Windows Azure - AppFabric Access Control Service Programming


In this article we are going to experiment with the Access Control feature using a Web Role. This article is a continuation of the Access Control feature in Azure AppFabric.

You can refer tp the previous articles here:

Pre-Requisites

This article requires the following SDK and Runtime installations.

Now we are ready to proceed with creating the following:

  • New Namespace for Access Control Service
  • New Identity Provider
  • New Rule Group

We are performing the following activities in this article:

  • Create a Web Role
  • Register the Web Role in Relying Party Applications
  • Get the path of WS-Federation Metadata
  • Configure STS for the web role
  • Test the Application

Create a Web Role

Create a new Azure Project and add a web role into it. Now run the application and copy the url from the browser.

WinAzr1.gif

It should be like: http://127.0.0.1:81/

Registering with the Relying Party Applications

Now we are ready with the url to register witht the Relying Party Applications. For open the Access Control Service portal.

Select the Relying Party Applications item from the left pane. You will see the following screen.

WinAzr2.gif

Now click on the Add button to add the new relying party details.

WinAzr3.gif

Application Name: Web Role Application
Realm: http://127.0.0.1:81/
Return Url: http://127.0.0.1:81/
Rule Groups: Check already created MyRuleGroup

You can leave the other options unchanged to default and click the Save button which is visible at the bottom of the page.

Get the path of WS-Federation Metadata

The WS-Federation Metadata contains information about the relying party. It is a well configured schema xml according to the WS-Federation standards. We can get the url of our metadata xml file from the portal. (we can also specify the content, but for our article the url is better)

Use the access control address (https://YourNameSpace.accesscontrol.windows.net) to open and sign in to it. From the left side link under Development you can see an Application Integration item.

WinAzr4.gif

Click on it to open the screen and copy the XML path as highlighted. We will be needing this path in the next step.

WinAzr5.gif

Configure STS for the web role

Now we need to configure the Secured Token Service of our web role. Right click on the web role project and click the option Add STS Reference. (Enabling this option requires the Pre-Requisites)

WinAzr6.gif

The following dialog will be appearing.

WinAzr7.gif

In the first text box enter the web.config file path of the web role. In the second text box enter the url to Defaul.aspx.

Click the Next button to continue and discard the appearing warning dialog by clicking Yes button.

WinAzr8.gif

In the next page of the wizard select the last option Use an Existing STS and paste the WS-Federation Metadata url obtained from the previous step.

WinAzr9.gif

After entering the xml path click the Next button to continue. Leave the default options in the next three wizard pages and click the Finish button. You will get the following message box.

WinAzr10.gif

Now the wizard added the necessary pages, xml files and configuration items. Still we need to add one tag in the web.config file.

Add the following tag into the web.config file inside the system.web tag.

<httpRuntime requestValidationMode="2.0"/>

Make sure you are entering the tag in the outer system.web section. There will be 2 system.web sections inside the configuration file.

Without this tag a cross site scripting error will be occurring while authentication. Make sure you a

Test the Application

Now you are ready to test the application. Before testing we can have some modification in the Default page to display the login information.

Add reference to the Microsoft.Identity.Model.dll from the Azure SDK folder (eg: C:\Program Files\Windows Azure SDK\v1.5\bin\devfabric)

Open the Default.aspx in design mode and remove the existing text controls. Place a label control and name it to InfoLabel. In the Page load event add the following code. The code converts the Identity object of current user into ClaimsIdentity. We can iterate through the claims items and display the type and value as shown below.

protected void Page_Load(object sender, EventArgs e)
{
    InfoLabel.Text =
string.Empty;

    if (HttpContext.Current.User.Identity != null)
    {
       
ClaimsIdentity identity = (ClaimsIdentity)HttpContext.Current.User.Identity;

        foreach(Claim claim in identity.Claims)
            InfoLabel.Text += claim.ClaimType +
"=<b>" + claim.Value + "</b><br>";
    }
}


Now place a button on the page, name it as LogoutButton and add the following code in the click event of it.

protected void LogoutButton_Click(object sender, EventArgs e)
{
   
WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;

    try
    {
       
FormsAuthentication.SignOut();
    }
   
finally
    {
        fam.SignOut(
true);
    }

    Response.Redirect("~/Default.aspx");
}


Now we are ready with the application testing. Press the F5 key for execution and you will be getting the following screen.

WinAzr11.gif

Click on the Google button to continue and you will be prompted with the login page of Google.

On successful login we will be returned to the following page.

WinAzr12.gif

Now the application is running fine with authentication. You can try clicking the Logout button to delete the authentication cookies are return to the login page on refresh.

Summary


In this article we have seen to integrate a web role with the identity provider configured in the Access Control service. Our web role is getting prompted with the identity providers automatically through the Access Control Service. We can add or remove identity providers through the Access Control Service portal without changing the application. The associated source code contains the web role we discussed.

You can find more information on Web Application integration with Access Control Service here.

More information about Claims Aware Application can be referred here.
 


Similar Articles