Friday, May 9, 2014

How to Authenticate MVC5 Web Users with Azure Active Directory Access Control ACS

Posted by Andre Broers
In this example I will show how to do authentication with Azure ACS from an MVC 5 web application. For this example I will use Visual Studio 2013. But we will start with some work in the Azure Management Portal.
The first thing we do is create a new Access Control namespace. Click NEW at the bottom of the portal, select Access Control - Quick Create, type a unique namespace name (in my case my1stacs) and select your region.

Click Create to create the new ACS namespace. Now select the ACCESS CONTROL NAMESPACES tab to find your new namespace. Select it and click MANAGE at the bottom.

Now it is time to fire up Visual Studio and create our MVC 5 Website.
Open Visual Studio 2013 and click New Project. Select an ASP.NET Web Application, give it a location and a name and click OK.

Select MVC as the template and click on Change Authentication. Choose Organizational Accounts and select On-Premises as option. (On-Premises? Yes :-) )

Now go back to our ACS management portal, click Application integration (under Development) on the left and select the WS-Federation Metadata URL.

Copy this URL and paste it into the On-Premises Authority field in Visual Studio.

You can leave the App ID URI empty. You can change this value later in the web.config when you deploy to another location.
Click OK, and again OK. Our web application is now being generated.

Check the web.config for our Realm.

Now go back to our ACS management portal and create a new Relying Party (our web application).
Click Trust relationships - Relying party applications and click Add.

Type the Name, the Realm and the Return URL. The Realm and the Return URL are the same value and are the ones found in the web.config.

Leave the rest at the defaults and press Save at the bottom of the form.

We have now created a Relying party for the default Windows Live provider.

And it has created a default rule group.

Open Rule groups and click on the Default rule group:

Now click Generate to add the default rules, which pass the claims from the Windows Live ID provider through to our ACS relying party.

Click Generate and then Save.

How to implement ACS Single Sign-off functionality

Now go back to Visual Studio. The first thing we want to create is a logoff button, so we can log off and retry our demo without clearing cookies and so on.

Edit the file _LoginPartial.cshtml

So that it looks like this:

In this you have to change the hostname to the one of your ACS namespace and the wtrealm to your realm; the last link is the page to return to after the logoff. In our case that is the home page, where you get redirected to the Windows Live login page again.

Try running the web application. You immediately get redirected to the login page. When you log in at the identity provider it will redirect you to the home page of your application. Use the logoff link to disconnect again.

Only protect a certain area of the site

In the next example we are only going to protect the About page. So all pages of our web application are open, but when you go to the About page you have to authorise. It is as simple as it always was with ASP.NET web applications: edit the web.config file:

Let's comment out both authorisation sections from the web.config so that we have no authentication on our web application anymore.
Next open up HomeController.cs and add an Authorize attribute to our About method.

When we run our WebApplication1 we can browse our app freely as long as we stay away from the About page. (If you are still connected, hit the logoff link to sign out and see that you can still access the web application.) When you click the About page you will get redirected to Windows Live to log on, and after that you will get redirected to the About page.

How to access the claims we got from ACS?

Use the following code to access the claims from the connected user:
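As an added example (not code from the original post), the controller below lists the claims ACS passed through for the signed-in user and builds the same WS-Federation sign-out link that the logoff link in _LoginPartial.cshtml uses, clearing the local session cookie first. The ACS namespace, the realm and the controller name are assumed placeholders; replace them with your own values from the portal and web.config.

```csharp
using System;
using System.IdentityModel.Services;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

namespace WebApplication1.Controllers
{
    public class AcsDemoController : Controller
    {
        // Hypothetical placeholders: use your own ACS namespace (my1stacs in the post)
        // and the realm value from the wsFederation element in web.config.
        private const string AcsNamespace = "my1stacs";
        private const string Realm = "https://localhost:44300/";

        // Lists the claims ACS passed through for the signed-in user.
        [Authorize]
        public ActionResult Claims()
        {
            var principal = User as ClaimsPrincipal;
            if (principal == null || !principal.Identity.IsAuthenticated)
                return new HttpUnauthorizedResult();
            // ACS adds this claim itself; it tells you which identity provider
            // (here Windows Live ID) actually authenticated the user.
            var idp = principal.FindFirst(
                "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider");
            var lines = principal.Claims
                .Select(c => c.Type + " = " + c.Value + " (issuer: " + c.Issuer + ")")
                .ToList();
            lines.Insert(0, "Identity provider: " + (idp == null ? "(none)" : idp.Value));
            return Content(string.Join(Environment.NewLine, lines), "text/plain");
        }

        // Clears the local WIF session cookie (FedAuth) first, then sends the browser to
        // the ACS WS-Federation sign-out endpoint; ACS returns the browser to wreply.
        public ActionResult SignOut()
        {
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
            var returnUrl = Url.Action("Index", "Home", null, Request.Url.Scheme);
            return Redirect(BuildSignOutUrl(AcsNamespace, Realm, returnUrl));
        }

        // The WS-Federation sign-out URL the logoff link in _LoginPartial.cshtml points at.
        public static string BuildSignOutUrl(string acsNamespace, string realm, string returnUrl)
        {
            return string.Format(
                "https://{0}.accesscontrol.windows.net/v2/wsfederation?wa=wsignout1.0&wtrealm={1}&wreply={2}",
                acsNamespace, HttpUtility.UrlEncode(realm), HttpUtility.UrlEncode(returnUrl));
        }
    }
}
```

Browse to /AcsDemo/Claims after logging in to see the pass-through claims, and check that the identityprovider claim names the provider you expect before trusting the other claims.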

Happy .netting