In this article I will show you a step by step demonstration of enabling Federated Authentication on a Windows Azure Web Role using the Windows Azure App Fabric Access Control Service.
Imagine you are writing an application and want to make it open to users of all the identity providers: users of Facebook, Live, Google, Yahoo etc. should be able to use your application. To achieve this you would probably have to implement authentication logic for each type of provider separately. For instance there would be separate authentication logic for Facebook, separate authentication logic for Google and so on.
Instead, you outsource the authentication task for each identity provider to the Access Control Service (ACS). ACS does the task of authentication for your application.
Image taken from MSDN
In this post, I am focusing on demonstrating the step by step process to work with Windows Azure ACS. In a later post I will discuss more on the theory of Claims Based Authentication.
To work with Windows Azure Access Control Service you need:
- Windows Identity Foundation SDK
- Windows Identity Foundation Runtime
Essentially you need to perform two tasks:
- Configure Windows Azure ACS with Identity Provider, Relying Party, Rules
- Create Windows Azure Web Role and configure for Federated authentication
Configure Windows Azure ACS with Identity Provider, Relying Party, Rules
First you need to log in to the Windows Azure Management portal. Navigate to the link below and provide your Live ID username and password:
https://windows.azure.com/
After successful authentication, select the Service Bus, Access Control & Caching tab from the left panel. Then choose Access Control from the top panel.
You need to have a Namespace. If you already have a namespace, feel free to use that. I assume here that you don't have any namespace created, so follow the screens below to create one.
Click on the New option in the top panel to create a new namespace. On clicking New, you will get the Create a new Service Namespace window. For the purpose of this article, I am choosing Access Control Service and providing the other information in the properties tab, like Namespace, Country and Subscription.
Once the Namespace is created you can see it listed. Select the newly created Namespace and from the top panel choose Access Control Services.
Access Control Services will open in a new tab. There, from the left panel, select Identity Providers. On clicking Identity Providers you can see that Windows Live ID is already added. Click on the Add button to add another Identity Provider. On clicking the Add button you will get the option to add different identity providers. For the purpose of this post I am adding Google and Yahoo only.
I have chosen Yahoo. Next you will be prompted to choose an Image URL for the login screen. This is optional; I have not given any Image URL here. In the same way you can add the Google identity provider as well. After adding all the identity providers you will get them listed as below.
Next you need to add a Relying Party Application. For that, from the left panel click on Relying Party Applications and then click on the Add button to add a new Relying Party Application. You will get the Add Relying Party Application screen. You need to provide all the information on this screen.
You need to provide a friendly name for the relying party application. Feel free to give any name of your choice. You need to select a Mode. Choose Mode as Enter settings manually. After selecting the Mode, you need to provide the Realm, Return URL and Error URL.
We may have two scenarios here:
- Running the Azure Web Role locally in the Azure Emulator
- Running the Azure Web Role in the Azure Portal
If you are running the web role locally then set the URL as
http://127.0.0.1:81/
If you are running the web role from the Azure portal then set the URL you chose there. That might look like http://abcurname.cloudapp.net
For both Realm and Return URL give the same URL, and if you want you can leave the optional Error URL empty.
Leave Token Format, Token Encryption Policy and Token Lifetime as default. Next you need to select identity providers for this relying party. Select all the identity providers we added previously. Choose to create a new rule group. Select the token signing as standard and click on the Save button to add the relying party application.
Next you need to create a Rule Group for the Relying Party Application. To create a Rule Group, click on Rule Groups in the left panel and select Add. Next enter the name of the Rule Group and click on the Save button. You will get a message telling you that rules need to be generated. Click on the Generate button to create the rules. Next you will be prompted to choose the identity providers for which to generate rules. Select all the listed identity providers and click on the Generate button. On the next screen click on the Save button.
After saving, in the left panel click on Application Integration from the Development tab. You need the WS-Federation Metadata URL to configure the authentication mechanism for your application.
Create Windows Azure Web Role and configure for Federated authentication
Now you need to create a Windows Azure project. To do that, open Visual Studio as administrator and from the Cloud tab select Windows Azure Project. Then choose ASP.NET Web Role as part of the Windows Azure project. Here you can write all the required code and business logic of your application. Now, to use ACS Federated authentication, right click on the web application project and select Add STS Reference.
Now you need to provide:
- Application Configuration location: Leave the default value
- Application URI: It should be the same as the Relying Party Application URI. In our case it is the URI of the Azure web role running in the Azure emulator:
http://127.0.0.1:81/
On clicking the Next button you will get a warning message that the application is not using HTTPS. In a real application the best practice is to provide a certificate and work over HTTPS. Proceed by selecting Yes.
In Security Token Service, check the check box Use an existing STS and provide the Metadata document location. If you remember, in the previous step you copied the WS-Federation Metadata URL by clicking on Application Integration from the Development tab. You need to provide the location of the XML file from the different End Point references.
On the next screen choose Disable certificate chain validation. On the next screen select No encryption. On the next screen leave the default values and click on Next. Finally click on Finish to complete the add process. You should get a Success message as below.
The last step is to open the Web.config file and edit the entry as below. You need to add the line shown in the rectangle inside System.web.
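For reference, this is the shape of the microsoft.identityModel section that the Add STS Reference wizard writes into Web.config, shown here as an added example (not the post's own config) with the development-only choices made above (no HTTPS, certificate chain validation disabled) replaced by their production-safe values. The namespace, realm and thumbprint are placeholders; the httpModules registrations the wizard also adds are not shown.

```xml
<!-- microsoft.identityModel section of Web.config (placeholder values). -->
<microsoft.identityModel>
  <service>
    <!-- Must match the Realm set on the ACS relying party exactly (for the
         emulator that is http://127.0.0.1:81/); a token issued for any other
         audience is rejected by WIF. -->
    <audienceUris>
      <add value="https://abcurname.cloudapp.net/" />
    </audienceUris>
    <federatedAuthentication>
      <!-- issuer is the WS-Federation endpoint of your ACS namespace
           (YOUR-NAMESPACE is a placeholder). Accepting the wizard's "not
           using HTTPS" warning writes requireHttps="false"; keep it "true"
           outside the emulator so the signed token is never posted in clear. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://YOUR-NAMESPACE.accesscontrol.windows.net/v2/wsfederation"
                    realm="https://abcurname.cloudapp.net/"
                    requireHttps="true" />
      <!-- The session cookie carries the authenticated claims: HTTPS-only. -->
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <!-- Only tokens signed by the ACS namespace certificate are trusted. The
         thumbprint comes from the FederationMetadata.xml the wizard downloaded;
         replace the placeholder, and update it when ACS rotates the certificate. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="PLACEHOLDER-ACS-SIGNING-CERT-THUMBPRINT"
             name="https://YOUR-NAMESPACE.accesscontrol.windows.net/" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- "Disable certificate chain validation" in the wizard writes None here,
         which makes the thumbprint above the sole trust anchor. PeerTrust
         additionally requires the ACS signing certificate to be installed in
         the role's Trusted People store. -->
    <certificateValidation certificateValidationMode="PeerTrust" />
  </service>
</microsoft.identityModel>
```

If you keep the wizard's None for certificate validation, verify the thumbprint against the metadata document rather than copying it from a screenshot, because it is then the only thing standing between your application and a token signed by someone else.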
Now go ahead and run the application. You will be prompted to Sign In. Choose any identity provider to log in to your application. I am choosing Google, so I will be redirected to the Google login page. After a successful sign in you will be redirected to the application.
This is all you need to do to perform Federated authentication on a Windows Azure web role using the Windows Azure App Fabric Access Control Service. I hope this post is useful. Thanks for reading.
If you find my posts useful you may like to follow me on Twitter at http://twitter.com/debug_mode or like the Facebook page of my blog at http://www.facebook.com/DebugMode.Net. If you want to see a post on a particular topic please write on the FB page or tweet me about it; I would love to help you.