Windows Azure AppFabric Access Control Service (ACS) v2 has a feature called Error URL that allows a web site to display friendly message in case of error during the authentication/federation process. For example, during the authentication with Facebook or Google a user asked for consent after successful authentication. If the user denies ACS generates an error that could be presneted to a user in a friendly manner. Another case is when there is a mis-configuration at ACS level, for example, no rules generated for specific identity provider which results in error generated by ACS.

How to show friendly error message for these cases, branded with the look an feel as the rest of my website?

The solution is using Error URL feature available through ACS management portal. ACS generated JSON encoded error message and passes it to your error page. You need to specify the URL of the error page on ACS management portal so that ACS will know where to pass the information. Your error page should pars the JSON encoded error message and render appropriate HTML for the end user. Here is a sample JSON encoded error message:

{"context":null,"httpReturnCode":401,"identityProvider":"Google","timeStamp":"2010-12-17 21:01:36Z","traceId":"16bba464-03b9-48c6-a248-9d16747b1515","errors":[{"errorCode":"ACS30000","errorMessage":"There was an error processing an OpenID sign-in response."},{"errorCode":"ACS50019","errorMessage":"Sign-in was cancelled by the user."}]}

Summary of steps:

To process error messages from ACS complete these steps:

• Step 1 – Enable Error URL Feature
• Step 2 – Create Error Helper Classes
• Step 3 – Process JSON Encoded Error Message
• Step 4 – Configure Anonymous Access To The Error Page
• Step 5 – Test Your Work

Step 1 – Enable Error URL Feature

To enable Error URL feature for your relying party:

1. Login to http://portal.appfabriclabs.com.
2. On the My Projects page click on your project.
3. On the Project:<<YourProject>> page click on  Access Control link for desired namespace.
4. On the Access Control Settings: <<YourNamespace>> page click on Manage Access Control link.
5. On the Access Control Service page click on Relying Party Applications link.
6. On the Relying Party Applications page click on your relying party application.
7. On the Edit Relying Party application page notice Error URL field in Relying Party Application Details section.
8. Inter your error page URL. This is the page that will receive JSON URL encoded parameters that include the error details.

Step 2 – Create Error Helper Classes

This step helps creating Error helpers classes for deserializing JSON encoded error messages.

To create Error Helper Classes:

1. Add class file and give it a name, for example, Error.cs.
2. Implement the Error class as follows:

   public class Error
   {
       public string errorCode { get; set; }
       public string errorMessage { get; set; }
   }

3. Add another class file and give it a name, for example, ErrorDetails.cs.
4. Implement the ErrorDetials class as follows:

   public class ErrorDetails
   {
       public string context { get; set; }
       public int httpReturnCode { get; set; }
       public string identityProvider { get; set; }
       public Error[] errors { get; set; }
   }

5. These classes will be used in the next step when processing error messages from ACS.

Step 3 – Process JSON Encoded Error Message

To process JSON encoded error message generated by ACS:

1. Add an aspx web page to your ASP.NET application. And give it a name, for example, ErrorPage.aspx. It will serve as an error page that will process the JSON encoded error message sent from ACS.
2. Add the following labels controls to the ASP.NET markup:

   <asp:Label ID="lblIdntityProvider" runat="server"></asp:Label>
   

   <asp:Label ID="lblErrorMessage" runat="server"></asp:Label>
   

3. Switch to the page’s code behind file, ErrorPge.aspx.cs.
4. Add the following declaration to the top:

   using System.Web.Script.Serialization;

5. Add the following code to Page_Load method:

   JavaScriptSerializer serializer = new JavaScriptSerializer();
   ErrorDetails error = serializer.Deserialize<ErrorDetails>( 
                                        Request["ErrorDetails"] );
   lblIdntityProvider.Text = error.identityProvider;
   lblErrorMessage.Text = string.Format("Error Code {0}: {1}", 
                                        error.errors[0].errorCode, 
                                        error.errors[0].errorMessage);

6. The above code is responsible for processing JSON encoded error messages received from ACS. You might want to loop through the errors array as it might have additional more fine grained error information.

Step 4 – Configure Anonymous Access To The Error Page

To configure anonymous access to the error page:

1. Open web.config of your application and add the following entry: 

     <location path="ErrorPage.aspx">
       <system.web>
         <authorization>
           <allow users="*" />
         </authorization>
       </system.web>
     </location>
   

2. This will make sure you are not get into infinite redirection loop.

Step 5 – Test Your Work

To test Error URL feature:

1. Login to http://portal.appfabriclabs.com.
2. On the My Projects page click on your project.
3. On the Project:<<YourProject>> page click on  Access Control link for desired namespace.
4. On the Access Control Settings: <<YourNamespace>> page click on Manage Access Control link.
5. On the Access Control Service page click on Rule Groups link.
6. On the Rule Groups page click on the rule group related to your relying party.
7. WARNING: This step cannot be undone. If you are deleting generated rules they can be easily generated once more. On the Edit Rule Group page delete all rules. To delete all rules check all rules in the Rules section and click Delete Selected Rules link.
8. Click Save button.
9. Return to your web site and navigate to one of the pages using browser.
10. You should be redirected to your identity provider for authentication – Windows LiveID, Google, Facebook, Yahoo!, or ADFS 2.0 – whatever is configured for your relying party as identity provider.
11. After successful authentication your should be redirected back to ACS which should generate an error since no rules defined.
12. This error should be displayed on your error page that you created in step 2, similar to the following:

uri:WindowsLiveID
Error Code ACS50000: There was an error issuing a token.

Another way to test it is denying user consent. This is presented when you login using Facebook or Google.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• ACS Error Codes
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Videos: Windows Azure Security Essentials For Decision Makers, Security Architecture, Access, and Secure Development
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites