Share via


Windows Azure Web Role WCF Service Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 2

Programming Windows Azure - Programming the Microsoft Cloud

This is a continuation to Windows Azure Web Role WCF Service Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 1.

Step 2 – Create and configure WCF Service as relying party in ACS v2 Management Portal

The content in this step is adapted from How To: Authenticate with Username and Password to the WCF Service Protected by Windows Azure AppFabric Access Control Service Version 2.0.

In the next procedures you will create create and configure a relying party using the ACSv2.0 management portal. A relying party application is the WCF services that you want to use to implement the federated authentication for using the ACS.

To create and a configure a relying party

  1. Navigate to https://portal.appfabriclabs.com and authenticate using Live ID.
  2. Click on Service Buss, Access Control & Caching tab.
  3. Click on Access Control node in the treeview under the AppFabric root node. List of your namespaces should appear.
  4. Select your namespace by clicking on it and then click on Access Control Service ribbon. New browser tab should open an Access Control Service page.
  5. Click the Relying Party Applications link in the Trust Relationships section.
  6. On the Relying Party Applications page, click the Add link.
  7. On the Add Relying Party Application page specify the following information:

In the Relying Party Application Settings section:

  • Name—Specify the display name for this relying party. For example, Windows Azure Username Binding Sample RP.
  • Mode—Choose the Enter settings manually option.
  • Realm—Specify the realm of your WCF service. For example, https://localhost:7000/Service/Default.aspx.
  • Return URL—Leave blank.
  • Error URL—Leave blank.
  • Token format—Choose the SAML 2.0 option.
  • Token encryption policy—Choose the Require encryption option.
  • Token lifetime (secs) —Leave the default of 600 seconds.

In the Authentication Settings section:

  • Identity providers—Leave all unchecked.
  • Rule groups—Check the Create New Rule Group option.

In the Token Signing Options section:

  • Token signing—Choose the Use a dedicated certificate option.
  • Certificate:
    • File—Browse for an X.509 certificate with a private key (.pfx file) to use for signing.
    • Password—Enter the password for the .pfx file in the field above.

In the Token Encryption section:

  • Certificate:
    • File—Browse to load the X.509 certificate (.cer file) for the token encryption for this relying party application. It should be the certificate without private key, the one that will be used for SSL protection of your WCF service.
  1. Click Save.
  2. Saving your work also triggers creating a rule group. Now you need to generate rules for the rule group.

To generate rules in the rule group

  1. Click the Rule Groups link.
  2. On the Rule Groups page, click the Default Rule Group for Windows Azure Username Binding Sample RP rule group.
  3. On the Edit Rule Group page, click the Add link at the bottom.
  4. On the Add Claim Rule page, in the If section, choose the Access Control Service option. Leave the default values for the rest of the options.
  5. Click Save.

In the next procedures you will create and configure the service identity to respond to a token request based on a username and password.

To configure the service identity for using username and password credentials

  1. Navigate to https://portal.appfabriclabs.com and authenticate using Live ID.
  2. Click on Service Buss, Access Control & Caching tab.
  3. Click on Access Control node in the treeview under the AppFabric root node. List of your namespaces should appear.
  4. Select your namespace by clicking on it and then click on Access Control Service ribbon. New browser tab should open an Access Control Service page.
  5. Click the Service Identities link in the Service Settings section.
  6. On the Service Identities page, click the Add link.
  7. On the Add Service Identity page provide a Name. You will use it as a username for your username and password pair when requesting a token.
  8. Optionally, add a description in the Description section.
  9. Click Save. The page title should change to Edit Service Identity.
  10. Click the Add link in the Credentials section. You should be redirected to the Add Credentials page.
  11. On the Add Credentials page, provide the following information:
    1. Type—Choose Password from drop-down list.
    2. Password—Enter your desired password. You will use it as a password for your username and password pair when requesting a token.
    3. Effective date—Enter the effective date for this credential.
    4. Expiration date—Enter the expiration date for this credential.
    5. Click Save.