Reputation: 517
I'm not even sure that this is possible but I am not able to find a clear answer in any kbs, help or documentation.
I have a WebAPI which is secured via ACS. An application uses a service identity to authenticate via ACS with my WebAPI to allow access. What I would like to do is have claims presented for the service identity to identify the individual identities. i.e. Service Identity A presents a type and id for example and Service Identity B presents different values for the same claim types, and then my WebAPI can authorize particular calls based on the claim values.
Currently I have this implemented via a Rule Group using Output Claims with Claim Values set via the ACS Portal however the rule group is applied to all service identities accessing the relying application (My WebAPI), what I need is to have the service identities each having differing claim values.
As all communication is service to service I planned on using ACS and not another Identity Provider such as Live/Microsoft Account or Google. However at present the only conclusion I can come to is implementing my own custom STS to provide the Claims Values.
I hope I've explained my scenario clearly can anyone help at all, how do I set claim values for individual Service Identities or should I be doing this a different way?
Thanks
Andrew
Upvotes: 1
Views: 2133
Reputation: 517
I managed to resolve this just before I left the office for the Christmas/New Year break and wanted to note how I resolved the issue for anyone else who might find it useful.
I stepped back from the problem and came back to it with a fresh view. As my application authenticates based on service identity and the authentication is between a service calling my service(s) there will not be a large number of service identities to authenticate against. Therefore for my requirements I am able to utilise rule groups to provide claims based on a supplied claim.
All of my Windows Azure Access Control Service Identities present a nameidentifier claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) and so for each new Service Identity I have created a new Rule Group in the ACS Portal:
Once this new Rule Group is created I chose to add a Rule as below. I have selected that the InputClaim Issuer is the Access Control Service as the ACS is supplying the token to authenticate with my service. Next I select the input claim type I am expecting to receive, which I am checking for in my If statement. Therefore in the example below, if the nameidentifier claim provided has a value of StackOverflow (the name of the Service Identity I am expecting) then I wish to return the Country output claim with a value of UK with the token returned by ACS. I have also added additional rules to add further output claims where required. This allowed me to return the correct claims and values for the corresponding service identities.
Finally I went to my list of Relying Party Applications and selected my relying party application (my service) and selected the new Rule Group I had created.
This approach has resolved my issue and has enabled me to now read the claims from the token provided to my REST service and make decisions based on the values provided. I'd started out looking for a much more complicated approach, and found that when I stepped back and looked at the requirement clearly I was able to achieve it with core ACS functionality. Hope this helps someone else with similar requirements.
Upvotes: 1
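As an added illustration (not code from the question or the answers), the rule-group logic the answer describes modelled in Python: one rule group per service identity keyed on the nameidentifier claim, emitting a per-identity Country output claim, plus the relying-party check that only trusts a Country claim if ACS issued it. The claim type names and the `ACS_ISSUER` label are assumptions for the model, not ACS API identifiers.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed labels for this model (ACS itself shows the issuer as "Access Control Service").
ACS_ISSUER = "ACS"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
COUNTRY = "Country"  # custom output claim type used in the answer


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str  # who asserted the claim; the relying party must check this


@dataclass(frozen=True)
class Rule:
    in_issuer: str
    in_type: str
    in_value: Optional[str]   # None = match any value (pass-through style rule)
    out_type: str
    out_value: Optional[str]  # None = copy the input value into the output claim


def apply_rules(rules: List[Rule], input_claims: List[Claim]) -> List[Claim]:
    """Evaluate an ACS-style rule group: every matching rule emits one output claim."""
    out = []
    for c in input_claims:
        for r in rules:
            if c.issuer == r.in_issuer and c.type == r.in_type and r.in_value in (None, c.value):
                value = c.value if r.out_value is None else r.out_value
                out.append(Claim(r.out_type, value, ACS_ISSUER))
    return out


# Rule group for the service identity named "StackOverflow" (constructed sample, as in the answer).
RULE_GROUP_STACKOVERFLOW = [
    Rule(ACS_ISSUER, NAME_ID, "StackOverflow", COUNTRY, "UK"),  # if nameidentifier == StackOverflow -> Country=UK
    Rule(ACS_ISSUER, NAME_ID, None, NAME_ID, None),             # pass nameidentifier through unchanged
]


def authorize(token_claims: List[Claim], required_country: str) -> bool:
    """Relying-party decision: a Country claim only counts if ACS (not the caller) issued it."""
    countries = {c.value for c in token_claims if c.type == COUNTRY and c.issuer == ACS_ISSUER}
    return required_country in countries
```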
Reputation: 18482
IIRC the application creates its own tokens and signs them with the cert/symm key - the claims in that token then become inputs in the rules engine...
..but it's been a while ;)
Upvotes: 2