Channel: Azure Active Directory forum

Windows Azure AD Access Control and Windows Live (Microsoft account)


I have been using ACS for 18 months and it has worked just great. I now however have a scenario whereby I need to migrate an extranet application that uses ACS to federate authentication to Windows Live (Microsoft), Google and Yahoo! to a new Azure subscription. This is not a problem for those users who authenticate via Google and Yahoo! as the claim used for identity is their email address - so I can simply plug in the new ACS namespace, point the authentication module at the new namespace and the users can log in as before and be associated with their existing profile. All permissions granted (i.e. authorization) are on the email claim and thus all works as expected. Seamless.

Now the catch. As we all know Microsoft do not provide an email claim for security and privacy reasons and so in the current solution these users are authorized via the provided nameidentifier claim (or PUID). The PUID is unique to the namespace. Or so I thought. My plan was to delete the namespace and recreate it exactly the same, e.g. blah.accesscontrol.windows.net is deleted and a new namespace created with blah.accesscontrol.windows.net. My thinking was that this would mean that the PUID passed through ACS as the nameidentifier claim would therefore be the same for registered users and so I could make this change behind the scenes with the users having no knowledge of it. However, my tests appear to show that even with an identical namespace within the same subscription a user will have different PUIDs with each and so any existing profile would be lost and the user would have no access to secure areas. Am I missing something?

One solution would be to contact all users authenticating with Microsoft accounts and ask them to re-register. I could then remap authorization rules to their new profiles.

A second and more involved solution may be to somehow integrate ACS with the Live Connect API using OAuth 2.0, thus retrieving the users email address (with their permission) and using this as the claim for authorization. I fear this would be a lot of work and introduces additional complexity for those users. Is this sensible and/or feasible? Anyone got any pointers on this? I know ACS now supports OAuth 2.0 but am unclear how this can be used subsequent to the authentication process and how ACS can be used to aid with the renew token so that the user is not continually asked for permission to share their email address.

All suggestions gratefully received!


Ceej
www.3guysonsharepoint.com
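One way to model the first option from the post (ask Microsoft-account users to re-register and remap them), as an added Python example that is not from the post or from ACS: profiles are keyed by (identity provider, stable claim), email for Google and Yahoo! and the nameidentifier (PUID) for Microsoft accounts, and a one-time link code issued out of band binds the PUID minted under the new namespace to the user's existing profile. The claim-type URIs and the `uri:WindowsLiveID` provider value are assumptions to be checked against the namespace's rule group.

```python
import secrets

# Claim type URIs as emitted by ACS (assumption: verify against your rule group).
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
IDP = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
EMAIL_IDPS = {"Google", "Yahoo!"}   # providers that pass an email claim through
MICROSOFT = "uri:WindowsLiveID"     # assumed identityprovider value for Microsoft accounts


def profile_key(claims):
    """Stable lookup key: email where the provider gives one, else the PUID.
    The PUID is only stable within one ACS namespace, which is the migration problem."""
    idp = claims[IDP]
    if idp in EMAIL_IDPS:
        return (idp, claims[EMAIL].lower())
    return (idp, claims[NAMEID])


class ProfileStore:
    def __init__(self):
        self.by_key = {}      # (idp, claim value) -> profile id
        self.link_codes = {}  # one-time link code -> profile id

    def add(self, key, profile_id):
        self.by_key[key] = profile_id

    def resolve(self, claims):
        """Profile for an incoming token, or None if the key is unknown."""
        return self.by_key.get(profile_key(claims))

    def issue_link_code(self, profile_id):
        """Unguessable single-use code, delivered to the user out of band."""
        code = secrets.token_urlsafe(16)
        self.link_codes[code] = profile_id
        return code

    def relink(self, claims, code):
        """Bind the new-namespace PUID to the old profile; consumes the code."""
        profile_id = self.link_codes.pop(code, None)
        if profile_id is None:
            return None
        new_key = profile_key(claims)
        # Retire the old-namespace key for this provider so that two PUIDs
        # never resolve to the same profile.
        stale = [k for k, v in self.by_key.items() if v == profile_id and k[0] == new_key[0]]
        for k in stale:
            del self.by_key[k]
        self.by_key[new_key] = profile_id
        return profile_id
```

Google and Yahoo! users resolve unchanged across the move because their key is the email claim; only the Microsoft-account entries need the relink step.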

