this function.

Note
The JSON-encoded metadata feed may change at any time; therefore it is recommended that you do not cache it.

JSON feed data format

When the metadata feed is requested with valid parameters as previously described, the response is a document containing a JSON-encoded array of arrays, with each internal array representing an identity provider with the following fields:

  • Name—The human-readable display name for the identity provider.

  • LoginUrl—A constructed login request URL.

  • LogoutUrl—This URL allows end users to sign out of the identity provider they signed in with. This is currently only supported for AD FS 2.0 and Windows Live ID and is empty for other identity providers.

  • ImageUrl—The image to display, as configured in the ACS Management Portal. Blank if there is no image.

  • EmailAddressSuffixes—An array of email address suffixes associated with the identity provider. In ACS, email address suffixes can only be configured for AD FS 2.0 identity providers via the ACS Management Portal. Returns an empty array if there are no suffixes configured.

The following example shows what the JSON feed would look like if two identity providers are configured: Windows Live ID and an AD FS 2.0 identity provider. The user has set an image URL for Windows Live ID in the ACS Management Portal and associated an email domain suffix with the AD FS 2.0 identity provider.

Note
Line breaks have been added for readability and URLs have been simplified for brevity.

[ {
   "Name":"Windows Live ID",
   "LoginUrl":"https://...",
   "LogoutUrl":"https://...",
   "ImageUrl":"https://...",
   "EmailAddressSuffixes":[]
},
{
   "Name":"My ADFS 2.0 Provider",
   "LoginUrl":"https://...",
   "LogoutUrl":"https://...",
   "ImageUrl":"",
   "EmailAddressSuffixes":["contoso.com"]
} ]
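As an added example, not taken from this page or from the ACS example login page, the following client-side JavaScript shows how a custom login page could consume the feed described above: the function named in the callback parameter receives the feed, providers without email suffixes become buttons, and an entered email address is mapped to the LoginUrl of the provider that claims its domain (home realm discovery). The feed contents, host names and the function names are constructed for illustration.

```javascript
// Constructed sample of the HRD feed; the shape follows the page, the URLs are placeholders.
const SAMPLE_FEED = [
  { Name: "Windows Live ID", LoginUrl: "https://login.live.example/signin",
    LogoutUrl: "https://login.live.example/signout",
    ImageUrl: "https://img.example/live.png", EmailAddressSuffixes: [] },
  { Name: "My ADFS 2.0 Provider", LoginUrl: "https://adfs.contoso.example/signin",
    LogoutUrl: "https://adfs.contoso.example/signout",
    ImageUrl: "", EmailAddressSuffixes: ["contoso.com"] }
];

// Split the feed into providers shown as buttons and providers reached by
// typing an email address (those with at least one configured suffix).
function buildLoginModel(feed) {
  const model = { buttons: [], emailProviders: [] };
  for (const idp of feed) {
    const suffixes = Array.isArray(idp.EmailAddressSuffixes) ? idp.EmailAddressSuffixes : [];
    if (suffixes.length === 0) {
      model.buttons.push({ label: idp.Name, href: idp.LoginUrl, image: idp.ImageUrl || null });
    } else {
      model.emailProviders.push(idp);
    }
  }
  return model;
}

// Home realm discovery: return the LoginUrl of the provider whose suffix list
// contains the domain of the email address (case-insensitive). Only https
// login URLs are accepted as a redirect target; anything else yields null.
function findHomeRealm(feed, email) {
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).toLowerCase();
  for (const idp of feed) {
    const suffixes = (idp.EmailAddressSuffixes || []).map((s) => s.toLowerCase());
    if (suffixes.includes(domain) && /^https:\/\//i.test(idp.LoginUrl)) return idp.LoginUrl;
  }
  return null;
}

// Hypothetical callback named in the feed URL's callback parameter. The script
// tag that loads the feed invokes it; a string argument is parsed first.
globalThis.onHrdFeedLoaded = function (feed) {
  const parsed = typeof feed === "string" ? JSON.parse(feed) : feed;
  const model = buildLoginModel(parsed);
  // A real page would render model.buttons here and, when model.emailProviders
  // is non-empty, an email input whose submit handler calls findHomeRealm.
  return model;
};
```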
