
Use Access Control Service to Federate with Multiple Business

By Douglas Bennett, 2014-08-11 22:12

Hands-On Lab

    Use Access Control Service to Federate with Multiple Business Identity Providers

Lab version: 1.0.0

Last updated: 8/11/2011

CONTENTS

    OVERVIEW

    GETTING STARTED: CREATING A SERVICE NAMESPACE

    Task 1 Creating your AppFabric Service Namespace

    EXERCISE 1: USE ACS TO FEDERATE WITH MULTIPLE BUSINESS IDENTITY PROVIDERS

    Task 1 Creating the Initial Solution

    Task 2 Configure one entry for the application in the Access Control Service with the AppFabric portal

    Task 3 Configuring a Website to Accept Tokens from Access Control Service

    Task 4 Use the ACS Management Portal to Trust a Business Identity Provider and Process User Attributes via Claims Mapping Rules

    Task 5 Use the ACS Management API to Trust a Second Business Identity Provider and Create Claims Mapping Rules

    Exercise 1: Summary

    SUMMARY

Overview

    Connecting one application to its users is one of the most basic requirements of any solution, whether deployed on-premises, in the cloud or on both.

    The emergence of standards is helping to break the silos which traditionally isolate accounts stored by different web sites and business entities; however, offering application access to users coming from multiple sources can still be a daunting task. As of today, if you want to open your application to users coming from Facebook, Live ID, Google and business directories, the brute-force approach requires you to learn and implement four different authentication protocols. Changes in today's world happen fast and often, forcing you to keep updating your protocol implementations to chase the latest evolutions of the authentication mechanisms of the user repositories. All this can require a disproportionate amount of energy, leaving you with fewer resources to focus on your business.

Figure 1

    A functional view of the Access Control Service

    Enter the AppFabric Access Control Service (ACS). ACS offers you a way to outsource authentication and decouple your application from all the complexity of maintaining a direct relationship with every identity provider you want to tap into. ACS takes care of engaging each identity provider with its own authentication protocol and normalizes the authentication results into a protocol supported by the .NET Framework tooling (namely the Windows Identity Foundation technology, or WIF), regardless of where the user is coming from. WIF allows you, in just a few clicks, to elect ACS as the authentication manager for your application; from that moment on ACS takes care of everything, including providing a UI for the user to choose among all the recognized identity providers.

    Furthermore, ACS offers you greater control over which user attributes should be assigned for every authentication event; again in synergy with WIF, those attributes (called claims) can be easily accessed for making authorization decisions without forcing the developer to understand, or even be aware of, the lower-level mechanisms that the authentication protocols entail.
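    The following is an added example and is not code from the lab or from its Begin/End solutions. It shows what the application side of this arrangement looks like once WIF has validated the ACS token: the page code reads only the normalized claim types that the claims mapping rules are expected to emit (role and e-mail, using WIF's own ClaimTypes constants) plus the identityprovider claim that ACS attaches to every token it issues, and makes a deny-by-default authorization decision on them. The role name "Administrator", the "_Default" page class and the exact value format of the identityprovider claim are assumptions made for illustration.

```csharp
// Added example for the WebSiteAdvancedACS site (not part of the lab's solutions).
// Assumes Microsoft.IdentityModel.dll (the WIF runtime) is referenced and that
// web.config has been configured so WIF validates the ACS token's signature,
// audience URI and trusted issuer before any page code runs.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Web;
using Microsoft.IdentityModel.Claims;

public static class ClaimsAuthorization
{
    // ACS adds this claim to every token it issues; its value identifies the
    // identity provider that authenticated the user. The exact value format is
    // an assumption here: inspect a real token from your own namespace.
    public const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Hypothetical role name that the ACS claims mapping rules are assumed to emit.
    public const string AdministratorRole = "Administrator";

    public static IClaimsIdentity CurrentIdentity()
    {
        // After validating the token, WIF replaces the thread principal with an
        // IClaimsPrincipal; anything else means the user is not authenticated.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return null;
        }
        return principal.Identity as IClaimsIdentity;
    }

    // All values of one claim type; claim types are URIs, so compare them ordinally.
    public static IEnumerable<string> Values(IClaimsIdentity identity, string claimType)
    {
        if (identity == null) return Enumerable.Empty<string>();
        return identity.Claims
            .Where(c => string.Equals(c.ClaimType, claimType, StringComparison.Ordinal))
            .Select(c => c.Value);
    }

    public static string IdentityProvider(IClaimsIdentity identity)
    {
        return Values(identity, IdentityProviderClaimType).FirstOrDefault();
    }

    public static string Email(IClaimsIdentity identity)
    {
        return Values(identity, ClaimTypes.Email).FirstOrDefault();
    }

    // Deny by default: only the normalized role claim grants access. The
    // application never inspects provider-specific attributes (group names,
    // UPNs and so on); the ACS rules translate those into this one claim type.
    public static bool IsInRole(IClaimsIdentity identity, string role)
    {
        return Values(identity, ClaimTypes.Role)
            .Any(v => string.Equals(v, role, StringComparison.Ordinal));
    }
}

// Usage from the site's Default.aspx.cs (class name assumed).
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var identity = ClaimsAuthorization.CurrentIdentity();
        if (identity == null)
        {
            // Not signed in: when the page is protected in web.config, WIF's
            // WSFederationAuthenticationModule redirects the browser to ACS.
            return;
        }

        string provider = ClaimsAuthorization.IdentityProvider(identity) ?? "(unknown)";
        string email = ClaimsAuthorization.Email(identity) ?? "(no e-mail claim)";

        // Authorization decision on normalized claims only; claim values come
        // from a third party, so encode them before writing them to the page.
        if (!ClaimsAuthorization.IsInRole(identity, ClaimsAuthorization.AdministratorRole))
        {
            Response.StatusCode = 403;
            Response.Write(string.Format("{0} (from {1}) is not an administrator.",
                HttpUtility.HtmlEncode(email), HttpUtility.HtmlEncode(provider)));
            Response.End();
        }
    }
}
```

    The point of the example is that the page contains no knowledge of either business identity provider: adding a second provider (Task 5) changes only the ACS rules, and the identityprovider claim is available if you ever need to restrict a feature to users from one organization.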

    In this intermediate hands-on lab you will learn how to use the Access Control Service for managing trust relationships with multiple business identity providers. Users from two different organizations will be able to gain authenticated access to your application; however you will not be required to write any special code for handling the differences between the two. You will learn how to use ACS for establishing relationships and normalizing attributes without having to touch your application's source code. The lab will demonstrate how to configure ACS both via the AppFabric portal and the management API.

    Objectives

    In this Hands-On Lab, you will learn how to:

     Use the portal to add business identity providers through their metadata documents

     Use the portal to establish claims transformation rules for normalizing the user’s attributes

     Do all of the above via management API

     Outsource authentication of a web application to ACS

     Use ACS to handle the home realm discovery problem

    System Requirements

    You must have the following items to complete this lab:

     Microsoft® Windows® Vista SP2 (32-bit or 64-bit), Microsoft® Windows Server 2008 SP2 (32-bit or 64-bit), Microsoft® Windows Server 2008 R2, or Microsoft® Windows® 7 RTM (32-bit or 64-bit)

     IIS 7 (with ASP.NET)

     Microsoft® .NET Framework 4

     Microsoft® Visual Studio 2010

     Microsoft® Windows Identity Foundation Runtime

     Microsoft® Windows Identity Foundation SDK for .NET 4.0

     Microsoft® Windows PowerShell

    Setup

    For convenience, much of the code used in this hands-on lab is available as Visual Studio code snippets.

    To check the prerequisites of the lab and install the code snippets:

    1. Open a Windows Explorer window and browse to the lab's Source\Setup folder.

    2. Double-click the Dependencies.dep file in this folder to launch the Dependency Checker tool and install any missing prerequisites and the Visual Studio code snippets.

    3. If the User Account Control dialog is shown, confirm the action to proceed.

    Note: This process may require elevation. The .dep extension is associated with the Dependency Checker tool during its installation. For additional information about the setup procedure and how to install the Dependency Checker tool, refer to the Setup.docx document in the Assets folder of the training kit.

    Note: If you have never run Visual Studio before on the machine, please make sure to do so before running the setup of this lab.

    Note: When you first start Visual Studio, you must select one of the predefined settings collections. Every predefined collection is designed to match a particular development style and determines window layouts, editor behavior, IntelliSense code snippets, and dialog box options. The procedures in this lab describe the actions necessary to accomplish a given task in Visual Studio when using the General Development Settings collection. If you choose a different settings collection for your development environment, there may be differences in these procedures that you need to take into account.

Using the Code Snippets

    Throughout the lab document, you will be instructed to insert code blocks. For your convenience, most of that code is provided as Visual Studio Code Snippets, which you can use from within Visual Studio 2010 to avoid having to add it manually.

    If you are not familiar with the Visual Studio Code Snippets, and want to learn how to use them, you can refer to the Setup.docx document in the Assets folder of the training kit, which contains a section describing how to use them.

    Exercises

    This Hands-On Lab contains one single exercise:

    1. Use Access Control Service to Federate with Multiple Business Identity Providers

    Note: Each exercise is accompanied by a starting solution. These solutions are missing some code sections that are completed through each exercise and therefore will not work if run directly.

    Inside each exercise you will also find an End folder containing the resulting solution you should obtain after completing the exercise. You can use this solution as a guide if you need additional help working through the exercises.

Estimated time to complete this lab: 30 minutes

    Getting Started: Creating a Service Namespace

    To follow this lab and complete all the exercises you first need to create an AppFabric Service Namespace. Once completed, it can be used for all of the AppFabric labs and for your own projects as well.

    Task 1 Creating your AppFabric Service Namespace

    1. Navigate to https://windows.azure.com/. You will be prompted for your Windows Live ID credentials if you are not already signed in.

    2. Go to Service Bus, Access Control & Caching, located under the navigation pane.

    3. Select the Access Control item on the Navigation pane.

    4. Now you will add a new Access Control Service Namespace. An Access Control Service Namespace is the unique component of the addresses at which all your endpoints on the Access Control Service will be available. To do this, click the New Namespace button on the top left corner.

Figure 2

    Add Namespace

    5. The portal displays a dialog. Type in a name for your Namespace, select a region, choose a Subscription and click the Create Namespace button. Make sure to validate the availability of the name first. Namespace names must be globally unique: the namespace becomes part of the public endpoint addresses in the cloud, reachable by whomever you decide to grant access.

Figure 3

    Creating New Access Control Service Namespace

    Please be patient while your service is activated. It can take a few minutes while all the necessary resources are provisioned.

    Figure 4

    Activating Service Namespace

    Figure 5

    Active Service Namespace

    Exercise 1: Use ACS to Federate with Multiple Business Identity Providers

    In this exercise you are going to outsource to ACS the authentication part of a newly created web site. You will configure ACS to delegate authentication to two different business identity providers, using both the portal and the management API. If you already went through the introductory hands-on lab, you will discover that the steps you need to follow are consistent with what you had to do for using web identity providers.

    In a real-life solution, the business identity providers would expose their authentication functions using Active Directory Federation Services 2 or similar packaged software offering an STS. In order to keep the system requirements simple for the lab, here you will be using a utility which runs on the local machine and simulates a proper identity provider. The steps you need to configure ACS are, however, exactly the same as if you were using a real system.

    Note: You require an AppFabric Service Namespace to complete this exercise. If you have not already done so, complete the section Getting Started: Creating a Service Namespace.

Task 1 Creating the Initial Solution

    1. Open Microsoft Visual Studio 2010 with administrator privileges. From Start | All Programs | Microsoft Visual Studio 2010, right-click Microsoft Visual Studio 2010 and select Run as administrator.

    2. Open the WebSiteAdvancedACS.sln empty solution file located inside the Source\Ex01-ACSLabsV2Federation\Begin folder of this Lab.

    3. Create a new empty website. From File | Add | New Web Site, select Visual C# in the Installed Templates section and then click ASP.NET Web Site. Change the Web location drop-down from File System to HTTP and set the location to https://localhost/WebSiteAdvancedACS. Keep the https scheme: ACS delivers the signed token to this address through the user's browser, so a plain-HTTP return URL would expose the token in transit.

    Figure 6

    Add New Web Site

    4. In the Solution Explorer delete the following folders from the web site:

     Account

     Scripts

    And the following files:

     About.aspx

     Global.asax

Figure 7

    Solution Explorer

    5. Open the Site.master file and remove the DIV element with class named "loginDisplay" and the NavigationMenu menu control.

    ASP.NET

    <div class="page">
        <div class="header">
            <div class="title">
                <h1>
                    My ASP.NET Application
                </h1>
            </div>
            <!-- Remove this DIV: the forms-authentication login UI is replaced by ACS. -->
            <div class="loginDisplay">
                <asp:LoginView ID="HeadLoginView" runat="server" EnableViewState="false">
                    <AnonymousTemplate>
                        [ <a href="~/Account/Login.aspx" ID="HeadLoginStatus" runat="server">Log In</a> ]
                    </AnonymousTemplate>
                    <LoggedInTemplate>
                        Welcome <span class="bold"><asp:LoginName ID="HeadLoginName" runat="server" /></span>!
                        [ <asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="Redirect" LogoutText="Log Out" LogoutPageUrl="~/"/> ]
                    </LoggedInTemplate>
                </asp:LoginView>
            </div>
            <div class="clear hideSkiplink">
                <!-- Remove this Menu control: About.aspx was deleted in the previous step. -->
                <asp:Menu ID="NavigationMenu" runat="server" CssClass="menu" EnableViewState="false" IncludeStyleBlock="false" Orientation="Horizontal">
                    <Items>
                        <asp:MenuItem NavigateUrl="~/Default.aspx" Text="Home"/>
                        <asp:MenuItem NavigateUrl="~/About.aspx" Text="About"/>
                    </Items>
                </asp:Menu>
            </div>
        </div>
