Windows Live ID as an ACS Identity Provider

Updated: June 19, 2015

Applies To: Azure

When a new Access Control namespace is created, Windows Live ID (Microsoft account) is added as a default identity provider and it cannot be deleted. This functionality enables federated authentication for the ACS Management Portal, in which the ACS Management Portal is configured as a relying party application in your Access Control namespace and Windows Live ID is an identity provider that is associated with this relying party application. To prevent loss of access to the ACS Management Portal, the Windows Live ID identity provider cannot be deleted. However, in ACS, an identity provider can be associated with more than one relying party application and a relying party application can use multiple identity providers.

Using the ACS Management Portal

You can use the ACS Management Portal to configure the following Windows Live ID identity provider settings.

  • Login link text—Specifies the text that is displayed for the Windows Live ID identity provider on the login page of your web application. For more information, see Login Pages and Home Realm Discovery.

  • Image URL (optional)—Specifies the URL to an image file (for example, a logo of your choice) that you can display as the login link for this identity provider. This logo automatically appears on the default login page for your ACS-aware web application, as well as in your web application’s JSON feed that you can use to render a custom login page. If you do not specify an image URL, then a text login link for this identity provider is displayed on the login page of your web application. If you specify an image URL, it is strongly recommended that it be pointed to a trusted source, for example, your own web site or application, using HTTPS to prevent browser security warnings. Also, any image that is larger than 240 pixels in width and 40 pixels in height is automatically resized on the default ACS home realm discovery page.

  • Relying party application—Specifies all existing relying party applications that you want to associate with Windows Live ID. For more information, see Relying Party Applications.

After an identity provider is associated with a relying party application, rules for that identity provider must be generated or added manually in a relying party application’s rule group to complete the configuration. For more information about creating rules, see Rule Groups and Rules.

Supported claim types

After a user authenticates with an identity provider, they receive a token that is populated with identity claims. Claims are pieces of information about the user, such as an email address or a unique ID. ACS can pass these claims directly through to the relying party application, or make authorization decisions based on the values they contain.

By default, claim types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identify claims in other token formats.

The following table shows the claim types that are available to ACS from Windows Live ID (Microsoft account).

  • Claim type: Name Identifier
    URI: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Description: A unique identifier for the user account, provided by Windows Live ID.

  • Claim type: Identity Provider
    URI: https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider
    Description: A claim provided by ACS that tells the relying party application that the user authenticated using the default Windows Live ID identity provider. The value of this claim is visible in the ACS Management Portal via the Realm field on the Edit Identity Provider page.
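As an added example (not part of this documentation or of ACS itself), the following Python shows how a relying party application can act on these two claims once ACS passes them through: it rejects a token whose IdentityProvider claim is missing, duplicated, or does not match the Windows Live ID realm, and keys the local account on the provider plus name identifier pair, since a name identifier is only unique within one identity provider. The realm string and the sample claims are constructed placeholders; take the real realm from the Edit Identity Provider page.

```python
from dataclasses import dataclass

# Claim type URIs exactly as listed on this page.
NAME_IDENTIFIER = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
IDENTITY_PROVIDER = "https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider"

# Assumed placeholder: the Realm value shown for the Windows Live ID provider
# on the Edit Identity Provider page of your own Access Control namespace.
EXPECTED_LIVE_ID_REALM = "<realm-from-edit-identity-provider-page>"

# Constructed sample of claims as a relying party would receive them after
# ACS passes them through (claim type URI, value). Not a real token.
SAMPLE_CLAIMS = [
    (IDENTITY_PROVIDER, EXPECTED_LIVE_ID_REALM),
    (NAME_IDENTIFIER, "constructed-nameid-0123"),
]


class ClaimError(ValueError):
    """Raised when the incoming claims do not allow a safe authorization decision."""


@dataclass(frozen=True)
class LocalPrincipal:
    # Local account key: the provider realm and the provider-scoped identifier together.
    identity_provider: str
    subject: str


def principal_from_claims(claims, expected_realm=EXPECTED_LIVE_ID_REALM):
    """Map pass-through ACS claims to a local principal, or raise ClaimError."""
    by_type = {}
    for claim_type, value in claims:
        by_type.setdefault(claim_type, []).append(value)

    # Exactly one IdentityProvider claim, and it must name the Windows Live ID realm;
    # anything else means the user came through a different provider.
    providers = by_type.get(IDENTITY_PROVIDER, [])
    if len(providers) != 1:
        raise ClaimError("expected exactly one IdentityProvider claim")
    if providers[0] != expected_realm:
        raise ClaimError(f"user did not authenticate via Windows Live ID: {providers[0]}")

    # Exactly one non-empty name identifier; it is only meaningful together with the realm.
    subjects = by_type.get(NAME_IDENTIFIER, [])
    if len(subjects) != 1 or not subjects[0]:
        raise ClaimError("expected exactly one non-empty nameidentifier claim")

    return LocalPrincipal(identity_provider=providers[0], subject=subjects[0])
```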

See Also

Concepts

Identity Providers