ACS - bypassing user redirection to IdP?

2

I have only recently been looking into ACS, AAL, WAAD and I would like to avoid redirecting users to the login page of their IDP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with and an area to request a username and password, then acquire token via code. Is this possible?

I have been reviewing some sample applications and produce a quick mock-up, but cant seem to get things working e.g.

        _authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");

        string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('@') + 1);

        IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
        foreach (IdentityProviderDescriptor idpd in idpdList)
        {
            if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
            {
                Credential credential;
                credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);

                _assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);

                return;
            }
        }

Using the code above, when I try to use the Windows Azure Active Directory User (admin), i get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to acquiretoken.

When I use Google, I get an error "0x8010000C: No identity provider matches the requested protocol".

If there is a working sample? if I am doing something obviously wrong, I would appreciate the correction.

acs
asked on Stack Overflow Mar 5, 2013 by user2135771 • edited Mar 5, 2013 by AndreyAkinshin

2 Answers

1

This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.

This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.

The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.

answered on Stack Overflow Mar 5, 2013 by Oren Melzer
0

I had the same error, executing a powerscript solved that error

PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses -Address https://mydomain.accesscontrol.windows.net/

PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames @("https://mydomain.accesscontrol.windows.net/") -DisplayName "MyDomain Namespace" -Addresses $replyUrl

But i'm stuck anyway with a 403 permission error

If you get any further i would like to know how :)

answered on Stack Overflow Apr 5, 2013 by rfcdejong

User contributions licensed under CC BY-SA 3.0