ACS and LiveID : Is the ID consistent amongst RPs in the same account? ... across different accounts?

    Question

  • I need to determine what operations are safe to do with users who are using LiveID for authentication.  My backend relies on IDs to grant access to users, and that ID has to be consistent across migrations of my project.

     

    Can someone tell me if the unique ID returned for a user from the ACS is consistent between

    * Labs ACS and Prod ACS

    * Different relying parties in different subscriptions  (in prod)

    * Different RPs in the same subscription

    * If I delete and rebuild the RP to the same realm, same account

    Friday, April 08, 2011 8:50 PM

Answers

  • The user ID that you receive from ACS for Windows Live ID will be specific to that user at your service namespace.  If you use a different service namespace, you'll get a different value for the same user.  So to answer your questions:

    * Labs ACS and Prod ACS [Different IDs]

    * Different relying parties in different subscriptions (in prod) [Different IDs]

    * Different RPs in the same subscription [Same ID if the service namespace is the same, different for 2 namespaces in the same subscription]

    * If I delete and rebuild the RP to the same realm, same account [Same ID]

    Friday, April 08, 2011 10:58 PM
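
One way a backend can absorb the namespace-scoped IDs described in the answer above, as an added example that is not part of the original thread or any ACS API: key each account link on the (service namespace, user ID) pair and authorize on an internal ID you mint yourself. The class, method names and sample values are assumptions constructed for illustration.

```python
import uuid


class IdentityLinkStore:
    """Maps (ACS service namespace, ACS-issued user ID) to an internal user ID.

    The RP realm is deliberately not part of the key: per the answer, every RP
    in one service namespace sees the same ID for the same Live ID user.
    """

    def __init__(self):
        self._links = {}  # (namespace, acs_user_id) -> internal_id

    def resolve(self, namespace, acs_user_id):
        """Return the internal ID for a token's identity, or None if unknown."""
        return self._links.get((namespace, acs_user_id))

    def register(self, namespace, acs_user_id):
        """First sign-in: mint the internal ID that the backend authorizes on."""
        key = (namespace, acs_user_id)
        if key in self._links:
            raise ValueError("identity is already linked to an account")
        internal_id = str(uuid.uuid4())
        self._links[key] = internal_id
        return internal_id

    def link(self, session_internal_id, namespace, acs_user_id):
        """Attach the ID issued by another namespace to an existing account.

        session_internal_id must come from a session the user has already
        authenticated through a namespace that is linked (the re-verification).
        """
        if session_internal_id not in self._links.values():
            raise KeyError("unknown internal account")
        owner = self._links.setdefault((namespace, acs_user_id), session_internal_id)
        if owner != session_internal_id:
            raise PermissionError("identity belongs to a different account")
        return owner


def demo():
    # Constructed sample values; real ACS IDs are opaque strings.
    store = IdentityLinkStore()
    uid = store.register("contoso-labs", "labs-opaque-id-1")
    before = store.resolve("contoso-prod", "prod-opaque-id-1")  # None: new namespace
    store.link(uid, "contoso-prod", "prod-opaque-id-1")
    after = store.resolve("contoso-prod", "prod-opaque-id-1")
    return uid, before, after
```

Because the backend grants access on the internal ID, moving between service namespaces only adds a row to the link table instead of changing the key that permissions hang on.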

All replies

  • Thanks Oren

     

    Since the Azure ServiceBus/ACS FAQ mentions the need to purchase multiple namespaces if

    (1) More than one connection pack is needed (for example two packs of 100)

    (2) According to support, if I exceed the maximum number of Service Identities (default is 200 max, ??? is system max)

    How can I consider using LiveID for my production application if I have to re-verify the user for each ACS namespace that is dictated by the ACS architecture?

     

    Is this considered a bug? Are there workarounds planned?

     


    Saturday, April 09, 2011 2:03 AM
  • Can you explain more about your scenario?  If you're going to try using multiple ACS service namespaces to authenticate to the same service, how are you going to decide which namespace to send your users to?
    Tuesday, April 12, 2011 6:27 PM
  • I'm still in the design phase, and am still sorting out the feasibility of different approaches.  One requirement of multiple namespaces depends on the restrictions put in place on the ACS service.

    If I outgrow the ACS, which is likely given the current limits, I must come up with a solution or an alternate method of authentication.

    I haven't yet figured out how to associate users to namespaces... since I have yet to hear back from the ACS support team to determine how rigid the limitations are.

    Tuesday, April 12, 2011 7:36 PM