Associate multiple claims based identity providers to one user with ASP.NET
In an ASP.NET MVC 4 application using the .NET 4.5 framework in conjunction with Azure Access Control Service (ACS), I want to provide the users multiple authentication possibilities (i.e. Google, Facebook, Windows Live, etc.). What is the "best practice" for associating a single user to multiple identity providers?

For example, say the user logs in with Google one day, then goes to another browser the next day and logs in with Facebook. How would I know to associate the Facebook login with the previous Google login to the same user?

Budwig answered 18/6, 2012 at 5:19 Comment(0)
If you are using ACS, you can translate the information from each IdP (e.g. Google, Yahoo!, FB, etc.) to a common handle using claims transformation on ACS. A common handle people use is the user's e-mail. But if you want to accept many e-mails mapping to the same user, then you'd introduce your own unique id (as a claim) and map IdP-supplied claims into it:

  • [email protected] (e-mail - Google) -> (UserId - YourApp) user_1234
  • [email protected] (email - Yahoo!) -> (UserId - YourApp) user_1234
  • 64746374613847349 (NameIdentifier - LiveId) -> (UserId - YourApp) user_1234

You can automate this through the ACS API. You should also probably handle the first time a user logs into your site (e.g. asking the user for an e-mail and sending a confirmation message that will trigger the mapping).

Presumably, you are using this information to retrieve data from a local database in your app, otherwise, you could just encode everything in claims and not worry about any equivalences. Claims are often a good place to encode common profile data. (e.g. Roles, etc)

Backdate answered 18/6, 2012 at 14:52 Comment(2)
My thoughts were to use an application-specific database to hold user-specific data (in other words, claims). With the .NET 4.5 claims-based identity functionality, could I take the claims that ACS generates for me and add to them some custom claims (once I associate the IdP identity to the site-specific identity)? – Budwig
You can add the custom claims in your app (see "ClaimsAuthenticationManager") or you can simply store those custom claims in ACS itself. (As rules: [email protected] -> (SomeClaim) somevalue). Here's the link for the ClaimsAuthnManager: msdn.microsoft.com/en-us/library/… – Backdate
Look no further than stackoverflow itself for a good example of this. Click your user profile and then select "my logins".

When a user creates their account, they select which identity provider they want to use to sign in. Under the hood, your application creates a new site-specific unique user ID and links it with a 3rd-party-provided unique ID. (You might use email, but most identity providers will also provide a unique user ID claim that doesn't change, even if the user changes their email.)

Now, after the user has signed in, they have an account management control panel through which they can establish additional links to other identity providers.

I see two options for achieving this:

  1. Have your MVC application persist account links. When a user signs in, you query your account link store using the 3rd party unique ID claim and resolve your site specific unique user ID.

  2. Use the ACS rules engine. You would create one rule per account link. For example, let's say I can sign in with either gmail or liveid and my unique id is 1234. Two rules look like this:

For the unique ID output claim type, you can pick from the available claim types or designate your own. ACS has an OData based management service which you can use to create these rules programmatically from your MVC application. Here's a code sample.

Almaraz answered 18/6, 2012 at 14:45 Comment(2)
With the ACS rules engine, is there some kind of persistence store inside ACS that would allow me to associate known site-specific Id's with IdP Id's via the rules? I haven't seen that. – Budwig
The ACS rules engine is effectively your persistence store in the sense that it will persist the rules you add to it. You cannot, however, link the ACS rules engine to fetch claims from an external data store (like you can with ADFS). – Almaraz
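Option 1 above (the MVC application persisting its own account links) combined with the ClaimsAuthenticationManager hook mentioned in the comments on the other answer, written out as an added C# example; this is not code from either poster. The link store, the claim type URI for the site user id and the "YourApp" issuer string are assumptions; the identityprovider claim type is the one ACS puts in every token it issues.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical account-link store: (identity provider, provider user id) -> site user id.
// A real application backs this with a database table; a dictionary stands in here.
public class AccountLinkStore
{
    private readonly Dictionary<Tuple<string, string>, string> _links =
        new Dictionary<Tuple<string, string>, string>();

    public void Link(string identityProvider, string providerUserId, string siteUserId)
    {
        _links[Tuple.Create(identityProvider, providerUserId)] = siteUserId;
    }

    public string Resolve(string identityProvider, string providerUserId)
    {
        string siteUserId;
        return _links.TryGetValue(Tuple.Create(identityProvider, providerUserId), out siteUserId)
            ? siteUserId : null;
    }
}

// Runs after the ACS token has been validated and before the principal reaches the MVC app
// (registered under <system.identityModel> in web.config, which requires a default constructor).
public class LinkingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim type ACS adds to every token to say which IdP actually authenticated the user.
    const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    // Hypothetical claim type carrying the site-specific user id into the application.
    public const string SiteUserIdClaim = "http://schemas.yourapp.example/claims/userid";
    public static AccountLinkStore Store = new AccountLinkStore();

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        var identity = incoming.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return incoming;
        // Key on the IdP plus its stable NameIdentifier, never on e-mail alone: an address can
        // change, and the same address from two providers is not proof of the same person.
        var idp = identity.FindFirst(IdentityProviderClaim);
        var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (idp == null || nameId == null) return incoming;
        var siteUserId = Store.Resolve(idp.Value, nameId.Value);
        if (siteUserId == null) return incoming; // no link yet: app routes user to the confirm/link flow
        identity.AddClaim(new Claim(SiteUserIdClaim, siteUserId, ClaimValueTypes.String, "YourApp"));
        return incoming;
    }
}
```

A user who signs in with a provider that has no link simply gets no SiteUserIdClaim, which the application can treat as the trigger for the e-mail confirmation step described in the other answer before calling Store.Link.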