CHAPTER 9

AUTHENTICATING USERS WITH .NET ACCESS CONTROL SERVICES

Transcript of Chapter 9.pdf (47 slides)

CONTENTS

• Creating the .NET Services Solution
• Installing the .NET Services SDK and other Tools
• Creating the CardSpace Credentials at Federatedidentity.net
• Using a Managed CardSpace Credential with ACS

INTRODUCTION

• .NET Access Control Services (ACS) is one of the .NET Services for the Windows Azure Platform.

• ACS is a customizable, cloud-based Security Token Service (STS) that supports user authentication by any of the following credentials:

❑ User (solution) name and password
❑ Windows Live ID
❑ Windows CardSpace
❑ X.509 certificate
❑ Security Assertion Markup Language (SAML) tokens issued by third-party STSs

SAML

• SAML is ‘‘an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).’’
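As an added example (not code from the chapter, from Microsoft, or from the Identity Lab), the following Python consumes a SAML 1.1 assertion of the kind a third-party STS issues and performs the checks a consumer of assertions must make before trusting its claims: the issuer is the expected one, the assertion is addressed to this relying party (AudienceRestrictionCondition), and the current time lies inside the NotBefore/NotOnOrAfter window. The issuer URL, the audience URN, the subject, the attribute values and the timestamps are constructed for the demo. Signature verification over the real XML-DSig, which the WIF/WCF token handlers perform, is assumed to have happened before this code runs, and ElementTree is used for brevity where production code would parse untrusted XML with a hardened parser such as defusedxml.

```python
"""Consume a SAML 1.1 assertion: check issuer, audience and validity window, then extract claims."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample assertion (assumed issuer URL, audience URN, names and times; not from the page).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_demo-1" Issuer="https://ipsts.federatedidentity.net/"
    IssueInstant="2009-07-01T12:00:00Z">
  <saml:Conditions NotBefore="2009-07-01T12:00:00Z" NotOnOrAfter="2009-07-01T12:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:example:oakleaf-acs</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

VALID_AT = datetime(2009, 7, 1, 12, 5, tzinfo=timezone.utc)     # inside the window
EXPIRED_AT = datetime(2009, 7, 1, 12, 10, tzinfo=timezone.utc)  # equals NotOnOrAfter: must be rejected


def _utc(ts: str) -> datetime:
    """SAML timestamps are UTC with a trailing 'Z'; fromisoformat needs '+00:00' on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_claims(xml_text: str, expected_issuer: str, expected_audience: str, now: datetime) -> dict:
    """Return {claim type: value} from the assertion, or raise ValueError if it must not be trusted."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    # Issuer check: an assertion from any other STS is not accepted, whatever it says.
    if root.get("Issuer") != expected_issuer:
        raise ValueError(f"untrusted issuer {root.get('Issuer')!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no validity window")
    # NotOnOrAfter is exclusive: an assertion is already invalid at that instant.
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # Audience check: a token minted for another relying party must not be replayed here.
    audiences = {a.text.strip()
                 for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text}
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # SAML 1.1 names an attribute by namespace + name; WIF exposes that pair as the claim type.
        ctype = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims[ctype] = (attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
    return claims
```

The three rejections (wrong issuer, wrong audience, expired) all raise before any claim is read, so a caller never sees partial claims from an assertion it should not trust.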


INTRODUCTION

• ACS is an STS infrastructure hosted in Windows Azure that authenticates credentials and issues tokens.

• ACS also provides a role-based authorization framework that relies on claims-based rules.

• Integrating ACS with an Azure WebRole or other .NET applications requires installing the Windows Identity Foundation SDK.

INTRODUCTION

• Windows Identity Foundation builds on the Windows Communication Foundation (WCF) infrastructure to implement WS-Trust and comes with an HttpModule called the WS-Federation Authentication Module (FAM) that simplifies implementation.

• WS-Federation is the web services (WS-*) specification for federating identities from a variety of sources (domains) to simplify sharing services from secure web sites and SOAP-based services.

CREATING .NET SERVICES SOLUTION

• You must create a .NET Services solution before you can take advantage of ACS and ‘‘Geneva’’ Framework features.

• A .NET Services solution provides all three .NET Services: ACS, Service Bus, and Workflow Services.

CREATING .NET SERVICES SOLUTION

• To create .NET Services, go to http://portal.ex.azure.microsoft.com/ and accept the Terms of Use to open the My Subscriptions page.

• Click the Add Solution link to open the Create Solution page and type a unique name for the solution.

• Click the Validate Name link to test for uniqueness (see Figure 9-1).

Figure 9-1: Assign a unique name for the .NET Services solution

• Click OK to add the solution to the My Subscriptions page and start the provisioning process (see Figure 9-2).

Figure 9-2: The Create Solution page displays a row for each service solution you add.

• Click the Access Control Service link to open the Manage the Microsoft .NET Access Control page (see Figure 9-3).

MICROSOFT GENEVA

• ‘‘Geneva’’ is Microsoft's web identity framework.

• ‘‘Geneva’’ consists of the following three components:

❑ Windows Identity Foundation (‘‘Geneva’’ Framework) for building .NET applications that use claims to make user access decisions
❑ Active Directory Federation Services (‘‘Geneva’’ Server), a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access
❑ Windows CardSpace (Windows CardSpace ‘‘Geneva’’) for helping users navigate access decisions and for developers to build custom authentication experiences for users

CREATING CARDSPACE CREDENTIALS AT FEDERATEDIDENTITY.NET

• Microsoft's Identity Lab (Identity Protocols Security Token Service, ipsts) is a set of hosted security token services to support testing of identity protocols.

• The goal of the lab is to provide a set of custom test endpoints to evaluate the interoperability of identity protocols, including Microsoft CardSpace, among multiple partners and vendors.

• Microsoft promotes its CardSpace credentials as an industry-standard, SAML v1.1-compliant source of identity information.

• To obtain a managed CardSpace information card, browse to the Microsoft Identity Lab's Logon page.

• Click the Sign Up button to open the Registration page. Type a fictitious name in the Username text box, a password in the Password and Confirm Password text boxes, and mark the Accept Terms of Use check box.

• Click Submit to open the Claims Configuration page. Accept the default (marked) setting for the By Default, Release the Following Claims to Any Relying Party check box. These are the minimum claims required by most relying parties; anything marked here is released to every relying party you present the card to, so keep this default set to the minimum. Type fictitious names in the First Name and Last Name text boxes and accept the referring party's Email Address.

• Click Continue to open the Edit Profile Information/Manage Relying Party Policies page, which lets you add to and edit the information you entered.

• Click the Edit Profile Information link to open an expanded version of the Claims Configuration page. Select the items for your default profile by marking the four associated check boxes.

• Click Submit to return to the Edit Profile Information/Manage Relying Party Policies page, then click Save.

• Click the Edit/View button to open the Edit a Policy page.

• Mark the check boxes for the profile items you want to release, click Browse, and navigate to the public key file for ACS that's included in the Azure Services Toolkit.

• Click Save to save your changes and return to the Edit Profile Information page.


• Now click the Download Your Username/Password Card button to open the File Download dialog for the InformationCard.crd file, and click Yes when asked whether you want to save the card with Windows CardSpace on your local computer.

• This adds the CardSpace Information Card credential to the Windows CardSpace Control Panel tool.


USING A MANAGED CARDSPACE CREDENTIAL WITH ACS

• Figure 9-10 shows the seven primary interactions between Service Requesters, Access Control solutions and Relying Parties when using managed CardSpace Information Cards issued by a third-party IP.


CONFIGURING FEDERATEDIDENTITY.NET AS A RECOGNIZED TOKEN ISSUER

• Navigate to the Manage Solution page. Sign in with the credential you used to create the oakleaf-acs solution.

• Navigate to and click the oakleaf-acs solution's Access Control Service link to open the Solution: oakleaf-acs page.

• Click the Manage Scopes button to open the Scopes page, and open the Solution Name list.


• Select service bus in the Solution Name list to add a new scope for the Service Bus project, and click the Manage link to open the Scope Management: Rules page.

• Click the Issuers link to open the Scope Management: Issuers page, and click the Add Issuer button to open the Scope Management: Add Issuers page.

• Type a friendly name, FederatedIdentityNet, in the Display Name text box.

• Click Save to recognize the new token issuer and return to the Scope Management: Issuers page.

• Click the Rules link to open the Scope Management: Rules page.

• To understand how rules work, click the Edit link of the first input claim to display the Scope Management: Edit Rule page.

• The Input Claim(s): Type list lets you select one of the custom claim types; the Value text box contains the value to be matched for the rule to take effect; the Issuer text box contains the scope name.

• The Output Claim(s): Type list contains the same eight choices as the Input Claim(s): Type list; the Value text box for the Action type contains Send, which sends the input claim's value to the output claim.

• To add the required Group claim, click the Claim Types link to open the Claim Types list.

• Click Add Claim Types to open the Add Claim Type form, type Group in the Display Name text box, and click Save to save the new claim type and return to the Scope Management page.


Adding the Group rule to the scope
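The seven interactions in Figure 9-10 and the Issuers, Rules and Claim Types pages above amount to a claims-transformation pipeline: the identity provider asserts claims, the ACS scope accepts them only from issuers registered on its Issuers page, rewrites them according to its rules, and signs a new token for the relying party, which trusts the ACS signature rather than the original issuer. The following Python is an added example (not the chapter's code and not Microsoft's) that models that pipeline for one scope. The scope name oakleaf-acs, the issuer display name FederatedIdentityNet and the Group claim type are taken from the text; the claim values, the EchoAdmins group, the second issuer and the HMAC key standing in for the scope's signing certificate are constructed for the demo, and the behaviour that claims matched by no rule are dropped rather than passed through is an assumption of the example.

```python
"""ACS-style scope: registered issuers in, rule-produced claims out, signed for the relying party."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Claim:
    ctype: str   # claim type as shown in the portal's Type list, e.g. "Email" or "Group"
    value: str
    issuer: str  # display name of the issuer that asserted the claim


@dataclass(frozen=True)
class Rule:
    """One row of the Scope Management: Rules page."""
    in_type: str
    in_value: str
    in_issuer: str
    out_type: str
    out_value: Optional[str] = None  # None means Action "Send": copy the input value through


class Scope:
    def __init__(self, name: str, issuers: Iterable[str], rules: Iterable[Rule], signing_key: bytes):
        self.name = name
        self.issuers = set(issuers)      # Scope Management: Issuers page
        self.rules = list(rules)         # Scope Management: Rules page
        self.signing_key = signing_key   # stand-in (assumed HMAC key) for the scope's signing certificate

    def transform(self, claims: Iterable[Claim]) -> List[Claim]:
        """Apply every matching rule; a claim from an unregistered issuer never reaches a rule."""
        out: List[Claim] = []
        for c in claims:
            if c.issuer not in self.issuers:
                continue
            for r in self.rules:
                if (r.in_type, r.in_value, r.in_issuer) == (c.ctype, c.value, c.issuer):
                    out.append(Claim(r.out_type, c.value if r.out_value is None else r.out_value, self.name))
        return out  # assumption: claims matched by no rule are dropped, not passed through

    def issue_token(self, claims: Iterable[Claim]) -> str:
        """Return a token carrying only rule-produced claims, bound to this scope and signed by it."""
        body = json.dumps({"scope": self.name, "claims": [asdict(c) for c in self.transform(claims)]},
                          sort_keys=True)
        tag = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


def relying_party_accept(token: str, expected_scope: str, acs_key: bytes) -> Set[Tuple[str, str]]:
    """What the EchoService side does: trust the ACS signature, not whoever first asserted the claims."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(acs_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token was not issued by the trusted ACS scope")
    doc = json.loads(body)
    if doc["scope"] != expected_scope:
        raise ValueError("token issued for a different scope")
    return {(c["ctype"], c["value"]) for c in doc["claims"]}


# Constructed demo data (values are made up; only the scope and issuer names come from the text).
ACS_KEY = b"demo-scope-signing-key"
DEMO_SCOPE = Scope("oakleaf-acs", issuers=["FederatedIdentityNet"], rules=[
    Rule("Email", "alice@example.com", "FederatedIdentityNet", "Group", "EchoAdmins"),  # the Group rule
    Rule("Email", "alice@example.com", "FederatedIdentityNet", "Email"),                # Send: pass value
], signing_key=ACS_KEY)

DEMO_CLAIMS = [
    Claim("Email", "alice@example.com", "FederatedIdentityNet"),
    Claim("Email", "alice@example.com", "SomeOtherSTS"),    # same value, but issuer is not registered
    Claim("Name", "Alice Example", "FederatedIdentityNet"),  # no rule for it: never leaves ACS
]


def demo() -> Set[Tuple[str, str]]:
    """Run the pipeline end to end and return the claim set the relying party ends up trusting."""
    return relying_party_accept(DEMO_SCOPE.issue_token(DEMO_CLAIMS), "oakleaf-acs", ACS_KEY)
```

The point the Issuers page makes in the portal is visible in transform(): the SomeOtherSTS claim carries exactly the value the Group rule matches, yet it produces nothing because the issuer was never registered, so an attacker who can mint tokens at an STS of their own cannot reach the Group claim that way.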


VERIFYING THE MANAGED CARDSPACE CARD(S) WITH THE ECHOSERVICE

• The Federation.sln solution's Service and Client projects are command-line applications for a sample WCF EchoService.

• The service simply echoes the text sent to it by invoking the Echo(string text) method.

• To test it, open Federation.sln in VS 2008, right-click Solution Explorer's Service node and choose Debug, Start New Instance to start the WCF service and open the console window.

• Type the ACS solution name, press Enter, type your solution's password, and press Enter.


• Start the Client project by right-clicking the Client node and choosing Debug, Start New Instance.

• Type the solution name and press Enter.

• After a few seconds, Windows CardSpace's Do You Want to Send a Card to This Site dialog opens to let you select the managed card to send to the site.

• Click the Yes, Choose a Card to Send link to open the Choose a Card dialog.

• Select the ipsts.federatedidentity.net card and click the Preview button to open a Do You Want to Send dialog.

• Click Retrieve to update the CardSpace credential with recently modified data.

• Click Send to open the Enter Your Password dialog.

• Type the password for your FederatedIdentity.net account and click OK to send the token to your ACS solution and echo the message, as shown in Figure 9-27.

THANK YOU