Windows Azure - AppFabric Access Control Service Programming
In this article we are going to experiment the Access Control feature
using a Web Role. This article is a continuation of the Access Control
feature in Azure AppFabric.
You can refer the previous articles here: Pre-Requisites
This article requires the following SDK and Runtime installations.
Now we are ready to proceed with creating the following:
- New Namespace for Access Control Service
- New Identity Provider
- New Rule Group
We are performing the following activities in this article:
Create a Web Role
- Create a Web Role
- Register the Web Role in Relying Party Applications
- Get the path of WS-Federation Metadata
- Configure STS for the web role
- Test the Application
Create a new Azure Project and add a web role into it. Now run the application and copy the url from the browser.
It should be like: http://127.0.0.1:81/ Registering with the Relying Party Applications
Now we are ready with the url to register witht the Relying Party Applications. For open the Access Control Service portal.
Select the Relying Party Applications item from the left pane. You will see the following screen.
Now click on the Add
button to add the new relying party details. Application Name:
Web Role Application Realm:
http://127.0.0.1:81/ Return Url:
http://127.0.0.1:81/ Rule Groups:
Check already created MyRuleGroup
You can leave the other options unchanged to default and click the Save
button which is visible at the bottom of the page. Get the path of WS-Federation Metadata
The WS-Federation Metadata contains information about the relying
party. It is a well configured schema xml according to the
WS-Federation standards. We can get the url of our metadata xml file
from the portal. (we can also specify the content, but for our article the url is better)
Use the access control address
(https://YourNameSpace.accesscontrol.windows.net) to open and sign in to
it. From the left side link under Development you can see an Application Integration
Click on it to open the screen and copy the XML path as highlighted. We will be needing this path in the next step. Configure STS for the web role
Now we need to configure the Secured Token Service of our web role. Right click on the web role project and click the option Add STS Reference. (Enabling this option requires the Pre-Requisites)
The following dialog will be appearing.
In the first text box enter the web.config file path of the web role. In the second text box enter the url to Defaul.aspx.
Click the Next
button to continue and discard the appearing warning dialog by clicking Yes button.
In the next page of the wizard select the last option Use an Existing STS
and paste the WS-Federation Metadata url obtained from the previous step.
After entering the xml path click the Next
button to continue. Leave the default options in the next three wizard pages and click the Finish
button. You will get the following message box.
Now the wizard added the necessary pages, xml files and configuration
items. Still we need to add one tag in the web.config file.
Add the following tag into the web.config file inside the system.web tag. <httpRuntime requestValidationMode="2.0"/>
Make sure you are entering the tag in the outer system.web section.
There will be 2 system.web sections inside the configuration file.
Without this tag a cross site scripting error will be occurring while authentication. Make sure you a Test the Application
Now you are ready to test the application. Before testing we can have
some modification in the Default page to display the login information.
Add reference to the Microsoft.Identity.Model.dll
from the Azure SDK folder (eg: C:\Program Files\Windows Azure SDK\v1.5\bin\devfabric)
Open the Default.aspx in design mode and remove the existing text
controls. Place a label control and name it to InfoLabel. In the Page
load event add the following code. The code converts the Identity
object of current user into ClaimsIdentity. We can iterate through the
claims items and display the type and value as shown below.
protected void Page_Load(object sender, EventArgs e)
InfoLabel.Text = string.Empty;
if (HttpContext.Current.User.Identity != null)
ClaimsIdentity identity = (ClaimsIdentity)HttpContext.Current.User.Identity;
foreach(Claim claim in identity.Claims)
InfoLabel.Text += claim.ClaimType + "=<b>" + claim.Value + "</b><br>";
Now place a button on the page, name it as LogoutButton and add the following code in the click event of it.
protected void LogoutButton_Click(object sender, EventArgs e)
WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
Now we are ready with the application testing. Press the F5 key for execution and you will be getting the following screen.
Click on the Google button to continue and you will be prompted with the login page of Google.
On successful login we will be returned to the following page.
Now the application is running fine with authentication. You can try
clicking the Logout button to delete the authentication cookies are
return to the login page on refresh.
In this article we have seen to integrate a web role with the identity
provider configured in the Access Control service. Our web role is
getting prompted with the identity providers automatically through the
Access Control Service. We can add or remove identity providers through
the Access Control Service portal without changing the application.
The associated source code contains the web role we discussed.
You can find more information on Web Application integration with Access Control Service here.
More information about Claims Aware Application can be referred here.