Access Control Service – Why not to rely on the nameidentifier claim
March 10, 2012
Over the past week, while preparing http://www.goeleven.com/ for a migration to our production account on Windows Azure, I learned an important lesson that I would like to share with you, so that you don’t have to make the same mistake I did.
The web front end outsources authentication to various identity providers through the Windows Azure Access Control Service. All of these identity providers issue a common claim that can be used to identify the user: the nameidentifier claim. The value of the nameidentifier is unique per user and per application. But when there is a party in the middle, such as the Access Control Service, the value of the nameidentifier is actually unique per user per Access Control Service instance, because the identity provider considers the Access Control Service instance to be the application.
This prevents you from performing a number of operations on your Access Control Service namespace, because the value of the nameidentifier changes when you switch Access Control Service instances; in other words, you lose your customers.
Things you can no longer provide are:
- Migration of your namespace
- Disaster recovery
- High availability
- Geographic proximity for travelling users
Therefore it’s better to correlate the user’s information with an identity on another claim, the email address for example, which remains stable across different Access Control Service instances.
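To make the failure mode concrete, here is a small Python simulation (added here; it is not code from goeleven.com or from the Access Control Service). A stand-in identity provider derives the nameidentifier from the user and the audience it sees, which behind ACS is the ACS namespace, and an account store indexes users both by nameidentifier and by a stable claim. After a namespace migration the nameidentifier lookup misses while the email lookup still resolves, and a user whose provider supplied no email claim is flagged as unrecoverable. The namespace names, secret and email addresses are constructed, and the claim type names are shortened (real ACS tokens carry the full claim URIs).

```python
import hashlib
import hmac

IDP_SECRET = b"constructed-idp-secret"   # constructed; a real IdP keeps its own key

# Claim types a user can be correlated on across ACS instances.
STABLE_CLAIMS = ("emailaddress",)


def issue_claims(user_email, acs_namespace, include_email=True):
    """Simulated identity-provider token for one login, returned as a dict.

    The nameidentifier is pairwise: derived from the user and the audience the
    identity provider sees. Behind ACS that audience is the ACS namespace, so the
    same user gets a different nameidentifier from every ACS instance.
    """
    pairwise = hmac.new(IDP_SECRET, f"{user_email}|{acs_namespace}".encode(),
                        hashlib.sha256).hexdigest()[:20]
    claims = {"nameidentifier": pairwise, "identityprovider": "ConstructedIdP"}
    if include_email:          # a Live ID-style provider would omit this
        claims["emailaddress"] = user_email
    return claims


class AccountStore:
    """Keeps every claim seen at registration and indexes accounts both ways."""

    def __init__(self):
        self.accounts = {}      # account id -> all claims from the first login
        self._by_nameid = {}    # nameidentifier -> account id
        self._by_stable = {}    # (claim type, value) -> account id

    def register(self, claims):
        account_id = f"acct-{len(self.accounts) + 1}"
        self.accounts[account_id] = dict(claims)   # save all claims, not just nameidentifier
        self._by_nameid[claims["nameidentifier"]] = account_id
        for claim_type in STABLE_CLAIMS:
            if claim_type in claims:
                self._by_stable[(claim_type, claims[claim_type])] = account_id
        return account_id

    def lookup_by_nameidentifier(self, claims):
        return self._by_nameid.get(claims["nameidentifier"])

    def lookup_by_stable_claim(self, claims):
        for claim_type in STABLE_CLAIMS:
            if claim_type in claims:
                return self._by_stable.get((claim_type, claims[claim_type]))
        return None   # no stable claim in the token

    def has_stable_claim(self, claims):
        return any(claim_type in claims for claim_type in STABLE_CLAIMS)


def simulate_migration():
    """Walk one user through an ACS namespace migration and report the lookups."""
    store = AccountStore()
    old_ns = "constructed-old.accesscontrol.windows.net"   # constructed namespace names
    new_ns = "constructed-new.accesscontrol.windows.net"

    # First login through the old namespace: account created, all claims saved.
    first = issue_claims("alice@example.com", old_ns)
    alice = store.register(first)

    # After migration the IdP sees a different audience, so nameidentifier changes.
    after = issue_claims("alice@example.com", new_ns)

    # A user whose provider only supplies nameidentifier cannot be correlated.
    store.register(issue_claims("bob@example.com", old_ns, include_email=False))
    bob_after = issue_claims("bob@example.com", new_ns, include_email=False)

    return {
        "account": alice,
        "nameid_changed": first["nameidentifier"] != after["nameidentifier"],
        "by_nameid_after_migration": store.lookup_by_nameidentifier(after),
        "by_email_after_migration": store.lookup_by_stable_claim(after),
        "bob_recoverable": store.has_stable_claim(bob_after),
    }


if __name__ == "__main__":
    for key, value in simulate_migration().items():
        print(f"{key}: {value}")
```

The design choice worth copying is in `register`: it persists the whole claim set at first login, so that even if the account was originally keyed on nameidentifier, a stable claim is still on record to re-key it later.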
The Live ID provider, however, does not provide any additional information besides the nameidentifier, so I’m sad to report that I will have to stop supporting it!
And to make matters worse, I did not save any of the other claims, so now I have to go beg all of my users to help me upgrade their account :(
So if you are a user of http://www.goeleven.com/ , please help me update your account:
- For Live ID users: log in with your account, navigate to profile > identities and associate any of the other providers.
- For non-Live ID users: just log in with your account; this will automatically fix your identity.
Thanks in advance…