I am successfully using ACS to log in to a web application using Windows Live, Facebook and Google.

Google includes the service namespace in the confirmation message, as below:

(myservicenamespace).accesscontrol.windows.net is asking for some information from your Google Account. To see and approve the request, sign in.

This is correct behaviour, I suppose, because as a user you want to know what is asking for the claim. Windows Live doesn't show anything, and Facebook uses the application name that was set up.

Obviously for users it can be confusing seeing the Google rigour. You come from mydomain.com, and are approving myfunnynamespace.accesscontrol.windows.net.

Is there any way to pass information to Google that will make more sense to the user? I get that you can't change the URL, which Google is looking for. But can ACS pass additional info, such as an application name, or can an 'app' be created like with Facebook?

SliverNinja - MSFT
Simon Munro
  • Can you add a DNS **CNAME** that points to `myfunnynamespace.accesscontrol.windows.net`? `myfriendlyname.mydomain.com` → `myfunnynamespace.accesscontrol.windows.net` – SliverNinja - MSFT May 16 '13 at 19:24
  • I thought of that, but am not sure that it would work. Besides it would have to be https, and certificates may be an issue – Simon Munro May 16 '13 at 19:29
  • I guess [this is a feature request](http://www.mygreatwindowsazureidea.com/forums/34192-windows-azure-feature-voting/suggestions/3648112-custom-domain-in-acs) - the [CNAME route doesn't yet exist](http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/60fb6922-2b68-4437-9ae4-79743f34ebd9/) like it does for [other Azure features](http://www.windowsazure.com/en-us/develop/net/common-tasks/custom-dns/). – SliverNinja - MSFT May 16 '13 at 20:25
  • Good find in the forums. So I guess the answer is 'No'. Pity – Simon Munro May 17 '13 at 06:06

1 Answer

No,

You cannot have a "friendly" name for a federation provider. It is not just Azure Access Control Service. The main reason is security and how the protocol works. Currently there is no federation provider (Azure or non-Azure, and there are a bunch of non-Azure federation providers) that would provide a "friendly" name. And you certainly cannot use a CNAME against your ACS namespace. It will simply fail.

The only way to have a "friendly" named federation provider is to build it on your own. If you go for your own, I highly recommend using Identity Server instead of building it from scratch.

astaykov
  • This is correct. The inability to do this is a security feature. Live doesn't have this issue because ACS doesn't release personally identifiable information via Live, and Facebook has a different consent model. – Oren Melzer May 22 '13 at 20:38