Code Sample: WCF Federated Authentication With AD FS 2.0
Published: May 4, 2011
Updated: January 4, 2013
Applies To: Windows Azure
This sample illustrates how to implement federated authentication using Windows Azure Active Directory Access Control (also known as Access Control Service or ACS) and an Active Directory Federation Services (AD FS) 2.0 identity provider with a WCF relying party web service. The sample includes a WCF service and a WCF client as command line applications. The WCF service requires client authentication using a SAML token from ACS, which is obtained via another SAML token acquired from an AD FS 2.0 identity provider. The web service client requests a SAML token from AD FS 2.0 using Windows Authentication, and then exchanges this token for the ACS token required to access the WCF service. The code for this sample is located in the Acs2FederationSample (C#\WebServices\Acs2FederationSample) subdirectory of the Windows Azure Active Directory Access Control (ACS) Code Samples package.
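The two token exchanges described above, written out as an added example (it is not the sample's own code) with the WIF 3.5 Microsoft.IdentityModel WS-Trust classes. The AD FS endpoint, the service realm and the certificate file path are the values the sample's App.config uses; the ACS namespace name, the ACS realm used as AppliesTo for the AD FS request, the ACS WS-Trust endpoint path, the service contract and the DNS identity of the service certificate are assumptions.

```csharp
// Added example, not the sample's own code: the client-side flow from the overview.
// (1) Windows auth to AD FS 2.0 -> bearer SAML token whose audience is ACS
// (2) that token to ACS           -> symmetric-key SAML token whose audience is the service
// (3) call the WCF service with the ACS token, proving possession of the symmetric key.
// Uses WIF 3.5 (Microsoft.IdentityModel). Assumptions are marked below.
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

[ServiceContract]
public interface IReverseService   // assumed contract; the sample's service reverses a string
{
    [OperationContract]
    string Reverse(string input);
}

public static class FederatedClient
{
    // Values from the sample's client App.config.
    const string IdpEndpointAddress = "https://contoso.com/adfs/services/trust/13/windowsmixed";
    const string ServiceAddress = "http://localhost:7200/Service/Default.aspx";
    const string ServiceCertificateFilePath = @"..\..\..\Certificates\WcfServiceCertificate.cer";

    // Assumptions: the namespace name, ACS's own realm (the entityID of its federation
    // metadata) and the ACS WS-Trust 1.3 endpoint that accepts an issued token and returns
    // a symmetric-proof-key token (the RP was registered with "Require Encryption").
    const string AcsNamespace = "yournamespace";
    const string AcsRealm = "https://" + AcsNamespace + ".accesscontrol.windows.net/";
    const string AcsEndpointAddress = AcsRealm + "v2/wstrust/13/issuedtoken-symmetric";

    // Hop 1: the "windowsmixed" endpoint is HTTPS transport security with the Windows
    // credential inside the message, hence TransportWithMessageCredential. The token is
    // requested for ACS, not for the service, so AD FS never sees the service realm.
    public static SecurityToken GetTokenFromAdfs()
    {
        var binding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(IdpEndpointAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(AcsRealm),
            KeyType = KeyTypes.Bearer,
        };
        var channel = (WSTrustChannel)factory.CreateChannel();
        return channel.Issue(rst);
    }

    // Hop 2: present the AD FS token to ACS as the client credential and ask for a token
    // scoped to the service realm. ACS checks the AD FS signature, applies the pass-through
    // rules, then issues a token signed with ACS2SigningCertificate and encrypted to
    // WcfServiceCertificate.
    public static SecurityToken GetTokenFromAcs(SecurityToken adfsToken)
    {
        var binding = new IssuedTokenWSTrustBinding();   // TransportWithMessageCredential
        binding.KeyType = SecurityKeyType.BearerKey;      // the AD FS token is a bearer token
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AcsEndpointAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(ServiceAddress),  // must equal the RP realm in ACS
            KeyType = KeyTypes.Symmetric,
        };
        var channel = factory.CreateChannelWithIssuedToken(adfsToken);
        return channel.Issue(rst);
    }

    // Hop 3: call the service over message security with the ACS token. The service
    // certificate is pinned from the file shipped with the sample, so the proof key is only
    // ever encrypted to that key; the DNS identity is assumed to match the cert's subject.
    public static string CallService(SecurityToken acsToken, string input)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
        binding.Security.Message.NegotiateServiceCredential = false;  // cert supplied out of band
        binding.Security.Message.EstablishSecurityContext = false;

        var address = new EndpointAddress(new Uri(ServiceAddress),
            EndpointIdentity.CreateDnsIdentity("WcfServiceCertificate"));   // assumed CN
        var factory = new ChannelFactory<IReverseService>(binding, address);
        factory.Credentials.ServiceCertificate.DefaultCertificate =
            new X509Certificate2(ServiceCertificateFilePath);
        factory.ConfigureChannelFactory();   // WIF extension: issued-token support on the factory

        var channel = factory.CreateChannelWithIssuedToken(acsToken);
        return channel.Reverse(input);
    }

    public static void Main()
    {
        var adfsToken = GetTokenFromAdfs();
        var acsToken = GetTokenFromAcs(adfsToken);
        Console.WriteLine(CallService(acsToken, "hello"));
    }
}
```

Two points matter for security here: the AppliesTo of each request is the realm of the next hop, never the final service for the AD FS request, so each issuer only ever scopes a token to the party it trusts directly; and the service certificate is loaded from a known file rather than negotiated, which is what prevents a rogue endpoint from obtaining the proof key.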
Prerequisites
To run this sample, you will need:
- A Windows Azure account (sign up at http://go.microsoft.com/fwlink/?LinkId=130560) and an Access Control namespace
- Visual Studio 2010 (any version)
- Windows Server 2008
- AD FS 2.0 and its requirements. For more information about AD FS 2.0 and its requirements, see Checklist: Setting Up a Federation Server (http://go.microsoft.com/fwlink/?LinkId=182177).
For more details, see ACS Prerequisites (http://go.microsoft.com/fwlink/?LinkId=221065).
Configuring the Sample
The ACS configuration required for this sample can be performed using either the ACS Management Portal or the ACS Management Service. This topic describes both options.
- Option 1: Configuring the sample using the ACS Management Portal
- Option 2: Configuring the sample using the ACS Management Service
Since the sample uses AD FS 2.0 as the federation server, AD FS 2.0 must be installed and configured in your environment. For more information about installing AD FS 2.0, see Checklist: Setting Up a Federation Server (http://go.microsoft.com/fwlink/?LinkId=182177).
Option 1: Configuring the Sample Using the ACS Management Portal
To configure the sample using the ACS Management Portal
- Go to the Windows Azure Management Portal, sign in, and then click Active Directory.
- To create an Access Control namespace, click New, click App Services, click Access Control, and then click Quick Create. (Or, click Access Control Namespaces before clicking New.)
- To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.) This action opens the Access Control Service management portal.
- To add AD FS 2.0 as your identity provider, you will need its WS-Federation metadata document, which the AD FS 2.0 server publishes at /FederationMetadata/2007-06/FederationMetadata.xml. For example, if your AD FS 2.0 server is reachable as contoso.com, the metadata URL is https://contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
  If the server running AD FS 2.0 is reachable from the Internet (ACS fetches the document itself over HTTPS), you can enter this URL directly. Otherwise, save the document to your computer and upload it to ACS when adding the identity provider.
- Click Identity Providers and then click Add.
- Select WS-Federation identity provider and click Next. Complete the form either by entering the URL or by uploading the saved file, depending on where the metadata document is available.
- To register your application with ACS, click Relying party applications, click Add, and enter the following information in the form:
  - In the Name field, enter Federation Sample RP
  - In the Realm field, enter http://localhost:7200/Service/Default.aspx
  - In the Token format field, select SAML 2.0
  - In the Token encryption policy field, select Require Encryption
  - In the Identity Providers field, select the AD FS 2.0 identity provider added in the previous step
  - For Token signing, select Use a dedicated certificate and select the ACS2SigningCertificate.pfx file, located in the Certificates folder of this sample. Enter a password of password. (The sample certificates and their published password are for local testing only; use keys you generated yourself for anything beyond this sample.)
  - For the Token encryption certificate, select the WcfServiceCertificate.cer file in the Certificates folder of this sample.
  - Click Save.
- To create the rules that determine the claims that ACS will issue to your application, click Rule Groups. Select Default Rule Group for Federation Sample RP, click Generate, select AD FS 2.0, and then click Generate.
  This process creates pass-through rules for AD FS 2.0 based on the claim types present in the WS-Federation metadata.
- To add the decryption certificate, click Certificates and keys, and then click the Add link for Token Decryption. ACS uses this certificate to decrypt incoming tokens from the AD FS 2.0 identity provider.
- In the Certificate field, browse to the Certificates folder of this sample and select ACS2DecryptionCert.pfx. The password for this certificate is password.
- Click Save to complete the form.
Option 2: Configuring the Sample Using the ACS Management Service
The Visual Studio sample solution contains a console application called ConfigureSample that uses the ACS Management Service and the common helpers defined in the Common class library. This application can be used to configure your Access Control namespace for use with this sample.
To configure the sample using the ACS Management Service
- To configure the sample, open SamplesConfiguration.cs (acs\Management\ManagementService\Common). Replace the placeholders in the SamplesConfiguration class in the Common class library with information about your Access Control namespace. You can find the information in the ACS Management Portal.
  To navigate to the ACS Management Portal: Go to the Windows Azure Management Portal, sign in, and then click Active Directory. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
  - ServiceNamespace - Enter the name of your Access Control namespace.
  - ManagementServiceIdentityName - Enter the name of an ACS management service account. The default is ManagementClient.
    To find the management service account name, in the ACS Management Portal, click Management service. The accounts are listed by name under Management Service Accounts.
  - ManagementServiceIdentityKey - Enter the password for the management service account.
    To find the management service account password, in the ACS Management Portal, click Management service. Click the name of a management service account, and then, under Credentials, click Password. The password appears in the Password field. To copy the password, click Show Password. This key grants full administrative control of the namespace, so keep it out of source control.
- Update the following metadata-related settings in Program.cs in ConfigureSample:
  - IdentityProviderMetadataUrl - The URL of the WS-Federation metadata of your AD FS 2.0 server. This setting can be found in the AD FS 2.0 console under Service\Endpoints.
  - entityId - The issuer name that ACS will use for your AD FS 2.0 identity provider. In the metadata document, this is the value of the entityID attribute of the EntityDescriptor element.
- Run the ConfigureSample application in Visual Studio. This configures ACS to run this sample.
Configuring AD FS 2.0
With ACS configured, the AD FS 2.0 endpoints must be configured to allow mixed-mode Windows authentication, and a relying party trust for ACS must be created.
To configure AD FS 2.0
- On the server running AD FS 2.0, open the AD FS 2.0 management console.
- Expand Service and select Endpoints. Right-click the /adfs/services/trust/13/windowsmixed endpoint and enable it.
- To restart the AD FS 2.0 service, open an elevated command prompt and run:
  net stop adfssrv && net start adfssrv
- To add the relying party trust for ACS, right-click Relying Party Trusts and select Add Relying Party Trust.
- In this wizard, enter the federation metadata address for ACS, which is https://<your namespace>.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml. This address is also shown on the Application Integration page of the ACS Management Portal.
- Follow the remaining steps of the wizard (enter a display name, select Permit all users to access this relying party). Before clicking Finish, ensure that the Open the Edit Claim Rules dialog checkbox is selected.
- In the rule editor, click Add Rule, select the Send LDAP Attributes as Claims template, click Next, and enter the following information:
  - Enter a display name for the rule
  - In the Attribute store drop-down list, select Active Directory
  - In the LDAP Attribute column, select E-Mail-Addresses
  - In the Outgoing Claim Type column, select E-Mail Address
- To complete the wizard, click Finish.
Running the sample
To run the sample
- Open the sample in Visual Studio. The solution consists of two main projects: WcfService and WcfClient.
- If you have not already done so, enter your Access Control namespace details in Common\SamplesConfiguration.cs. For details on these settings, see the first step of Option 2: Configuring the Sample Using the ACS Management Service above. This file is also used by the WcfService and WcfClient projects.
- Open the App.config file in the WcfClient project.
- Enter your IdpEndpointAddress under the appSettings element. You can find this address in your AD FS 2.0 endpoint settings; in a typical configuration it is https://<your-server>/adfs/services/trust/13/windowsmixed. Below is the relevant part of the client App.config file:

  <appSettings>
    <!-- Idp configuration. This configuration depends on the idp binding used -->
    <add key="IdpEndpointAddress" value="https://contoso.com/adfs/services/trust/13/windowsmixed"/>
    <!-- Service configuration -->
    <add key="ServiceAddress" value="http://localhost:7200/Service/Default.aspx"/>
    <add key="ServiceCertificateFilePath" value="..\..\..\Certificates\WcfServiceCertificate.cer"/>
  </appSettings>

- Open the App.config file in the WcfService project and set IdpEndpointAddress to the same value you used in the previous step. Note that the service side holds the private key (the .pfx) and its password in plain text in App.config; this is acceptable only for a sample, and a deployed service should load the certificate from a certificate store instead.

  <appSettings>
    <!-- ACS v2 configuration -->
    <add key="AccessControlSigningCertificateFilePath" value="..\..\..\Certificates\ACS2SigningCertificate.cer"/>
    <!-- Idp configuration. This configuration depends on the idp binding used -->
    <add key="IdpEndpointAddress" value="https://contoso.com/adfs/services/trust/13/windowsmixed"/>
    <!-- Service configuration -->
    <add key="ServiceAddress" value="http://localhost:7200/Service/Default.aspx"/>
    <add key="ServiceCertificateFilePath" value="..\..\..\Certificates\WcfServiceCertificate.pfx"/>
    <add key="ServiceCertificatePassword" value="password"/>
  </appSettings>

- To run the sample, start the WcfService and then start the WcfClient. At the client, enter a string to reverse.
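What the service side has to check before it trusts a token, as an added example (not the sample's own code) using WIF 3.5 to host the service. The certificate paths, password and realm are the values from the sample's service App.config; the service contract, the service class name and the ACS issuer name are assumptions. The example makes the three checks explicit: the token must be signed by the ACS signing certificate (matched by thumbprint), its audience must be this service's realm, and it must decrypt with the service's private key. It then reads the e-mail claim that the AD FS rule above issues and the ACS pass-through rule forwards.

```csharp
// Added example, not the sample's own code: hosting the WCF service with WIF 3.5 so that it
// accepts only SAML 2.0 tokens that (a) are signed by the ACS signing certificate,
// (b) name this service's realm as audience, and (c) decrypt with the service's private
// key. Paths, password and realm are from the sample's App.config; contract, class name and
// the ACS issuer name are assumptions.
using System;
using System.IdentityModel.Selectors;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;

[ServiceContract]
public interface IReverseService
{
    [OperationContract]
    string Reverse(string input);
}

public class ReverseService : IReverseService
{
    public string Reverse(string input)
    {
        // WIF has already validated signature, audience and decryption before this runs;
        // the principal it sets is the only thing the operation should trust.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new FaultException("Unauthenticated caller.");

        // The e-mail claim is produced by the AD FS "Send LDAP Attributes as Claims" rule and
        // passed through by the ACS rule group; its absence means the rule chain is broken.
        var email = principal.Identities[0].Claims
            .FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);
        if (email == null)
            throw new FaultException("Token carries no e-mail claim; check the AD FS and ACS rules.");

        var chars = input.ToCharArray();
        Array.Reverse(chars);
        return new string(chars);
    }
}

public static class FederatedServiceHost
{
    const string ServiceAddress = "http://localhost:7200/Service/Default.aspx";
    const string AccessControlSigningCertificateFilePath = @"..\..\..\Certificates\ACS2SigningCertificate.cer";
    const string ServiceCertificateFilePath = @"..\..\..\Certificates\WcfServiceCertificate.pfx";
    const string ServiceCertificatePassword = "password";   // sample only; use a cert store in production
    const string AcsIssuerName = "https://yournamespace.accesscontrol.windows.net/";   // assumption

    public static ServiceHost CreateHost()
    {
        var signingCert = new X509Certificate2(AccessControlSigningCertificateFilePath);
        var serviceCert = new X509Certificate2(ServiceCertificateFilePath, ServiceCertificatePassword);

        var config = new ServiceConfiguration();

        // (a) Trust exactly one signing key, identified by thumbprint. Any token signed by
        //     another key, including one from AD FS directly, is rejected as untrusted issuer.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(signingCert.Thumbprint, AcsIssuerName);
        config.IssuerNameRegistry = issuers;

        // (b) Always require an audience and accept only this realm, so a token ACS issued
        //     for a different relying party in the same namespace cannot be replayed here.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ServiceAddress));

        // (c) Private key that decrypts the token ("Require Encryption" in ACS) and the proof key.
        config.ServiceCertificate = serviceCert;

        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
        binding.Security.Message.IssuedTokenType = "urn:oasis:names:tc:SAML:2.0:assertion";
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;

        var host = new ServiceHost(typeof(ReverseService), new Uri(ServiceAddress));
        host.AddServiceEndpoint(typeof(IReverseService), binding, string.Empty);
        host.Credentials.ServiceCertificate.Certificate = serviceCert;
        FederatedServiceCredentials.ConfigureServiceHost(host, config);   // WIF takes over token validation
        return host;
    }

    public static void Main()
    {
        using (var host = CreateHost())
        {
            host.Open();
            Console.WriteLine("Listening at " + ServiceAddress + ". Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The issuer registry is the control that makes the second hop mandatory: because only the ACS signing thumbprint is registered, a client cannot skip ACS and present the AD FS token to the service directly, and the audience check stops a token minted for another relying party in the same namespace from being accepted here.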