Currently, in ACS we use Yahoo as an identity provider. We noticed that Azure B2C doesn't offer Yahoo as a built-in social provider like Azure ACS. Is there a reason for this and will it be added in the near future?
You can create a custom policy. This allows you to integrate with any OpenID Connect provider. It will require a bit of customization, but should be possible since Yahoo supports OpenID Connect.
Here are the steps to get going with custom policies.
How to add authorization through third-party services (for example Instagram or Vk) which are not in the list of Azure AD B2C identity providers?
If the identity provider supports OpenID Connect, you can use the generic OpenID Connect identity provider.
Docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp
If they do not, then you need to create a custom policy using the Identity Experience Framework.
There you can define an identity provider which uses various protocols, but it is quite an advanced scenario.
The custom policy learning curve is quite steep.
Docs for them: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom?tabs=applications
As a service provider, I need to integrate third-party OAuth providers beyond what is currently available in the portal. How can I do that? Any pointers will be helpful. If it is not supported, is it on the product road map?
Currently, you have to create custom policies to integrate with other OpenID Connect and OAuth identity providers, such as Azure AD and GitHub.
The "Add support for a generic OpenID Connect Identity Provider" feedback item indicates development has been started for the built-in support of any OpenID Connect or OAuth provider.
I was relying on Azure ACS to offer users the possibility of logging in using, among other providers, their Google accounts.
As I was registering a new Azure ACS namespace I stumbled upon the message that "Google has closed OpenID 2.0 registrations and this feature is deprecated".
Is there another way to use Google as an identity provider in new ACS namespaces? Work-arounds?
Thanks in advance.
I ended up replacing ACS with a solution similar to the one described here.
The drawback is that if you are relying on ACS for claims transformation you'll have to implement it yourself.
I am looking at Windows Azure ACS as an alternative to implementing my own username / password scheme in my app. This will be a publicly available website.
In addition to using SSO providers such as Google or Facebook, can I use Windows Azure ACS to support username/password authentication?
I see that it supports Active Directory as a provider. I am not sure this is the right thing as I have always thought of Active Directory as an "enterprise" provider.
Windows Azure ACS does not support username/password authentication in the form you need. Shahin outlined it in detail.
Your options really are:
Windows Azure Active Directory (WAAD)
Identity Server (IdSVR)
While classic on-premises Active Directory deployed with a Domain Controller is indeed quite enterprisy, WAAD is not an exact copy of the same in the Cloud. I would actually recommend that you give it a shot and try it out. Using the WAAD Graph API you can fully automate user management in WAAD.
Your second option is based on IdSVR. This is a full-featured Identity Server and Security Token Service. It is developed against the best practices in security and is quite easily extensible! While it does not provide out-of-the-box support for user management (user registration, password reset, etc.), it is an ASP.NET MVC 4 application, so you can very easily add these features yourself. There actually is an open enhancement planned for a User Management API and UI.
Both WAAD and IdSVR integrate well with ACS, so you can provide seamless support for social identities along with own login.
Another service that is still in Beta/Preview is the SocialSTS project. It is a kind of extension to Azure ACS and is designed to help you add more identity providers (such as LinkedIn, Twitter, GitHub, Amazon Login, etc.) to your Access Control Service.
You can authenticate directly with the ACS by using Service Identities, but they are not intended to be used for end-user authentication, as the page explains:
Service identities are not intended to be used as end-user credentials. In ACS, service identities are most commonly used in REST web service scenarios, over the OAuth WRAP protocol, where a client requests a SWT token directly from ACS to present to the web service.
I believe this is the only way to directly get a token from the ACS.
I've been browsing a lot on both StackOverflow and a bunch of different Microsoft-associated sites and looking at examples etc., but I think I'm missing a few key points to the problem at hand.
Scenario:
I'm developing a site that uses Yammer (a Facebook-style page for those of you who don't know) as an Identity Provider together with ACS to provide the security for my site.
Now I've been trying to follow along with a bunch of exercises from MS on how to build those custom providers (Identity Developer Training Kit), but to the question: do I actually have to build them? Isn't there a way to configure ACS to handle my tokens from Yammer (PowerShell commands?)? Or do I have to create an STS provider site and "bridge" Yammer and actually provide ACS with my "own" tokens?
So this question is a little bit of an extension of another one.
The ACS does not support OAuth 2.0 for authentication.
As I understand it, OAuth is for Authorization; the ACS is for Authentication.
It does support WS-Federation and OpenID (although only through the API) identity providers; you just need to add the configuration in the ACS.
So if Yammer has an OpenID or WS-Federation endpoint, you're in business.
If not, it's fairly straightforward to build your own identity provider (thinktecture have one you can use as a starting point: http://weblogs.thinktecture.com/cweyer/2009/05/thinktecture-security-token-service-starter-kit---or-look-ma-even-i-can-have-a-sts.html) which you could use to 'bridge the gap' between some other authentication method and the ACS. You would just need to register it as a WS-Federation identity provider in the ACS using its FederationMetadata.xml file. Your identity provider would then need to determine whether the user is authentic or not.