June 27 – 2011


I assume the reader understands the concept of Claims Authentication and related terms like STS, IP...


This post explains my understanding about Live ID authentication that you might want to integrate in your applications like Win Forms, SharePoint, CRM or a custom ASP.NET application.Live ID exposes different ways of authenticating against it. The primary ones being:

·         Using WS-Federation:

If you want to use WS-Federation, then you need to (1) Register your application with Live ID STS as trusted RP (use MSM https://msm.live.com/wizard/default.aspx ). This mechanism is also known by name Relying Party Suite. (2) Configure your application to start using Live ID: Live ID STS exposes its Federation Metadata which makes it easy for you to use FedUtil.exe in your application to establish this trust from RP to Live ID STS. the Federation metadata is found here: Metadata XML URL Seems easy. BUT the very first step of configuring your application as RP using MSM is not exposed to external customers. It is available only for Microsoft Partners. So as per my conclusion, even though Live ID supports WS-Federation, you won’t be able to use it “directly”. I will explain in next option why I have used the term “directly”. I am not sure why do we have this article published when we cannot actually use it publicly: http://technet.microsoft.com/en-us/library/ff973117.aspx

·         Using Azure ACS:

Microsoft Azure Access Control Service (ACS) is an cloud STS. It offers Live ID authentication as out of box identity provider. In order to use this path for Live ID authentication, you need to (1) Configure ACS to start trusting your application as trusted RP. (2) Add Live ID as Identity Provider in ACS (3) Configure your application to start trusting ACS as trusted STS. Both these steps are pretty easy to be followed with minimal coding. Here is one post that explains in step by step manner: http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_introtoacslabsv2_topic2.aspx
If this is so easy, then why doesn’t one always use it?

§  Cost: Azure ACS doesn’t come for free. You need to pay for it.

§  It adds an extra layer between your application and Live ID (a less agreed reason).

·         Using APIs offered by Microsoft:

So, isn’t there any free, publicly available way of directly working with Live ID authentication? Well, yes there is and you can do it via APIs that Microsoft offered. These set of APIs (previously known with different names) are clubbed under the common name called as “Messenger Connect”. Messenger connect can not only be used to authenticate users with Live ID but also access their information stored on Live ID Servers like pictures, contacts etc. Here are details on how to achieve it with an ASP.NET application: http://msdn.microsoft.com/en-us/library/ff748287.aspx

You can also develop a custom claims provider that uses Messenger Connect and configure it with AD FS 2.0 so that you don’t have to code it every time you plan to use Live ID authentication.

Rahul Gangwar