Yahoo! as an ACS Identity Provider

Updated: June 19, 2015

Applies To: Azure

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) supports federation with Yahoo! as an identity provider using the OpenID 2.0 authentication protocol. There are no prerequisites that you must complete before you can add Yahoo! as an identity provider in an Access Control namespace. In the context of ACS, Yahoo! is a preconfigured identity provider.

Configuring with the ACS Management Portal

You have to configure the following settings when you add Yahoo! as an identity provider using the ACS Management Portal:

  • Login link text—Specifies the text that is displayed for the Yahoo! identity provider on the login page of your web application. For more information, see Login Pages and Home Realm Discovery.

  • Image URL (optional)—Associates a URL with an image file (for example, a logo of your choice) that you can display as the login link for this identity provider. This logo automatically appears on the default login page for your ACS-aware web application, as well as in your web application’s JSON feed that you can use to render a custom login page. If you do not specify an image URL, then a text login link for this identity provider is displayed on the login page of your web application. If you specify an image URL, it is strongly recommended that it point to a trusted source, for example, your own web site or application, and that it use HTTPS to prevent browser security warnings. Also, any image that is larger than 240 pixels in width and 40 pixels in height is automatically resized on the default ACS home realm discovery page. To download a login image for Yahoo!, see Yahoo! OpenId Buttons (https://go.microsoft.com/fwlink/?LinkID=214049).

  • Relying party application—Specifies all existing relying party applications that you want to associate with the Yahoo! identity provider. For more information, see Relying Party Applications.

After an identity provider is associated with a relying party application, rules for that identity provider must be generated or added manually in a relying party application’s rule group to complete the configuration. For more information about creating rules, see Rule Groups and Rules.

Supported claim types

After a user authenticates with an identity provider, they receive a token populated with identity claims. Claims are pieces of information about the user, such as an email address or a unique ID. ACS can pass these claims directly through to the relying party application or make authorization decisions based on the values they contain.

By default, claim types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identify claims in other token formats.

The following table shows the claim types that are available to ACS from Yahoo!

| Claim Type | URI | Description |
|---|---|---|
| Name Identifier | https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | A unique identifier for the user account, provided by Yahoo! |
| Name | https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | The display name for the user account, provided by Yahoo! |
| Email Address | https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The email address for the user account, provided by Yahoo! |
| Identity Provider | https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider | A claim provided by ACS that tells the relying party application that the user authenticated using the default Yahoo! identity provider. The value of this claim is visible in the ACS Management Portal via the Realm field in the Edit Identity Provider page. |
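
The following Python example is added here for illustration and is not part of the original documentation or of ACS. It shows how a relying party application might map the claims in the table above to an account record once its token-handling library has validated the ACS-issued token. The function names, the sample values, and the identity provider value "Yahoo!" are assumptions; use the value shown in the Realm field for your namespace.

```python
# Claim type URIs exactly as listed in the table on this page.
NAME_ID = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
IDP = "https://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider"


class ClaimError(ValueError):
    """Raised when the claim set cannot be mapped to exactly one account."""


def single(claims, claim_type, required=True):
    """Return the only value of claim_type; reject duplicates and blanks."""
    values = [v for t, v in claims if t == claim_type]
    if len(values) > 1:
        raise ClaimError("multiple values for " + claim_type)
    if not values or not values[0].strip():
        if required:
            raise ClaimError("missing claim " + claim_type)
        return None
    return values[0]


def account_from_claims(claims, expected_idp):
    """Map (type, value) pairs from an already validated token to an account.

    expected_idp (hypothetical parameter): the Realm value of the provider.
    """
    idp = single(claims, IDP)
    if idp != expected_idp:
        raise ClaimError("unexpected identity provider: " + idp)
    # Key the account on provider + unique identifier. Name and email describe
    # the user rather than identify the account, so they are optional here.
    return {
        "key": (idp, single(claims, NAME_ID)),
        "display_name": single(claims, NAME, required=False),
        "email": single(claims, EMAIL, required=False),
    }


# Constructed sample claim set (not real output from ACS or Yahoo!).
SAMPLE = [
    (IDP, "Yahoo!"),
    (NAME_ID, "https://me.yahoo.example/a/constructed-id"),
    (NAME, "Sample User"),
    (EMAIL, "sample.user@example.com"),
]
```
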

See Also

Concepts

Identity Providers