Google as an ACS Identity Provider

Updated: June 19, 2015

Applies To: Azure

Important

ACS namespaces can migrate their Google identity provider configurations from OpenID 2.0 to OpenID Connect. Migration must be completed before June 1, 2015. For detailed guidance, see Migrating ACS Namespaces to Google OpenID Connect.

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) supports federation with Google as an identity provider using the OpenID 2.0 authentication protocol (namespaces that have completed the migration described in the note above use OpenID Connect instead). Google is a preconfigured identity provider in ACS, so there are no prerequisites for adding Google as an identity provider in an Access Control namespace.

Configuring with the ACS Management Portal

You have to configure the following settings when you add Google as an identity provider using the ACS Management Portal:

  • Login link text—Specifies the text that is displayed for the Google identity provider on the login page of your web application. For more information, see Login Pages and Home Realm Discovery.

  • Image URL (optional)—Associates a URL with an image file (for example, a logo of your choice) that is displayed as the login link for this identity provider. The logo automatically appears on the default login page for your ACS-aware web application, and its URL is also included in the JSON feed that your web application can use to render a custom login page. If you do not specify an image URL, a text login link for this identity provider is displayed on the login page of your web application. If you do specify an image URL, point it at a source you control, for example your own web site or application, and use HTTPS: the browser loads the image from that URL on every sign-in, so an HTTP URL produces mixed-content warnings on the HTTPS login page and lets anyone on the network path swap the logo. Any image larger than 240 pixels wide by 40 pixels high is automatically resized on the default ACS home realm discovery page.

  • Relying party application—Specifies all existing relying party applications that you want to associate with the Google identity provider. For more information, see Relying Party Applications.

After an identity provider is associated with a relying party application, rules for that identity provider must be generated or added manually in a relying party application’s rule group to complete the configuration. For more information about creating rules, see Rule Groups and Rules.

Supported claim types

After a user authenticates with an identity provider, ACS receives a token populated with identity claims. Claims are pieces of information about the user, such as an email address or a unique ID. ACS can pass these claims through unchanged to the relying party application, or transform them with rules (for example, issuing a role claim when an email address has a particular value) so that the relying party can make authorization decisions based on them.

By default, claim types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identify claims in other token formats.

The following table shows the claim types that are available to ACS from Google.

Claim type: Name Identifier
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Description: A unique identifier for the user account, provided by Google. Use this value, rather than the email address, as the key for the user's account in the relying party application.

Claim type: Name
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Description: The display name for the user account, provided by Google.

Claim type: Email Address
URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Description: The email address for the user account, provided by Google.

Claim type: Identity Provider
URI: http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider
Description: A claim added by ACS that tells the relying party application that the user authenticated using the default Google identity provider. The value of this claim is visible in the ACS Management Portal via the Realm field on the Edit Identity Provider page. A relying party that accepts more than one identity provider should check this claim before trusting the Name Identifier, because identifiers issued by different identity providers are not guaranteed to be distinct.
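The following is an added example, not code from ACS or from this page, that models the two sides of the configuration described above: the rule group that turns Google's input claims into the claims ACS issues (pass-through rules plus one custom rule), and a relying party that consumes the issued token by checking the Identity Provider claim and keying the account on the Name Identifier. The claim type URIs are the ones in the table; the rule engine, the ROLE output claim type, the issuer string "ACS" and the sample Google claims are constructed for illustration.

```python
"""Model of ACS rule processing and relying-party claim handling for the Google IdP.

Added example; the Rule/Claim types, ROLE URI and sample data are assumptions,
not ACS product code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Claim type URIs from the table above.
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
IDENTITY_PROVIDER = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/IdentityProvider"
# Output claim type emitted by the custom rule below (assumed; any URI the RP agrees on works).
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

GOOGLE_ISSUER = "Google"  # the Realm shown on the Edit Identity Provider page
ACS_ISSUER = "ACS"        # issuer of the claims in the token ACS hands the RP (assumed label)


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class Rule:
    """One rule: match an input claim by issuer, optional type and optional value, emit an output claim.

    A None output_type/output_value means 'pass the input value through unchanged'.
    """
    input_issuer: str
    input_type: Optional[str] = None
    input_value: Optional[str] = None
    output_type: Optional[str] = None
    output_value: Optional[str] = None

    def matches(self, c: Claim) -> bool:
        return (c.issuer == self.input_issuer
                and self.input_type in (None, c.type)
                and self.input_value in (None, c.value))

    def apply(self, c: Claim) -> Claim:
        return Claim(self.output_type or c.type, self.output_value or c.value, ACS_ISSUER)


def generate_passthrough_rules(issuer: str, claim_types: Iterable[str]) -> List[Rule]:
    """What 'Generate' in a rule group does: one pass-through rule per claim type the IdP emits."""
    return [Rule(input_issuer=issuer, input_type=t) for t in claim_types]


def evaluate_rules(rules: Iterable[Rule], input_claims: Iterable[Claim], issuer_realm: str) -> List[Claim]:
    """Input claims with no matching rule are dropped; ACS always adds the Identity Provider claim."""
    issued = [r.apply(c) for c in input_claims for r in rules if r.matches(c)]
    issued.append(Claim(IDENTITY_PROVIDER, issuer_realm, ACS_ISSUER))
    return issued


def single_value(claims: Iterable[Claim], claim_type: str) -> str:
    """Require exactly one value for claim types the RP keys decisions on."""
    values = {c.value for c in claims if c.type == claim_type}
    if len(values) != 1:
        raise ValueError(f"expected exactly one {claim_type} claim, got {len(values)}")
    return values.pop()


def accept_google_token(claims: List[Claim]) -> Dict[str, object]:
    """Relying-party side: trust the Name Identifier only if ACS says the user came through Google."""
    if single_value(claims, IDENTITY_PROVIDER) != GOOGLE_ISSUER:
        raise PermissionError("token was not issued for a Google sign-in")
    subject = single_value(claims, NAME_IDENTIFIER)
    return {
        "account_key": f"{GOOGLE_ISSUER}:{subject}",  # stable key; email is informational only
        "display_name": next((c.value for c in claims if c.type == NAME), None),
        "email": next((c.value for c in claims if c.type == EMAIL), None),
        "roles": sorted(c.value for c in claims if c.type == ROLE),
    }


# Constructed sample of what Google hands ACS after a successful sign-in.
SAMPLE_GOOGLE_CLAIMS = [
    Claim(NAME_IDENTIFIER, "108354127349812734981", GOOGLE_ISSUER),
    Claim(NAME, "Alice Example", GOOGLE_ISSUER),
    Claim(EMAIL, "alice@example.com", GOOGLE_ISSUER),
]

# Generated pass-through rules plus one manually added rule that grants a role to one email address.
RULES = generate_passthrough_rules(GOOGLE_ISSUER, [NAME_IDENTIFIER, NAME, EMAIL]) + [
    Rule(input_issuer=GOOGLE_ISSUER, input_type=EMAIL, input_value="alice@example.com",
         output_type=ROLE, output_value="admin"),
]


def demo() -> Dict[str, object]:
    return accept_google_token(evaluate_rules(RULES, SAMPLE_GOOGLE_CLAIMS, GOOGLE_ISSUER))


if __name__ == "__main__":
    print(demo())
```

The relying party deliberately refuses tokens with zero or several Name Identifier or Identity Provider claims, and refuses any token whose Identity Provider claim is not "Google", so a Name Identifier that happens to collide with one from another identity provider cannot be used to log in as the Google user.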

See Also

Concepts

Identity Providers