This blog post assumes that the reader knows the basics of Identity Providers and Security Token Services. Its purpose is to illustrate how to programmatically add Google or Yahoo as an Identity Provider because there isn’t much information available on how to do this. For further information about using the ManagementServices proxy, I suggest downloading the Codeplex ACS Management examples from

We manage the Windows Azure AppFabric Access Control Service v2.0 through code using the ManagementService proxy and data types, which are generated when we add a service reference to the ACS management metadata endpoint for the namespace at https://{yournamespace}. You can do this using either the Visual Studio "Add Service Reference" menu option or manually with the svcutil.exe utility. There are examples of this in the code samples mentioned above.

To begin, we will use the management service proxy to retrieve a list of the IdentityProviders that have already been installed for the targeted namespace. By default, Windows Live ID will already be present and cannot be removed. The management service API requires that all requests be accompanied by a SWT token, which is also covered in the previously mentioned code samples.

To create a new IdentityProvider, we first need an Issuer for tokens coming from that identity provider. We create a new instance of the Issuer type and set its Name property to "Google"; this friendly name is what appears in the ACS Management portal UI. We then add the instance to the proxy's Issuers collection and save our changes. ACS assigns the new Issuer its Id during that save, which is why the save must happen before we create the IdentityProvider that references it. Next we create an instance of IdentityProvider, set DisplayName and Description to values suitable for display in the ACS Management Portal, set WebSSOProtocolType to "OpenId", and set IssuerId to the Id of the Issuer we just saved.



       // ms is an instance of the ManagementService proxy

       // Create the Issuer and save it; ACS assigns issuer.Id on SaveChanges
       Issuer issuer = new Issuer { Name = "Google" };
       ms.AddObject("Issuers", issuer);
       ms.SaveChanges();

       // Create Identity Provider that references the saved Issuer
       IdentityProvider identityProvider = new IdentityProvider {
             DisplayName = "Google",
             Description = "Google",
             WebSSOProtocolType = "OpenId",
             IssuerId = issuer.Id
       };

       ms.AddObject("IdentityProviders", identityProvider);



ACS needs a way to verify the signature on tokens issued by an identity provider before it will accept them. A WS-Federation STS publishes the X.509 certificate it signs with (the whole certificate, base64 encoded, not just the public key) in its federation metadata document; that certificate becomes an IdentityProviderKey with Type "X509Certificate" and Usage "Signing", and its StartDate and EndDate should match the certificate's own validity period rather than an arbitrary window, so that ACS stops trusting the key when the certificate expires. Note that Google's and Yahoo's OpenID 2.0 endpoints sign their responses with an HMAC over an association secret rather than with an X.509 certificate, so there is no federation metadata document to take this value from; the code below follows the pattern used for WS-Federation providers in the ACS samples. We set the IdentityProviderKey properties to the certificate values, add the IdentityProviderKey object to our object graph and associate it with the IdentityProvider that will use it, as shown in the following code:


       // *** Create the Identity Provider key used to validate
       // the signature of IDP-signed tokens. Signing certificates
       // can be found in a WS-Federation IDP's metadata.
       IdentityProviderKey identityProviderKey = new IdentityProviderKey {
              DisplayName = "GoogleIdentityProviderKeyDisplayName",
              Type = "X509Certificate",
              Usage = "Signing",
              // base64 DER certificate from the IdP metadata (truncated here)
              Value = Convert.FromBase64String("MIIB9DCCAWGgAwI…"),
              IdentityProvider = identityProvider,
              // ideally the certificate's NotBefore / NotAfter values
              StartDate = DateTime.UtcNow,
              EndDate = DateTime.UtcNow.AddYears(1)
       };

       ms.AddRelatedObject(identityProvider, "IdentityProviderKeys", identityProviderKey);



Our new Google or Yahoo IdentityProvider will need to have an endpoint address associated with it. We do this by creating an instance of the IdentityProviderAddress class, adding it to the entity data model and saving our changes. Two properties on this class take values that are less than obvious (or even discoverable). For Google, the Address property must be set to Google's OpenID endpoint URL and the EndpointType must be set to "SignIn". For Yahoo, set the Address property to Yahoo's OpenID endpoint URL and the EndpointType to "SignIn".


       IdentityProviderAddress googleRealm = new IdentityProviderAddress() {
              // Google's OpenID sign-in endpoint URL
              Address = "",
              EndpointType = "SignIn",
              IdentityProvider = identityProvider
       };

       ms.AddRelatedObject(identityProvider, "IdentityProviderAddresses", googleRealm);
       ms.SaveChanges();




We now need to associate our new Google IdentityProvider with the relying party applications that will depend upon it. In our case this is every RelyingParty defined (other than the built-in AccessControlManagement relying party), so we simply loop through them and save the new associations, as the following code demonstrates:



       // Make this IDP available to relying parties
       // (except for the Management RP)
       foreach (RelyingParty rp in ms.RelyingParties) {
              // Skip the built-in management RP
              if (rp.Name != "AccessControlManagement") {
                     ms.AddToRelyingPartyIdentityProviders(new RelyingPartyIdentityProvider {
                           IdentityProviderId = identityProvider.Id,
                           RelyingPartyId = rp.Id
                     });
              }
       }

       ms.SaveChanges();
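The steps above, folded into one method as an added end-to-end example (this is not code from the original post or from the ACS samples). It adds the idempotency check the post mentions at the start, retrieving the existing IdentityProviders and returning early if one with the same display name is already configured, because the management service is not transactional across SaveChanges calls and a rerun would otherwise leave a duplicate Issuer and IdentityProvider behind. It also orders the saves so that each server-assigned Id exists before it is referenced. Assumptions: the generated proxy lives in a namespace called AcsManagement, the proxy passed in already attaches its SWT token in a SendingRequest handler, the method name EnsureOpenIdIdentityProvider is mine, and the signing key is treated as optional (pass null to skip it), which is my reading of the key being a WS-Federation artefact rather than something the page states.

```csharp
using System;
using System.Data.Services.Client;
using System.Linq;
// Assumed namespace of the ManagementService proxy generated from the ACS
// management metadata endpoint; adjust to what "Add Service Reference" produced.
using AcsManagement;

public static class OpenIdIdentityProviderSetup
{
    // Adds an OpenID identity provider (Google or Yahoo) to the namespace the
    // proxy points at, or returns the existing one if a provider with that
    // display name is already configured. The caller supplies a proxy whose
    // SendingRequest handler already attaches the management SWT token.
    public static IdentityProvider EnsureOpenIdIdentityProvider(
        ManagementService ms,
        string displayName,          // e.g. "Google" or "Yahoo"
        string openIdSignInEndpoint, // the provider's OpenID endpoint URL
        byte[] signingCertificate)   // optional (assumption): null skips the key
    {
        // 1. Idempotency check against the providers already in the namespace.
        //    Windows Live ID is always present; our own provider may be too.
        IdentityProvider existing = ms.IdentityProviders
            .Where(ip => ip.DisplayName == displayName)
            .ToList()
            .FirstOrDefault();
        if (existing != null)
        {
            return existing;
        }

        // 2. Issuer first: ACS assigns issuer.Id during SaveChanges, and the
        //    IdentityProvider must reference that Id.
        Issuer issuer = new Issuer { Name = displayName };
        ms.AddObject("Issuers", issuer);
        ms.SaveChanges();

        IdentityProvider identityProvider = new IdentityProvider
        {
            DisplayName = displayName,
            Description = displayName,
            WebSSOProtocolType = "OpenId",
            IssuerId = issuer.Id
        };
        ms.AddObject("IdentityProviders", identityProvider);

        // 3. Signing key, only when the caller has a certificate to register.
        if (signingCertificate != null)
        {
            IdentityProviderKey key = new IdentityProviderKey
            {
                DisplayName = displayName + "SigningKey",
                Type = "X509Certificate",
                Usage = "Signing",
                Value = signingCertificate,
                IdentityProvider = identityProvider,
                StartDate = DateTime.UtcNow,
                EndDate = DateTime.UtcNow.AddYears(1)
            };
            ms.AddRelatedObject(identityProvider, "IdentityProviderKeys", key);
        }

        // 4. The sign-in endpoint ACS redirects the browser to.
        IdentityProviderAddress signIn = new IdentityProviderAddress
        {
            Address = openIdSignInEndpoint,
            EndpointType = "SignIn",
            IdentityProvider = identityProvider
        };
        ms.AddRelatedObject(identityProvider, "IdentityProviderAddresses", signIn);

        // Persist now so identityProvider.Id is populated before it is used.
        ms.SaveChanges();

        // 5. Offer the provider to every relying party except the built-in
        //    management RP.
        foreach (RelyingParty rp in ms.RelyingParties)
        {
            if (rp.Name == "AccessControlManagement")
            {
                continue;
            }
            ms.AddToRelyingPartyIdentityProviders(new RelyingPartyIdentityProvider
            {
                IdentityProviderId = identityProvider.Id,
                RelyingPartyId = rp.Id
            });
        }

        try
        {
            ms.SaveChanges();
        }
        catch (DataServiceRequestException ex)
        {
            // The exception message carries the ACS error response body.
            throw new InvalidOperationException(
                "ACS rejected the relying party associations: " + ex.Message, ex);
        }

        return identityProvider;
    }
}
```

Call it once per provider, for example with "Google" and Google's OpenID endpoint, then again with "Yahoo" and Yahoo's; running it a second time is harmless because of the initial lookup.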








This should be enough to supplement your knowledge of using the Windows Azure AppFabric Labs v2.0 Access Control Service Management API to programmatically set up Google (or Yahoo) as an Identity Provider for your relying party applications.