In this tutorial we are going to see how we can authenticate users who want to use our services against Windows Azure Active Directory (WAAD) through Access Control Services (ACS). This tutorial narrates a step by step process, and I personally suggest implementing all the steps in order.
Windows Azure Active Directory (WAAD) is a modern, REST-based service that provides identity management and access control capabilities for your cloud applications. In simple words it is a service that is made available through Windows Azure so that you can manage your organization’s cloud directory where Microsoft is going to take care of AD’s scalability. Read more about WAAD – http://www.windowsazure.com/en-us/home/features/identity/
Access Control Service (ACS) is a Windows Azure service that provides an easy way of authenticating users who need to access your web applications and services without having to write complex authentication logic. Read more about ACS – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/
Step 1 –
Sign up at https://activedirectory.windowsazure.com/ (as of now sign up is free, and Microsoft mentions it is going to remain a free product). By the end of the registration you will have a domain of the form mydomain.onmicrosoft.com.
Then create users in WAAD. Only a Global Administrator can add users. Similarly we can add groups and place users in their respective groups.
IMP: Adding groups is out of scope for this tutorial.
Register for a Windows Azure account and get an Access Control Service (ACS) login. Create an ACS namespace too (as shown here). This namespace will be used in later steps.
Step 2 –
First download sign in helper for WAAD – http://go.microsoft.com/fwlink/p/?linkid=236300
Then download PowerShell CmdLets through which we can provision a Service Principal – https://activedirectory.windowsazure.com/IdentityFederation/IdentityFederation.aspx
Step 3 –
Connect to WAAD using the downloaded PowerShell interface with the following command –
Then enter your credentials as prompted.
In order to establish the trust between the relying party and WAAD, we first need to associate the Service Principal (which is ACS) with WAAD. To do that we first import the Service Principal CmdLets using –
Import-Module MSOnlineExtended -Force
Step 4 –
Once the Service Principal CmdLets are installed, we need to register the ACS with the present WAAD (as we are using Access Control Service (ACS) to authenticate our MVC application). We are going to register ACS with WAAD using the following commands.
First create a New Service Principal Address –
$url = New-MsolServicePrincipalAddresses -Address "https://myAccessControlNamespace.accesscontrol.windows.net/"
In the above command you need to replace myAccessControlNamespace with the actual one which you own. Then create a new Service Principal using the address which we created above.
New-MsolServicePrincipal -ServicePrincipalNames @("https://myAccessControlNamespace.accesscontrol.windows.net/") -DisplayName "ACSName" -Addresses $url
In the above command you need to replace myAccessControlNamespace with the actual one which you own.
Once you execute the above commands, a symmetric key will be generated along with registering the ACS with WAAD. Please take note of all the information generated, for future use. The symmetric key is going to be extremely important for Graph API authentication against WAAD (but this topic is out of scope for the present tutorial).
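The registration from Steps 3 and 4 put together as one script, as an added example that is not part of the original tutorial. It assumes the MSOnlineExtended module is installed, that Connect-MsolService is the cmdlet used to sign in, and that the namespace you pass in (myAccessControlNamespace is a placeholder) is one you own; it also checks whether the Service Principal already exists before creating it.

```powershell
# Added example, not from the original tutorial: register an ACS namespace
# as a Service Principal in WAAD and verify the registration afterwards.
# Assumes the MSOnlineExtended module is installed and that the account
# used to sign in is a Global Administrator of the WAAD tenant.
param(
    [Parameter(Mandatory = $true)]
    [string]$AcsNamespace,            # placeholder, e.g. myAccessControlNamespace
    [string]$DisplayName = "ACSName"  # display name shown for the Service Principal
)

Import-Module MSOnlineExtended -Force
Connect-MsolService                   # prompts for your WAAD credentials

# The ACS namespace URL doubles as the Service Principal name.
$acsUrl = "https://$AcsNamespace.accesscontrol.windows.net/"

# Avoid creating a duplicate registration if it already exists.
$existing = Get-MsolServicePrincipal -ServicePrincipalName $acsUrl -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "Service Principal for $acsUrl is already registered (AppPrincipalId $($existing.AppPrincipalId))."
    return
}

$address = New-MsolServicePrincipalAddresses -Address $acsUrl
$sp = New-MsolServicePrincipal -ServicePrincipalNames @($acsUrl) `
                               -DisplayName $DisplayName `
                               -Addresses $address

# The cmdlet output includes the generated symmetric key. It is a credential:
# record it in a protected store and never commit it to source control.
$sp | Format-List DisplayName, AppPrincipalId, ObjectId, ServicePrincipalNames

# Verify that the registration round-trips from the directory.
Get-MsolServicePrincipal -AppPrincipalId $sp.AppPrincipalId |
    Select-Object DisplayName, AppPrincipalId, ServicePrincipalNames, Addresses
```

Run it as .\Register-AcsServicePrincipal.ps1 -AcsNamespace myAccessControlNamespace (file name is your choice) and keep the printed symmetric key for the Graph API work mentioned above.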
Step 5 –
Now add a new Identity Provider in ACS. First log in to ACS (change to your namespace) – https://myAccessControlNamespace.accesscontrol.windows.net/v2/mgmt/web/IdentityProvider
Then click on Identity Providers. Click Add. Select WS-Federation Identity Provider. Enter a Display name and Login Link Text (any proper name can be entered).
Enter the following URL in the WS-Federation Metadata field (replace mydomain with your own domain back at WAAD) –
Step 6 –
To make configuring the MVC Web.config easier, there is a tool in the Visual Studio Gallery – Identity and Access Tool – download and install it from http://visualstudiogallery.msdn.microsoft.com/e21bf653-dfe1-4d81-b3d3-795cb104066e
Step 7 –
-> Create MVC application (Internet application) in Visual Studio 2012.
-> Right click on the created project in Visual Studio –> choose “Identity and Access...”.
-> Configure ACS –> Enter your ACS namespace name and management key.
***To get the Management Symmetric Key, log in to the ACS portal –> Click on Management Service –> Click on Symmetric key.
-> Once configured then select the Identity Provider.
-> Click Save.
Step 8 –
Run your MVC application; it will redirect to the WAAD authentication page. Upon entering valid credentials you will be redirected back to the MVC application.
In the next set of tutorials, we will explore more about the Graph API and authorization topics. Stay tuned.