Here is the last episode of the “how-to” series on the ACS Extensions for Umbraco, released (among a ton of other things) at the new ACS’ launch last week.
The feature described here is my favorite: the power of accepting users without having to provision them is one of the most powerful capabilities unlocked by claims-based identity. Making this work on the existing membership-oriented architecture natively supported in Umbraco was an interesting challenge, which IMO deserves to be studied further as it represents a pattern you can apply in many similar situations. Well, shortly I’ll have a long flight on which to write about it, but for now, enjoy the how-to below!
The ACS Extension’s social members integration with the Umbraco member system is, all things considered, pretty simple. It is mostly about single sign on and outsourcing authentication to the supported social providers, which makes things much more convenient for you and your users: but in the end, it is still about provisioning and assigning roles to individual members.
Now, consider for a moment what you could do if the identity provider could tell you more about your members than just their email address. If, for example, you accepted employees of one business as web site members, the identity provider could tell you things like the job they do in their organization, their phone number, the zip code of their office and many other attributes.
One possible use of that information could be to establish authorization policies; for example, you may decide that all members working in Sales for the company X should be assigned to the Power Members role in your Umbraco web site. Being able to express such policies would mean that you would no longer have to manage access control member by member: you’d be able to manage access to all the members coming from a given provider without the need to provision members one by one.
This section will show you how, with the ACS Extensions, you can achieve exactly that (and very easily) with your Umbraco web site.
The user accounts of business organizations are commonly handled via directory technologies and products, such as Active Directory in the Windows platform. Although those directories are commonly meant to be used within the intranet environment, there are technologies (such as Active Directory Federation Services (ADFS) 2) which enable users in those directories to project their identities and attributes beyond the boundaries of their company network.
ACS can broker authentication between applications and identity providers of every type, social and business. If your ACS namespace is configured to trust one or more of those business identity providers, the ACS Extensions allow you to accept federated members from them. In practice, this means that you can integrate your Umbraco web site with Active Directory and any directory service capable of federation.
In the following tutorial you will learn how to configure ACS to trust a business identity provider, and how to manage access control for its members by defining how the incoming attributes map to Umbraco’s member groups.
Figure 45 - The members section before having configured any business identity provider
On the left hand side of the screen, under the Members root, you’ll notice a node labeled Business Identity Providers. If the ACS namespace you used during setup had contained any relationship with business identity providers, the corresponding entries would have appeared here. On the right pane you’ll notice a warning which states that you have no business identity providers configured yet, and offers you a link to the section of the ACS portal that allows you to add one.
Figure 46 - The list of identity providers in the current ACS namespace
As expected, here you see the list of the social identity providers we’ve been using in the first tutorials. Let’s add one business identity provider. Click on the Add link.
Figure 47 - The first step of the Add Identity Provider flow
Note:
If you have an ADFS 2.0 instance available, feel free to use it here. For the purposes of this tutorial, we are going to use SelfSTS, a simulation tool which mimics the behavior of a WS-Federation provider for testing purposes. Here we use the SelfSTS instance distributed in the FabrikamShipping SaaS companion, which you can download from here. After having extracted the content of the package, launch the SelfSTS instance in C:\FabrikamShippingSaaS_Companion\assets\OAuthSample\AdventureWorks.SelfSTS\SelfSTS.exe and hit the start button.
Figure 48 - The information that ACS requires for establishing trust with a business identity provider
Figure 49 - The list of trusted identity providers now includes AdventureWorks
Figure 50 - The existing set of ACS rules
Figure 51 - The extended rules set now includes AdventureWorks as well
Figure 52 - The Umbraco admin UI reflects the newly added business identity provider
Figure 53 - Create mapping rule popup dialog
Figure 54 - The new rule mapping AdventureWorks’ salespeople to the Power Members group
Figure 55 - The macro in the Login page automatically reflects the changes in the list of identity providers configured in ACS
The list of identity providers now includes AdventureWorks. Make sure that the SelfSTS is running, then hit the AdventureWorks link: you will single sign on and directly access the Go further page, without any need to have a member provisioned. If you want to make a further verification, you can go back to the admin UI and modify the rule by entering clerks instead of sales in the Incoming Claim Value field, hit save and repeat the sequence above: this time the Power Members group is no longer assigned to the AdventureWorks Sales group, hence you will get Unauthorized.
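The rule check described above can be pictured as follows. This is an added sketch, not code from the ACS Extensions: the `IncomingClaim`, `MappingRule` and `GroupMapper` types are hypothetical, the role claim type URI and the exact-match comparison are assumptions, and "Contoso" is a constructed second provider. It shows why a rule is bound to the identity provider as well as to the claim value, and that the absence of a matching rule leaves the visitor with no member group.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; not the ACS Extensions' own classes.
public sealed class IncomingClaim { public string Provider, Type, Value; }
public sealed class MappingRule { public string Provider, ClaimType, ClaimValue, MemberGroup; }

public static class GroupMapper
{
    // Returns the member groups granted by the rules; an empty set means Unauthorized.
    public static ISet<string> Resolve(IList<IncomingClaim> claims, IEnumerable<MappingRule> rules)
    {
        var groups = new HashSet<string>(StringComparer.Ordinal);
        foreach (var rule in rules)
        {
            // Provider, claim type and claim value must all match exactly:
            // matching on the value alone would let any trusted provider grant the group.
            bool match = claims.Any(c =>
                string.Equals(c.Provider, rule.Provider, StringComparison.Ordinal) &&
                string.Equals(c.Type, rule.ClaimType, StringComparison.Ordinal) &&
                string.Equals(c.Value, rule.ClaimValue, StringComparison.Ordinal));
            if (match) groups.Add(rule.MemberGroup);
        }
        return groups;   // default deny: no rule matched, no group assigned
    }
}

public static class Program
{
    // Assumed claim type; the page only names the "Incoming Claim Value" field.
    const string Role = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    static string Show(ISet<string> g) { return g.Count == 0 ? "Unauthorized" : string.Join(", ", g); }

    public static void Main()
    {
        var rule = new MappingRule { Provider = "AdventureWorks", ClaimType = Role,
                                     ClaimValue = "sales", MemberGroup = "Power Members" };
        // Constructed sample tokens, reduced to the claims that matter here.
        var awSales = new List<IncomingClaim> {
            new IncomingClaim { Provider = "AdventureWorks", Type = Role, Value = "sales" } };
        var otherSales = new List<IncomingClaim> {
            new IncomingClaim { Provider = "Contoso", Type = Role, Value = "sales" } };

        Console.WriteLine(Show(GroupMapper.Resolve(awSales, new[] { rule })));    // rule as created
        Console.WriteLine(Show(GroupMapper.Resolve(otherSales, new[] { rule }))); // same value, other provider
        rule.ClaimValue = "clerks";                                               // rule edited as in the text
        Console.WriteLine(Show(GroupMapper.Resolve(awSales, new[] { rule })));
    }
}
```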
Integrating with business identity providers is a very powerful feature per se: of course nothing prevents you from mixing and matching this with the social member feature.
This is super super sweet! Going to be implementing this on Monday, will let you know how it goes (: