SalesBuy
1-855-856-7678
Technical SupportSupport
Free Trial
*Internet Service Required
Changing Identity Provider for a User
Changing Identity Provider for a User
-
Tuesday, September 13, 2011 3:57 PM
We have an application that allows users to import data from a variety of third-party applications such as Facebook or Google. We are using the Azure ACS for our authentication, and everything works fine as long as the user logs in with the Identity provider for the third-party they want to import data from because we are able to extract data from their claims to authenticate the service calls (example: they login with the Google provider to import contacts from Gmail). The problem is when someone initially logs in with a different provider than the one they want to import data for (example: someone logs in with the Google provider but wants to import photos from Facebook). I have written a script which redirects them to the ACS url for the appropriate provider (so the Google user would be redirected to a Facebook login page for ACS) and the WS Federation response gets posted back to the standard redirect page, however the user's identity is still set the original Identity provider they logged in with.
My main question is how do I invalidate the previous identity and get the server to recognize that user as being authenticated with the new identity provider instead?
ZT
All Replies
-
Tuesday, September 13, 2011 7:09 PM
Assuming you are using WIF see here:
- http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/
- http://blog.sabratech.co.uk/2009/06/implementing-single-sign-out-scenario.html
However ACS does not support federated sign out... yet.
Developer Security MVP | www.steveonsecurity.com -
Friday, September 16, 2011 1:16 AM
zthorn,
What's the architecture? Is it web or rich client app?
let me echo bact at you to test my understanding:
1. you have an app - seems to my a rich client app.
2. you manage users using ACS
3. the rich app can make a call to gmail services or fb service API.
4. When signing with one IdP it fails to make a call to another as it keeps previously acquired token?
If that's correct and that's rich client app - you should maintain the tokens from different providers at the app level and use them with appropriate services from the relevant IdP. Example, FB can be accessed with access toke avail in the ACS token after succesful authentication
Example:
Helps?
alik levin | http://blogs.msdn.com/alikl | www.PracticeThis.com- Marked As Answer by MingXu-MSFTModerator Monday, September 19, 2011 6:06 AM
