In this article we are going to experiment with the Access Control feature using a
Web Role. This article is a continuation of the Access Control feature in Azure
AppFabric.
You can refer tp the previous articles here:
Pre-Requisites
This article requires the following SDK and Runtime installations.
Now we are ready to proceed with creating the
following:
- New Namespace for Access Control Service
- New Identity Provider
- New Rule Group
We are performing the following activities in
this article:
- Create a Web Role
- Register the Web Role in Relying Party
Applications
- Get the path of WS-Federation Metadata
- Configure STS for the web role
- Test the Application
Create a Web Role
Create a new Azure Project and add a web role into it. Now run the application
and copy the url from the browser.
![WinAzr1.gif]()
It should be like: http://127.0.0.1:81/
Registering with the Relying Party Applications
Now we are ready with the url to register witht the Relying Party Applications.
For open the Access Control Service portal.
Select the Relying Party Applications item from the left pane. You will see the
following screen.
![WinAzr2.gif]()
Now click on the Add button to add the new relying party details.
![WinAzr3.gif]()
Application Name: Web Role Application
Realm: http://127.0.0.1:81/
Return Url: http://127.0.0.1:81/
Rule Groups: Check already created MyRuleGroup
You can leave the other options unchanged to default and click the Save button
which is visible at the bottom of the page.
Get the path of WS-Federation Metadata
The WS-Federation Metadata contains information about the relying party. It is a
well configured schema xml according to the WS-Federation standards. We can get
the url of our metadata xml file from the portal. (we can also specify the
content, but for our article the url is better)
Use the access control address (https://YourNameSpace.accesscontrol.windows.net)
to open and sign in to it. From the left side link under Development you can see
an Application Integration item.
![WinAzr4.gif]()
Click on it to open the screen and copy the XML path as highlighted. We will be
needing this path in the next step.
![WinAzr5.gif]()
Configure STS for the web role
Now we need to configure the Secured Token Service of our web role. Right click
on the web role project and click the option Add STS Reference. (Enabling this
option requires the Pre-Requisites)
![WinAzr6.gif]()
The following dialog will be appearing.
![WinAzr7.gif]()
In the first text box enter the web.config file path of the web role. In the
second text box enter the url to Defaul.aspx.
Click the Next button to continue and discard the appearing warning dialog by
clicking Yes button.
![WinAzr8.gif]()
In the next page of the wizard select the last option Use an Existing STS and
paste the WS-Federation Metadata url obtained from the previous step.
![WinAzr9.gif]()
After entering the xml path click the Next button to continue. Leave the default
options in the next three wizard pages and click the Finish button. You will get
the following message box.
![WinAzr10.gif]()
Now the wizard added the necessary pages, xml files and configuration items.
Still we need to add one tag in the web.config file.
Add the following tag into the web.config file inside the system.web tag.
<httpRuntime
requestValidationMode="2.0"/>
Make sure you are entering the tag in the outer system.web section. There will
be 2 system.web sections inside the configuration file.
Without this tag a cross site scripting error will be occurring while
authentication. Make sure you a
Test the Application
Now you are ready to test the application. Before testing we can have some
modification in the Default page to display the login information.
Add reference to the Microsoft.Identity.Model.dll from the Azure SDK folder (eg:
C:\Program Files\Windows Azure SDK\v1.5\bin\devfabric)
Open the Default.aspx in design mode and remove the existing text controls.
Place a label control and name it to InfoLabel. In the Page load event add the
following code. The code converts the Identity object of current user into
ClaimsIdentity. We can iterate through the claims items and display the type and
value as shown below.
protected
void
Page_Load(object
sender,
EventArgs
e)
{
InfoLabel.Text =
string.Empty;
if
(HttpContext.Current.User.Identity
!=
null)
{
ClaimsIdentity
identity = (ClaimsIdentity)HttpContext.Current.User.Identity;
foreach(Claim
claim
in
identity.Claims)
InfoLabel.Text += claim.ClaimType +
"=<b>"
+ claim.Value +
"</b><br>";
}
}
Now place a button on the page, name it as LogoutButton and add the following
code in the click event of it.
protected
void
LogoutButton_Click(object
sender,
EventArgs
e)
{
WSFederationAuthenticationModule
fam =
FederatedAuthentication.WSFederationAuthenticationModule;
try
{
FormsAuthentication.SignOut();
}
finally
{
fam.SignOut(true);
}
Response.Redirect("~/Default.aspx");
}
Now we are ready with the application testing. Press the F5 key for execution
and you will be getting the following screen.
![WinAzr11.gif]()
Click on the Google button to continue and you will be prompted with the login
page of Google.
On successful login we will be returned to the following page.
![WinAzr12.gif]()
Now the application is running fine with authentication. You can try clicking
the Logout button to delete the authentication cookies are return to the login
page on refresh.
Summary
In this article we have seen to integrate a web role with the identity provider
configured in the Access Control service. Our web role is getting prompted with
the identity providers automatically through the Access Control Service. We can
add or remove identity providers through the Access Control Service portal
without changing the application. The associated source code contains the web
role we discussed.
You can find more information on Web Application integration with Access Control
Service here.
More information about Claims Aware Application can be referred
here.