How do I match an identity provider claim value with an identity provider registered with Azure ACS?

Azure allows us to get a list of registered identity providers by requesting:

 https://YourNamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=YourAppRealm&reply_to=YourAppReturnURL&version=1.0

When a user logs in, we receive an identity provider claim that identifies the provider that was used for authentication.

The problem is that the IdentityProviders.js resource does not tell us which identity provider claim value will be used.

For instance:

  • Windows Live ID uses claim value uri:WindowsLiveID
  • Google uses claim value Google
  • An ADFS identity provider may use a claim value such as http://adfs.mycompany.com/adfs/services/trust

I need to be able to map the identity provider claim values to the identity providers listed in IdentityProviders.js.

The reason for this is that I need to be able to assign permissions to users defined by a particular identity provider. To make it easier for the user, I want to present them with a list of identity providers to choose from (that is, the data obtained from IdentityProviders.js). However, the actual assignment must be made using the identity provider claim value, as that is what identifies the provider.

Is it possible? Are there any workarounds?

Any help would be appreciated!

+4
4 answers

IdentityProviders.js is not intended for this purpose, which is why you are having this problem. The easiest solution is to hard-code these values in your application. If you do not want to do this, you can get these values through the OData management service. For each identity provider that you find through the management service, the value of the IdentityProvider claim will be idp.Issuer.Name, and the value shown in IdentityProviders.js will be idp.LoginLinkName (or idp.DisplayName if LoginLinkName is not specified).

+1
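The mapping the answer above describes, as an added illustration that is not part of any answer on this page: the IdentityProviders.js payload and the management-service rows are constructed samples (the issuer/LoginLinkName/DisplayName fields follow the answer's description, the rest is assumed), and the lookup uses exact matching on the identityprovider claim so that the permission check cannot be satisfied by an unrelated issuer whose name merely contains the expected string.

```python
import json

# Constructed sample of what IdentityProviders.js returns (not captured from a real namespace).
IDENTITY_PROVIDERS_JS = json.dumps([
    {"Name": "Windows Live ID", "LoginUrl": "https://login.live.com/...", "LogoutUrl": "", "ImageUrl": "", "EmailAddressSuffixes": []},
    {"Name": "Google", "LoginUrl": "https://www.google.com/accounts/...", "LogoutUrl": "", "ImageUrl": "", "EmailAddressSuffixes": []},
    {"Name": "My Company ADFS", "LoginUrl": "https://adfs.mycompany.com/...", "LogoutUrl": "", "ImageUrl": "", "EmailAddressSuffixes": []},
])

# Constructed rows standing in for the OData management service: Issuer.Name is the
# identityprovider claim value; LoginLinkName (or DisplayName) is what IdentityProviders.js shows.
MANAGEMENT_IDPS = [
    {"IssuerName": "uri:WindowsLiveID", "DisplayName": "Windows Live ID", "LoginLinkName": None},
    {"IssuerName": "Google", "DisplayName": "Google", "LoginLinkName": None},
    {"IssuerName": "http://adfs.mycompany.com/adfs/services/trust", "DisplayName": "ADFS", "LoginLinkName": "My Company ADFS"},
]

IDP_CLAIM_TYPE = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"


def build_issuer_map(management_idps, identity_providers_js):
    """Return {issuer claim value: list name from IdentityProviders.js}.

    The join key is LoginLinkName, falling back to DisplayName when it is unset.
    Issuers with no entry in IdentityProviders.js are left out rather than guessed.
    """
    list_names = {entry["Name"] for entry in json.loads(identity_providers_js)}
    mapping = {}
    for idp in management_idps:
        link_name = idp.get("LoginLinkName") or idp["DisplayName"]
        if link_name in list_names:
            mapping[idp["IssuerName"]] = link_name
    return mapping


def resolve_provider(claims, issuer_map):
    """Map the token's identityprovider claim to the list name, or None.

    Exact match on the full claim value, and exactly one such claim is required;
    a substring test such as Contains("Google") would also accept other issuers.
    """
    values = [value for claim_type, value in claims if claim_type == IDP_CLAIM_TYPE]
    if len(values) != 1:
        return None
    return issuer_map.get(values[0])


def allowed_for(claims, issuer_map, permitted_providers):
    """Authorization check keyed on the list name an administrator chose."""
    name = resolve_provider(claims, issuer_map)
    return name is not None and name in permitted_providers
```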

You can configure your own values for the identity provider using "Rule groups" -> select one -> "Add", then leave the "Input claim ..." as Any/Any and configure the output claim type with the same settings as the application type for each identity provider, e.g.:

 "http://mycustomtype.com/usethisclaimvalue" + "uri:WindowsLiveID" 

for Windows Live.

You can then use this added claim as a source for the switch statement inside the application.

+1

I tried to do this last week and could not find a way to match the claim value with the value in IdentityProviders.js. I ended up searching for specific values. The only thing I can offer is some resource/code that understands the mapping. I just searched for a specific one and ended up doing something like this:

 // read the ACS identityprovider claim and check its value
 return (HttpContext.User.Identity as System.Security.Claims.ClaimsIdentity).Claims
     .First(x => x.Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider").Value
     .Contains("Google");

I searched high and low, but could not find it. If you do, post an answer; I would also like to know.

0

The way I solved this was to create a custom rule in ACS for each of my identity providers, where I hard-coded the output value to match the name value from IdentityProviders.js. That way the hard-coded values are in ACS and are not application specific if you have multiple applications.

Here is an example of how I set up the rule: http://screencast.com/t/jfDqX0cqu

0

Source: https://habr.com/ru/post/1488066/
