My relying party application uses Windows Azure ACS for user Authentication. I have ACS configured to use Windows Azure Active Directory (WAAD) as an identity provider. This is working for the most part and users can sign into my application using identities I have provisioned for them in WAAD. However, the problem I have is that if a user is signed into another Microsoft account, and in the same browser instance tries to sign into my application they get an ugly ACS error "ACS20012: The request is not a valid WS-Federation protocol message". For example, if I open Chrome and sign into the Windows Azure Management Portal using my Windows Live Id, and then open a new tab and try to sign into my custom app I will get that error. If I open a new browser or clear my cookies I can sign in just fine.

Shouldn't I be able to sign into both apps in the same browser instance?

Nathan

1 Answer

Nope.

This is like asking to be signed into two Google Accounts (or two Live IDs, or any two accounts) in the same browser instance (which actually might be possible using Chrome, but in the general case the answer is NO). This is simply impossible today.

It is, however, ugly to see that error message on the ACS site. Have you configured an Error URL for your relying party application in ACS? Although this property is optional, I strongly advise customers to actually use it, and to properly handle requests to it. I haven't tried your particular scenario, but I assume ACS will redirect the user to the Error URL once you configure it, so you at least know what happens.

Please configure the Error URL for your Relying Party and let us know whether the user is redirected to your site. You should then be able to generate a proper error message.

UPDATE

If you say this only happens when you are logged in to the Azure management portal, then this (my speculation!) is almost the same as signing in with WAAD. Since the GA of WAAD there have been some changes. If you follow the actual login flow with Fiddler, you will notice that sign-in to the management portal has a slightly different flow than sign-in to Hotmail, for instance. If you sign in to Hotmail, you are just redirected to login.live.com, you log in and head back to Hotmail.

Now if you inspect the traffic when navigating to manage.windowsazure.com you will notice that there is a first redirect to login.microsoftonline.com (this is handled by WAAD!). Then there is a redirect to login.live.com (this is for your Live ID account). My speculation here is that WAAD, from login.microsoftonline.com, federates Live ID (login.live.com) for authentication. That's why you are actually logged in with WAAD, and that's why your app fails.

Please perform the following experiment to confirm whether I am wrong or not:

  1. Delete all your browser's cookies
  2. Go to Hotmail and login with your Live ID account
  3. Now open new tab and open your custom application that federates WAAD via ACS

I suspect that now you will be able to login to your application.

astaykov
  • I'm not sure the analogy of signing into multiple Google accounts at the same time in the same browser applies. First, I am not trying to sign in twice to the same STS, or at least not the same instance. My Azure ACS is myapp.accesscontrol.windows.net, and if the Windows Azure Management portal is using ACS (I don't know if they are or not), they are certainly on a different instance. Also the IdPs are not the same, one is a LiveId and one is WAAD. This still seems like it should work. What am I missing? – Nathan Apr 17 '13 at 19:16
  • I tried the Hotmail experiment, and it worked as you expected. I could sign into Hotmail (now Outlook.com), and then in another tab I can sign into my app. But if I sign into the Azure Management Portal and then try it I get the error. Thanks for your help. Also, thanks for the updated link on how to have multiple user accounts in Chrome, I didn't know about that feature and it looks useful. – Nathan Apr 17 '13 at 19:51
  • cool! :) And yet, please configure the Error URL for your relying party app to prevent your users from seeing the ugly ACS error page if any other error happens. Btw, an error will also be generated if the user `denies` access to your application via Social Login. The very first time you sign in to your application with [Google/FaceBook/Yahoo], the respective social login asks the user to give permission to your [namespace].accesscontrol.windows.net namespace. If the user denies, then he will see the ACS error again. – astaykov Apr 17 '13 at 19:55
  • You can be logged in to multiple Google accounts at the same time. Google will ask which account you want to use. – Eugenio Pace Apr 18 '13 at 00:30
  • hmm, never tried that. But certainly you cannot be logged in to multiple WAAD accounts with the same browser instance ... – astaykov Apr 18 '13 at 04:51
  • @astaykov, about the ugly error. I actually do have the "Error URL" set for my relying party application in ACS. If I do something like try to sign in with my Google account and reject the request, I will get redirected to my application's Error URL. However, in this case of multiple WAAD accounts it does not redirect me. I get an ugly error page from "https://login.windows.net/". – Nathan Apr 18 '13 at 22:23
  • Yes, not with WAAD. I have 3 Google Accounts and I switch between them regularly. Works great! Doing Id related stuff all day, I've learnt to love incognito and private browsing. I agree it could be confusing. – Eugenio Pace Apr 18 '13 at 23:09
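The answer and the comments keep coming back to the relying party's Error URL: when ACS can redirect an error to your application (a denied consent, or in general any failure that ACS itself handles), you should render your own page rather than let the user see the raw ACS error. The following is an added example, not code from the question, the answer, or ACS itself. It is written in Python so the logic is easy to read; a real ACS relying party would typically be ASP.NET, but the handling is the same. It assumes ACS POSTs a form field named `ErrorDetails` carrying JSON with `errors` (a list of `errorCode`/`errorMessage` pairs), `identityProvider`, `httpReturnCode` and `traceId`; those key names are an assumption here, so check them against your own tenant's traffic in Fiddler. The `ACS20012` code is the one from the question; the sample POST and its trace id are constructed.

```python
"""Handle the POST that Azure ACS sends to a relying party's Error URL.

Assumption (not taken from the question): ACS posts a form field named
``ErrorDetails`` whose value is JSON shaped like SAMPLE_FORM below. Verify
the key names against your own tenant before relying on them.
"""
import html
import json
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("acs_error_url")

# Codes this relying party knows how to explain to a user. ACS20012 is the
# code quoted in the question; any other code gets the generic text.
FRIENDLY = {
    "ACS20012": (
        "Your sign-in request was not accepted because another Microsoft "
        "account is already signed in in this browser. Sign out of it or use "
        "a private window, then try again."
    ),
}
GENERIC = ("Sign-in failed. Please try again and quote the reference id "
           "if you contact support.")
# Only a GUID-shaped trace id is ever reflected back to the user.
TRACE_ID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


@dataclass
class AcsError:
    codes: list
    identity_provider: str
    http_code: int
    trace_id: str
    user_message: str


def parse_error_details(form: dict) -> AcsError:
    """Parse the ErrorDetails JSON out of the form POSTed to the Error URL."""
    raw = form.get("ErrorDetails")
    if not raw:
        raise ValueError("ErrorDetails field missing")
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("ErrorDetails is not valid JSON") from exc
    if not isinstance(details, dict):
        raise ValueError("ErrorDetails is not a JSON object")

    codes = [str(e.get("errorCode", ""))
             for e in details.get("errors") or [] if isinstance(e, dict)]
    trace_id = str(details.get("traceId", ""))
    if not TRACE_ID_RE.fullmatch(trace_id):
        trace_id = "unavailable"      # logged below, never rendered
    try:
        http_code = int(details.get("httpReturnCode", 0))
    except (TypeError, ValueError):
        http_code = 0
    # First known code wins; the raw errorMessage text never reaches the user.
    user_message = next((FRIENDLY[c] for c in codes if c in FRIENDLY), GENERIC)
    return AcsError(codes, str(details.get("identityProvider", "")),
                    http_code, trace_id, user_message)


def render_error_page(err: AcsError) -> str:
    """Build the page shown in place of the ACS error page (all text escaped)."""
    return (
        "<html><body><h1>Sign-in problem</h1>"
        f"<p>{html.escape(err.user_message)}</p>"
        f"<p>Reference id: <code>{html.escape(err.trace_id)}</code></p>"
        "</body></html>"
    )


def handle_error_post(form: dict) -> tuple:
    """Entry point for the Error URL route: log full details, return (status, body)."""
    try:
        err = parse_error_details(form)
    except ValueError as exc:
        log.warning("malformed ACS error post: %s", exc)
        return 400, render_error_page(AcsError([], "", 0, "unavailable", GENERIC))
    log.error("ACS sign-in error codes=%s idp=%s http=%s trace=%s",
              err.codes, err.identity_provider, err.http_code, err.trace_id)
    return 200, render_error_page(err)


# Constructed sample of such a POST; not captured from a real ACS namespace.
SAMPLE_FORM = {
    "ErrorDetails": json.dumps({
        "context": None,
        "httpReturnCode": 400,
        "identityProvider": "WAAD-example",
        "timeStamp": "2013-04-17 19:16:00Z",
        "traceId": "11111111-2222-3333-4444-555555555555",
        "errors": [{"errorCode": "ACS20012",
                    "errorMessage": "The request is not a valid "
                                    "WS-Federation protocol message."}],
    })
}

if __name__ == "__main__":
    status, body = handle_error_post(SAMPLE_FORM)
    print(status)
    print(body)
```

The point of the design is that everything ACS tells you (codes, identity provider, HTTP code, trace id) goes to your server-side log, while the user sees only a message you wrote plus a reference id they can quote; the trace id is checked against a GUID pattern before it is reflected, so a malformed POST to the Error URL cannot inject arbitrary text into your page. As Nathan's last comment notes, the case from the question where login.windows.net itself renders the error never reaches this handler, so it only covers errors ACS is able to redirect.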