Facebook as an ACS Identity Provider

Updated: June 19, 2015

Applies To: Azure

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) supports Facebook as an identity provider for web sites and web applications. ACS support for Facebook is built using the Facebook Graph API, which enables federated authentication and authorization for Facebook user accounts.

Configuring a prerequisite Facebook application

To add Facebook as an identity provider in your Access Control namespace, you must first create a Facebook application and supply it with the necessary parameters to communicate with ACS. For more information, see How to: Configure Facebook as an Identity Provider.

Configuring with the ACS Management Portal

Once your Facebook application is created, add Facebook as an identity provider in your Access Control namespace by specifying the following settings in the ACS Management Portal:

  • Display name—Specifies the display name of your identity provider. This name is used in the ACS Management Portal only.

  • Application ID—Specifies the Application ID that you can copy from your Facebook application.

  • Application secret—Specifies the application secret that you can copy from your Facebook Connect application.

  • Application permissions—Specifies any extended permissions that you want to request from the users of your Facebook application when they log in. For more information about the permissions that you can request, see Permissions (https://go.microsoft.com/fwlink/?LinkID=214014). The permission to access Facebook users' email addresses is provided by default and additional permissions must be delimited by commas. Once permissions are configured, your relying party application can use the issued Facebook access token to request the additional user information using the Facebook Graph API. For more information, see Access Token claim type in Supported claim types.

  • Login link text—Specifies the text that is displayed for the Facebook identity provider on the login page of your web application. For more information, see Login Pages and Home Realm Discovery.

  • Image URL (optional)—Specifies a URL to an image file (for example, a logo of your choice) that you can display as the login link for this identity provider. This logo automatically appears on the default login page for your ACS-aware web application, as well as in your web application’s JSON feed that you can use to render a custom login page. If you do not specify an image URL, then a text login link for this identity provider is displayed on the login page of your web application. If you specify an image URL, it is strongly recommended that it be pointed to a trusted source, for example, your own web site or application, using HTTPS to prevent browser security warnings. Also, any image that is larger than 240 pixels in width and 40 pixels in height is automatically resized on the default ACS home realm discovery page.

  • Relying party application—Specifies all existing relying party applications that you want to associate with the Facebook identity provider. For more information, see Relying Party Applications.

After an identity provider is associated with a relying party application, rules for that identity provider must be generated or added manually in a relying party application’s rule group to complete the configuration. For more information about creating rules, see Rule Groups and Rules.

Supported claim types

After a user authenticates with an identity provider, they receive a token populated with identity claims. Claims are pieces of information about the user, such as an email address or a unique ID. ACS can pass these claims directly through to the relying party application, or make authorization decisions based on the values they contain.

By default, claim types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identify claims in other token formats.

The following table shows the claim types that are available to ACS for Facebook identity providers.

  • Name Identifier
    URI: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Description: A unique identifier (uid) for the user account, provided by Facebook.

  • Name
    URI: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Description: The display name for the user account, provided by Facebook.

  • Email Address
    URI: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Description: The email address for the user account, provided by Facebook. Note that this claim type is only provided if “email” is configured as an application permission, which it is by default in the ACS Management Portal.

  • Access Token
    URI: http://www.facebook.com/claims/AccessToken
    Description: The Facebook OAuth 2.0 access token for the current user session. This access token can be used to make calls back to Facebook using the Graph API. For more information, see Graph API.

  • Expiration
    URI: https://schemas.xmlsoap.org/ws/2008/06/identity/claims/expiration
    Description: The date and time in Coordinated Universal Time (UTC) at which the access token expires. Note: this claim type is not present if the offline_access permission is requested.

  • Identity Provider
    URI: https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider
    Description: A claim provided by ACS that tells the relying party application that the user authenticated using a particular Facebook application. The format of this claim value is Facebook-<Application ID>, and the actual value is visible in the ACS Management Portal via the Realm field on the Edit Identity Provider page.
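As an added example (not part of this page or of ACS itself), the following relying-party-side check consumes a claim set keyed by the URIs above: it binds the token to the expected Facebook application via the Identity Provider claim, treats the Email Address claim as optional unless the application depends on the "email" permission, and handles the case where the Expiration claim is absent because offline_access was requested. The function name, the ISO 8601 representation of the expiration value, and the sample claim values are assumptions made for the example.

```python
from datetime import datetime, timezone

# Claim type URIs as listed on this page.
NAME_ID = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
EMAIL = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ACCESS_TOKEN = "http://www.facebook.com/claims/AccessToken"
EXPIRATION = "https://schemas.xmlsoap.org/ws/2008/06/identity/claims/expiration"
IDENTITY_PROVIDER = "https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider"


def parse_utc(value):
    # Assumption: the expiration claim is carried as an ISO 8601 UTC timestamp
    # such as "2015-06-19T12:00:00Z"; the page only says it is a UTC date/time.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_facebook_claims(claims, expected_app_id, now_utc, require_email=False):
    """Return (accepted, reason) for a claim set (URI -> value) issued by ACS."""
    # Bind the token to the Facebook application configured in the portal.
    if claims.get(IDENTITY_PROVIDER) != f"Facebook-{expected_app_id}":
        return False, "identity provider claim does not match Facebook-<Application ID>"
    if not claims.get(NAME_ID):
        return False, "name identifier claim missing"
    # The email claim is only issued when the "email" permission is configured.
    if require_email and not claims.get(EMAIL):
        return False, "email claim missing (email permission not configured?)"
    # The access token is a bearer credential for the Graph API: never log it.
    if ACCESS_TOKEN not in claims:
        return False, "access token claim missing"
    exp = claims.get(EXPIRATION)
    if exp is None:
        # Expected when offline_access was requested; no lifetime to enforce here.
        return True, "accepted (no expiration claim: offline_access token)"
    if parse_utc(exp) <= now_utc:
        return False, "facebook access token expired"
    return True, "accepted"


# Constructed sample claim set (placeholder values, not real identifiers).
SAMPLE_CLAIMS = {
    NAME_ID: "100000000000001",
    EMAIL: "user@example.com",
    ACCESS_TOKEN: "EXAMPLE-FACEBOOK-ACCESS-TOKEN",
    EXPIRATION: "2015-06-19T12:00:00Z",
    IDENTITY_PROVIDER: "Facebook-000000000000000",
}

if __name__ == "__main__":
    now = parse_utc("2015-06-19T11:00:00Z")
    print(check_facebook_claims(SAMPLE_CLAIMS, "000000000000000", now))
```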

See Also

Concepts

Identity Providers