![\"image\"](\"http:\/\/cloudidentity.com\/blog\/wp-content\/uploads\/2011\/05\/3513.image_5F00_5A0D9415.png\" "\\"image\\"")
<\/a><\/p>\nSome of you may also know that ACS integrates with Yahoo! and Google using OpenID, however from your point of view that doesn\u2019t matter much: the details are abstracted away by ACS.<\/p>\n
A less-known factlet is that ACS also supports integration with other OpenId providers: however that capability is not exposed via portal, you can only set it up via management APIs. We do have a tutorial which shows you how to do that step by step using myOpenID<\/a>, you can find it here<\/a>. <\/p>\n It\u2019s not hard, that\u2019s just OData after all, but it is still 6 printed pages<\/em>. Now, how would you feel if I\u2019d tell you that if you use the ACS cmdlets<\/a> you can do exactly the same in ONE line of PowerShell code<\/u><\/em><\/strong>? Mind == blown, right? Here we go: <\/p>\n PS C:UsersvittorioDesktop> Add-IdentityProvider<\/strong> \u2013Namespace \u201cmyacsnamespace\u201d \u2013ManagementKey \u201cXXXXXXXX\u201d -Type "Manual" -Name "myOpenID" -Protocol OpenId \u2013SignInAddress \u201c<\/font>http:\/\/www.myopenid.com\/server<\/font><\/a>\u201d<\/p>\n<\/blockquote>\n That\u2019s it! With the \u2013Manual switch I can explicitly create any IP type. In order to maintain my boast that one line of code is enough, I used the inlined syntax for passing the namespace and the management key directly. In the announcement post<\/a> I first obtained a management token with Get-AcsManagementToken<\/font><\/strong>, assigned it to a variable and passed it along for all subsequent commands, which is more appropriate for longer scripts (hence from now on I\u2019ll use it instead).<\/p>\n That did the equivalent of the tutorial: however, that\u2019 not enough to use myOpenID with the application yet. We still need to create rules that will add some claims or ACS won\u2019t even send a token back. Luckily, that\u2019s just another line of PowerShell code:<\/p>\n PS C:UsersvittorioDesktop> Add-Rule<\/strong><\/font> -MgmtToken $mgmtToken -GroupName "Default Rule Group for myRP" -IdentityProviderName "myOpenID"<\/font><\/p>\n<\/blockquote>\n Here I didn\u2019t specify any input or output claim, which substantially ends up in a pass-through rule. NOW we\u2019re ready! Let\u2019s see what happens if I hit F5 on a plain vanilla Windows Azure webrole project where I added the SecurityTokenDisplayControl (you can find the VS2010 version in the identity training kit<\/a> labs about ACS).<\/p>\n Oh hello myOpenID option! I\u2019s there, good sign. Let\u2019s hit it.<\/p>\n As expected, we end up on the auth page of openID. Once successfully authenticated, we get to the consent page:<\/p>\n Note that the consent does not mention any attributes, this fact will become relevant in a moment. Let\u2019s click continue and\u2026<\/p>\n congratulations! You just added an arbitrary OpenID provider, and all it took was just 2 lines of PowerShell (without even touching your application or opening the ACS management portal).<\/p>\n Now, you may notice one thing about this transaction: we got an awfully low amount of information about the user, just the OpenID handle in fact. I am not very deep in OpenID, I\u2019ll readily admit. Luckily Oren, Chao and Andrew from the ACS team came to the rescue (thank you guys) and explained that ACS gets claims in OpenID via Attribute Exchange, which myOpenID does not support (they use Simple Registration<\/a>).<\/p>\n Bummer! I really wanted to show passing name and email. Luckily adding another OpenID provider which supports AX is just a matter of hitting the up arrow a couple of times in the PowerShell ISE and change the name and signin address accordingly. In the end I settled with http:\/\/hyves.net<\/a>, since I was just recently in the Netherlands<\/a> Add-IdentityProvider<\/strong> -MgmtToken $mgmtToken -Type "Manual" -Name "hyves.net OpenID" -Protocol OpenId -SignInAddress <\/font>https:\/\/openid.hyves-api.nl\/<\/font><\/a><\/p>\n Add-Rule<\/strong> -MgmtToken $mgmtToken -GroupName "Default Rule Group for myRP" -IdentityProviderName "hyves.net OpenID"<\/font><\/p>\n<\/blockquote>\n Another F5\u2026<\/p>\n \u2026and the new option for hyves.net shows up. Good! Let\u2019s hit it.<\/p>\n We get to their auth page. Let\u2019s log in, we\u2019ll get to the consent page.<\/p>\n Now this looks more promising. Hyves.net asks permission to share the email address with the ACS endpoint, as expected. Let\u2019s grant it and see what happens.<\/p>\n <\/p>\n\n
\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/p>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n