Identity Providers

Updated: June 19, 2015

Applies To: Azure

Important

ACS namespaces can migrate their Google identity provider configurations from OpenID 2.0 to OpenID Connect. Migration must be completed before June 1, 2015. For detailed guidance, see Migrating ACS Namespaces to Google OpenID Connect.

In Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS), an identity provider is a service that authenticates user or client identities and issues security tokens that ACS consumes. When an identity provider is configured, ACS trusts tokens issued by that identity provider and uses the claims in those tokens as inputs to the ACS rules engine. The ACS rules engine transforms or passes through these claims and includes them in the token that it issues to the relying party applications. The owner of an Access Control namespace can configure one or more identity providers in their namespace.

In ACS, an identity provider can be associated with more than one relying party application. Similarly, an ACS relying party application can be associated with more than one identity provider. For more information about relying party applications, see Relying Party Applications.

The ACS Management Portal provides built-in support for configuring the following identity providers:

In addition to these identity providers, ACS supports configuration of the following identity provider types programmatically through the ACS Management Service:

  • WS-Trust Identity Providers

  • OpenID-Based Identity Providers

WS-Trust Identity Providers

WS-Trust identity providers pass identity claims to ACS using the WS-Trust protocol and are most frequently used in web service scenarios. Many WS-Trust identity providers also support WS-Federation and can be configured in ACS as WS-Federation identity providers to create the required trust relationship. An example of a WS-Trust identity provider (which is also a WS-Federation identity provider) is Active Directory Federation Services (AD FS) 2.0, which allows you to integrate your enterprise Active Directory accounts with ACS. For more information, see How to: Configure AD FS 2.0 as an Identity Provider.

OpenID-Based Identity Providers

ACS supports federation with OpenID-based identity providers for web sites and web applications using the OpenID 2.0 authentication protocol. The ACS OpenID implementation allows an OpenID authentication endpoint to be configured as part of an identity provider entity in ACS. When an ACS login page is rendered for a relying party application, ACS constructs an OpenID authentication request as part of the login URL for the identity provider. After the user selects the identity provider and logs in at that URL, the identity provider redirects the signed OpenID response back to ACS, which validates it before passing the resulting claims to the ACS rules engine. ACS retrieves OpenID user attributes using the OpenID Attribute Exchange extension and maps these attributes to claims that are then output in the token issued to the relying party application.

Two examples of OpenID-based identity providers that ACS supports are Google and Yahoo!, which can be configured in the ACS Management Portal. For more information, see Google and Yahoo!.

Other identity providers that support OpenID 2.0 authentication endpoints can be configured programmatically using the ACS Management Service. For more information, see How to: Use ACS Management Service to Configure an OpenID Identity Provider.

Supported claim types

The following table shows the claim types that are available to ACS from OpenID identity providers. By default, claim types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identify claims in other token formats, and relying parties must match them exactly (scheme and case included).

Claim type: Name Identifier
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Description: The openid.claimed_id value returned by the identity provider.

Claim type: Name
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Description: Attribute http://axschema.org/namePerson returned by the identity provider via the OpenID Attribute Exchange extension. If this attribute is not present, the claim value is the concatenation of http://axschema.org/namePerson/first and http://axschema.org/namePerson/last.

Claim type: Email Address
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Description: Attribute http://axschema.org/contact/email returned by the identity provider via the OpenID Attribute Exchange extension.

Claim type: Identity Provider
URI: http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider
Description: A claim provided by ACS that tells the relying party application which OpenID identity provider was used to authenticate the user. Because openid.claimed_id values from different providers are not comparable, a relying party that keys user records on the Name Identifier should include this claim in the key.
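The following is an added example, not ACS code and not taken from this page, that shows the OpenID 2.0 response described in the section above being turned into the claim set of the table: the positive assertion from a hypothetical OpenID provider at op.example.test is checked, its Attribute Exchange (AX) attributes are resolved from their aliases, and the four claim types are produced, including the first/last fallback for Name and the absence of Email Address when the provider did not return it. The association MAC key, the provider and return_to URLs, the nonce and handle are all constructed; joining first and last names with a single space is an assumption (the table only says "concatenation"); the signature is HMAC-SHA256 over the OpenID key-value form, and the rule that only AX fields listed in openid.signed are trusted is the general OpenID 2.0 relying-party requirement, not a documented detail of ACS's own implementation.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Claim type URIs from the table above.
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_ADDRESS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
IDENTITY_PROVIDER = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
# OpenID Attribute Exchange 1.0 namespace and the axschema.org types the table refers to.
AX_NS = "http://openid.net/srv/ax/1.0"
AX_NAME = "http://axschema.org/namePerson"
AX_FIRST = "http://axschema.org/namePerson/first"
AX_LAST = "http://axschema.org/namePerson/last"
AX_EMAIL = "http://axschema.org/contact/email"
# OpenID 2.0 requires these fields (and claimed_id/identity when present) to be signed.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"}
MAC_KEY = b"constructed-association-mac-key"  # constructed; a real key comes from the association exchange

def kv_form(params: dict) -> bytes:
    """Key-value form of the fields listed in openid.signed, in that order (what openid.sig covers)."""
    return "".join(f"{f}:{params[f]}\n" for f in params["signed"].split(",")).encode()

def sign_response(params: dict, mac_key: bytes) -> dict:
    """Provider side (constructed sample only): attach openid.sig, HMAC-SHA256 with the association key."""
    sig = base64.b64encode(hmac.new(mac_key, kv_form(params), hashlib.sha256).digest()).decode()
    return {**params, "sig": sig}

def verify_signature(params: dict, mac_key: bytes) -> bool:
    """Relying-party side: every listed field must be present and the recomputed MAC must match openid.sig."""
    fields = params.get("signed", "").split(",")
    if not all(f in params for f in fields):
        return False
    expected = base64.b64encode(hmac.new(mac_key, kv_form(params), hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, params.get("sig", ""))

def parse_openid_response(query: str) -> dict:
    """Keep the openid.* parameters of the redirect back to ACS, without the 'openid.' prefix."""
    return {k[7:]: v for k, v in parse_qsl(query, keep_blank_values=True) if k.startswith("openid.")}

def ax_attributes(params: dict) -> dict:
    """Resolve AX aliases to type URIs, keeping only attributes whose type and value fields are
    covered by openid.signed: anything unsigned could have been appended by whoever controls the
    redirect. Multi-valued attributes (count.<alias> / value.<alias>.N) are not handled here."""
    signed = set(params.get("signed", "").split(","))
    ax = next((k[3:] for k, v in params.items() if k.startswith("ns.") and v == AX_NS), None)
    if ax is None or not {f"ns.{ax}", f"{ax}.mode"} <= signed or params.get(f"{ax}.mode") != "fetch_response":
        return {}
    attrs = {}
    for key, type_uri in params.items():
        if key.startswith(f"{ax}.type."):
            value_key = f"{ax}.value." + key[len(f"{ax}.type."):]
            if {key, value_key} <= signed and value_key in params:
                attrs[type_uri] = params[value_key]
    return attrs

def acs_claims(query: str, mac_key: bytes, identity_provider: str) -> dict:
    """Claim set handed to the rules engine for one OpenID identity provider, per the table.
    Joining first and last with one space is an assumption; the table only says 'concatenation'."""
    params = parse_openid_response(query)
    if params.get("mode") != "id_res":
        raise ValueError("not a positive assertion")
    if not verify_signature(params, mac_key):
        raise ValueError("openid.sig does not verify")
    if not REQUIRED_SIGNED <= set(params["signed"].split(",")):
        raise ValueError("required fields are not covered by the signature")
    claims = {NAME_IDENTIFIER: params["claimed_id"], IDENTITY_PROVIDER: identity_provider}
    attrs = ax_attributes(params)
    name = attrs.get(AX_NAME) or " ".join(p for p in (attrs.get(AX_FIRST), attrs.get(AX_LAST)) if p)
    if name:
        claims[NAME] = name
    if AX_EMAIL in attrs:
        claims[EMAIL_ADDRESS] = attrs[AX_EMAIL]
    return claims

def sample_response(with_full_name: bool = True, inject_unsigned_email: bool = False) -> str:
    """Constructed positive assertion from a hypothetical provider at op.example.test."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity",
              "ns.ax", "ax.mode", "ax.type.first", "ax.value.first", "ax.type.last", "ax.value.last"]
    params = {"ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
              "op_endpoint": "https://op.example.test/openid", "return_to": "https://acs.example.test/v2/openid",
              "response_nonce": "2015-06-19T00:00:00Zconstructed", "assoc_handle": "constructed-handle",
              "claimed_id": "https://op.example.test/id/alice", "identity": "https://op.example.test/id/alice",
              "ns.ax": AX_NS, "ax.mode": "fetch_response", "ax.type.first": AX_FIRST, "ax.value.first": "Alice",
              "ax.type.last": AX_LAST, "ax.value.last": "Example"}
    if with_full_name:
        params.update({"ax.type.full": AX_NAME, "ax.value.full": "Alice Q. Example"})
        signed += ["ax.type.full", "ax.value.full"]
    params["signed"] = ",".join(signed)
    params = sign_response(params, MAC_KEY)
    if inject_unsigned_email:  # appended after signing, so openid.sig does not cover it
        params.update({"ax.type.email": AX_EMAIL, "ax.value.email": "attacker@example.test"})
    return urlencode({"openid." + k: v for k, v in params.items()})
```

Running acs_claims(sample_response(), MAC_KEY, "ExampleOP") yields the Name Identifier, Identity Provider and Name claims; with with_full_name=False the Name claim falls back to "Alice Example", an email attribute appended outside the signature never becomes an Email Address claim, and any change to the claimed_id in the redirect makes the signature check fail before a claim is produced.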

See Also

Concepts

ACS 2.0 Components