Configuring Windows Azure Access Control Service

When implementing an application I think it is nice if you can focus your development solving the problems the application should solve and almost nothing else. Most of the time authentication isn't really part of what your application should solve so if you can let someone else handling that part for you, and it would be really great if it were someone you trust.

Configuring Windows Azure Control Service, also known as Windows Azure Active Directory Control or ACS as I will call it through out this post, is not that hard to do as long as you know how to do it. However, a lot of the documentation out there is outdated (things move fast in this space) so I thought I would write this... which will most likely be outdated in a couple of days or so :). The walkthrough will be made using the latest version of .NET, that is, .NET 4.5 as of the moment.

How it works

When you authenticate against an application that uses Azure ACS it is some kind of table tennis game that goes on behind the curtains to identify you. This is a good thing because all you need to have in mind as a developer is the Security Token Service or STS. The STS in our case is Acure ACS and it is then responsible for coordinating everything with the other STS out there as google and microsoft live.

The table tennis going is illustrated below:
ACS authentication flow

  1. The client to access some kind of resource from the application, also often mentioned as a Relying Party (RP).
  2. The application answer with a not authorize request and the clients is redirected to the access control site.
  3. At the access control site the client are presented with some different options that can be used to authenticate, as google or Microsoft Live for example.
  4. The client choose one of the identity providers and are redirected to the site where it authenticate authenticate.
  5. The client gets a token from the identity provider identifying the client.
  6. The client presents the token to the ACS and the ACS gives another token that should be used to authenticate the client.
  7. The client shows the token to the application and the authentication process is done.

There are some trust that has to be established for this to work. First the application have to trust the access control and the access control has to trust the identity providers. In azure you can configure the urls of the application, that is, establishing the trust between the application and acs. You can also define which identity providers to use, that is you define that you trust them.

Configuring azure

  1. Create the access control namespace
    Create namespace

  2. Choose your namespace and click "manage", this will take you to the management portal for access control
    Go to navigate

  3. Choose the identity providers you want to support
    enter image description here

  4. Add the relying party, which is basically which url you want to connect to the access control. Enter data in the Realm and Return URL
    Relying party configuration

  5. Click to edit the rule group that was created for your relying party and click generate to enter image description here

  6. The following three images shows you how to get to the management key which you will need later
    Management service
    Management service symmetric key
    Management service getting the key

That's all you need to do in azure. Copy or write down the key that you located in the last step so you can use it later.

Configuring your application

Before starting Visual Studio install the Identity and Access Tool which will give you some help configuring your application to use the Azure ACS. To demonstrate how it works I will guide you through how to require authentication and list the claims received from the authentication.

  1. Create an empty web application.

  2. Add a reference to System.IdentityModel.Services, which you will have if are running .Net 4.5.

  3. Right click on the web project and click the Identity and Access... option which is now available since you installed the Identity and Access Tool.
    Identity and Access option

  4. Check the "Use the Windows Azure Access Control Service" and click "(Configure...)"
    Configure Access Control

  5. In the "Configure ACS namespace" enter the name of your acs namespace, which you created in the first step configuring Azure, and enter the management key you retrieved in the last step in the field for the key.
    Configure ACS namespace

  6. In the system.web section in the web.config add the following

After the steps above you have an updated web.config that enables you to use the ACS to authenticate but the application is still empty so we will implement a simple application that list all the claims retrieved when you have authenticated against Azure ACS in two simple steps:

  1. So first add a HomeController with the following simple Index method:

    public class HomeController : Controller
    public ActionResult Index()
    return View();

  2. Add the Index view:

    @using System.Security.Claims
    @using System.Threading
        var claimsIdentity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
    <h2>Amazing claims:</h2>
    @foreach (var claim in claimsIdentity.Claims)
            <span class="key">Type: @claim.Type</span>, 
            <span class="value">Value: @claim.Value</span>

Now hit F5 and hopefully you will be presented a view telling you to authenticate with google or Microsoft Live. After you have authenticated all the claims retreived are listed on the page.

Getting the application to run on Azure

There are three things you need to do to get the application:

  1. Add a relying party for your application.

  2. Add the following web.config transform to change the realm:

                <add value="http://yourapp/" xdt:Transform="Replace"/>
            <wsFederation realm="http://yourapp/" xdt:Transform="SetAttributes(realm)" />
  3. Create a Windows Azure Clour Service project and deploy your application.

That was all for now and hope the description is correct.