
How to: Use ACS Management Service to Configure Rules and Rule Groups

Published: April 7, 2011

Updated: January 4, 2013

Applies To: Windows Azure

Applies To

  • Windows Azure Active Directory Access Control (also known as Access Control Service or ACS)

Overview

You can configure ACS rules and rule groups using either the ACS Management Portal (for more information, see Rule Groups and Rules) or the ACS Management Service. Working with the ACS Management Service can be more efficient if you are building a custom user interface for managing ACS or if you want to automate the onboarding of a new tenant for multi-tenant Software as a Service (SaaS) solutions.

Steps for Configuring Rules and Rule Groups using the ACS Management Service

Important
Before performing the following steps, make sure that your system meets all of the .NET framework and platform requirements that are summarized in ACS Prerequisites.

To configure rules and rule groups using the ACS Management Service, complete the following steps:

Step 1 – Collect ACS Configuration Information

You can use the ACS Management Portal to collect the necessary configuration information. For more information about how to launch the ACS Management Portal, see ACS Management Portal.

To collect ACS configuration information

  1. Launch the ACS Management Portal. For more information about how to launch the ACS Management Portal, see ACS Management Portal.

  2. Get the value of the ACS management service account. You can use the default ManagementClient account. To view this value, in the ACS Management Portal, click Management service under the Administration section in the tree on the left-hand side of the page.

  3. Get the value of the ACS Management Service account password. To view this value, do the following:

    1. In the ACS Management Portal, click Management service under the Administration section in the tree on the left-hand side of the page.

    2. On the Management Service page, click ManagementClient under Management Service Accounts.

    3. On the Edit Management Service Account page, under Credentials, click Password.

    4. On the Edit Management Credential page, copy the value in the Password field.

  4. Get the name of your Windows Azure namespace from the Windows Azure portal or from the URL of your ACS Management Portal. For example, in http://contoso.accesscontrol.windows.net, the name is contoso.

  5. Get the ACS hostname. Usually, it is accesscontrol.windows.net.

Step 2 – Create a Sample Console Application

In this step, you create a sample console application that can run the code for adding your ACS rule groups and rules.

To create a sample console application

  1. Open Visual Studio 2012 and create a new console application project under the Windows installed template.

  2. Add the following code to the Program class, and then set the serviceIdentityPasswordForManagement, serviceNamespace, and acsHostName constants to the configuration values that you collected in the previous step.

    public const string serviceIdentityUsernameForManagement = "ManagementClient";
    public const string serviceIdentityPasswordForManagement = "My Password/Key for ManagementClient";
    public const string serviceNamespace = "MyNameSpaceNoDots";
    public const string acsHostName = "accesscontrol.windows.net";
    public const string acsManagementServicesRelativeUrl = "v2/mgmt/service/";
    // Holds the SWT token obtained from ACS so that it is requested only once per process run.
    static string cachedSwtToken;
    
    

Step 3 – Add References to the Required Services and Assemblies

In this step you identify and add the required dependencies to the services and assemblies.

To add the required dependencies to the services and assemblies

  1. Right-click References, click Add Reference, and add a reference to System.Web.Extensions.

    Note
    You might have to right-click your sample console application name in the Solution Explorer, select Properties, and change the target framework of your sample application from .NET Framework 4 Client Profile (assigned by default when you create a new console application) to .NET Framework 4.

  2. Right-click Service References, click Add Service Reference, and add a service reference to the Management Service. The Management Service URL is unique to your namespace and looks similar to the following:

    https://YOURNAMESPACE.accesscontrol.windows.net/v2/mgmt/service

  3. Add the following declarations, where MyConsoleApplication is the name of your console application and MyServiceReference is the name of your service reference. The first four namespaces are normally already present in a new console project; the code in the following steps depends on them (String, Uri, Dictionary, Encoding, and the LINQ Where/FirstOrDefault operators):

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Web;
    using System.Net;
    using System.Data.Services.Client;
    using System.Collections.Specialized;
    using System.Web.Script.Serialization;
    using System.Globalization;
    using System.Runtime.Serialization.Json;
    using MyConsoleApplication.MyServiceReference;
    
    

Step 4 – Implement the Management Service Client

In this step you implement the Management Service client.

To implement the Management Service client

  1. Add the following method to the Program class:

    public static ManagementService CreateManagementServiceClient()
    {
        string managementServiceEndpoint = String.Format(CultureInfo.InvariantCulture, "https://{0}.{1}/{2}",
            serviceNamespace,
            acsHostName,
            acsManagementServicesRelativeUrl);
        ManagementService managementService = new ManagementService(new Uri(managementServiceEndpoint));

        // Attach the bearer token to every request the service client sends.
        managementService.SendingRequest += GetTokenWithWritePermission;

        return managementService;
    }
    
    
  2. Add the following code to the Program class to create GetTokenWithWritePermission method and its helper methods. GetTokenWithWritePermission and its helpers add the SWT OAuth token to the Authorization header of the HTTP request.

    public static void GetTokenWithWritePermission(object sender, SendingRequestEventArgs args)
    {
        GetTokenWithWritePermission((HttpWebRequest)args.Request);
    }

    public static void GetTokenWithWritePermission(HttpWebRequest args)
    {
        if (cachedSwtToken == null)
        {
            cachedSwtToken = GetTokenFromACS();
        }

        args.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + cachedSwtToken);
    }

    private static string GetTokenFromACS()
    {
        //
        // Request a token from ACS
        //
        WebClient client = new WebClient();
        client.BaseAddress = string.Format(CultureInfo.CurrentCulture,
                                           "https://{0}.{1}",
                                           serviceNamespace,
                                           acsHostName);

        NameValueCollection values = new NameValueCollection();
        values.Add("grant_type", "client_credentials");
        values.Add("client_id", serviceIdentityUsernameForManagement);
        values.Add("client_secret", serviceIdentityPasswordForManagement);
        values.Add("scope", client.BaseAddress + acsManagementServicesRelativeUrl);

        byte[] responseBytes = client.UploadValues("/v2/OAuth2-13", "POST", values);

        string response = Encoding.UTF8.GetString(responseBytes);

        // Parse the JSON response and return the access token
        JavaScriptSerializer serializer = new JavaScriptSerializer();

        Dictionary<string, object> decodedDictionary = serializer.DeserializeObject(response) as Dictionary<string, object>;

        return decodedDictionary["access_token"] as string;
    }
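
The token flow in this step has one property worth seeing in isolation: the C# above stores the token in cachedSwtToken and never refreshes it, so a long-running process keeps sending an expired token once its lifetime passes. The following Python model is an added example, not code from the page or from ACS: it builds the same client_credentials form that GetTokenFromACS posts to /v2/OAuth2-13, parses an access_token out of a constructed JSON response, and caches it only until expires_in has elapsed (less a safety skew). The namespace "contoso", the fake clock, the fake endpoint and the token values are all constructed for the example.

```python
import json
from urllib.parse import urlencode

# Constructed sample configuration (no real credentials); these stand in for
# the page's serviceNamespace, acsHostName and acsManagementServicesRelativeUrl.
SERVICE_NAMESPACE = "contoso"
ACS_HOST_NAME = "accesscontrol.windows.net"
MGMT_RELATIVE_URL = "v2/mgmt/service/"
TOKEN_PATH = "/v2/OAuth2-13"


def build_token_request(client_id, client_secret):
    """Return (url, form_body) for the client_credentials grant the page's
    GetTokenFromACS method posts; the scope is the management service URL."""
    base = f"https://{SERVICE_NAMESPACE}.{ACS_HOST_NAME}"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": base + "/" + MGMT_RELATIVE_URL,
    }
    return base + TOKEN_PATH, urlencode(form)


class TokenCache:
    """Caches the access token but honours expires_in, which the page's
    cachedSwtToken field does not: once set it is never refreshed."""

    def __init__(self, fetch, now, skew=60):
        self._fetch = fetch      # callable returning the raw JSON response body
        self._now = now          # callable returning the current time in seconds
        self._skew = skew        # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0     # how many times the endpoint was actually called

    def authorization_header(self):
        """Value for the Authorization header, fetching a new token when needed."""
        if self._token is None or self._now() >= self._expires_at - self._skew:
            body = self._fetch()
            self.fetch_count += 1
            decoded = json.loads(body)
            self._token = decoded["access_token"]
            # int() accepts expires_in whether the endpoint returns it as a number or a string;
            # a missing expires_in yields 0, so the token is refreshed on the next request.
            self._expires_at = self._now() + int(decoded.get("expires_in", 0))
        return "Bearer " + self._token


def demo():
    """Constructed offline walk-through with a fake clock and a fake token endpoint."""
    clock = {"t": 1000.0}
    responses = iter([
        json.dumps({"access_token": "tok-1", "expires_in": "600"}),
        json.dumps({"access_token": "tok-2", "expires_in": 600}),
    ])
    cache = TokenCache(fetch=lambda: next(responses), now=lambda: clock["t"])
    first = cache.authorization_header()   # fetches tok-1, valid until t=1600
    clock["t"] += 300
    second = cache.authorization_header()  # t=1300: served from the cache
    clock["t"] += 300
    third = cache.authorization_header()   # t=1600: inside the skew window, so tok-2 is fetched
    return first, second, third, cache.fetch_count


if __name__ == "__main__":
    print(build_token_request("ManagementClient", "<placeholder secret>"))
    print(demo())
```

The fetch callable is injected so the cache can be exercised without network access; in a real client it would perform the POST shown in the C# above and return the response body.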
    
    
    

Step 5 – Add a Rule Group

In this step you add a rule group using the Management Service client you created in the step above.

To add a rule group

  1. Initialize the Management Service client by adding the following code to the Main method in the Program class:

    ManagementService svc = CreateManagementServiceClient();
    
    
  2. Add your new rule group (you can call it “mygroup”, as shown in the code below) and save changes by adding the following code to the Main method in the Program class:

    RuleGroup rg = new RuleGroup();
    rg.Name = "mygroup";
    svc.AddToRuleGroups(rg);
    svc.SaveChanges(SaveChangesOptions.Batch);
    
    

Step 6 – Add a Rule

In this step you add a rule to the rule group you created in the previous step using the ACS Management Service.

To add a rule

  1. Establish a variable for "LOCAL AUTHORITY", which is a built-in issuer name that represents your Access Control namespace, by adding the following code to the Main method in the Program class:

    // "LOCAL AUTHORITY" is a built-in IDP name that represents the Access Control namespace.
    Issuer localAuthority = svc.Issuers.Where(m => m.Name == "LOCAL AUTHORITY").FirstOrDefault();
    
    
  2. Do one of the following:

    1. To add a basic rule, add the following code to the Main method in the Program class:

      
      //EXAMPLE #1 - BASIC RULE
      Rule basicRule = new Rule()
      {
          InputClaimType = "https://acs/your-input-type",
          InputClaimValue = "inputValue",
          OutputClaimType = "https://acs/your-output-type",
          OutputClaimValue = "outputValue",
      };

      basicRule.Description = string.Format(CultureInfo.InvariantCulture,
          "Transforms claim from {0} with type: {1}, value: {2}, into a new claim with type: {3}, value: {4}",
          "ACS",
          basicRule.InputClaimType,
          basicRule.InputClaimValue,
          basicRule.OutputClaimType,
          basicRule.OutputClaimValue);

      svc.AddToRules(basicRule);
      svc.SetLink(basicRule, "RuleGroup", rg);
      svc.SetLink(basicRule, "Issuer", localAuthority);
      svc.SaveChanges(SaveChangesOptions.Batch);
      
      
      
    2. To add a rule that passes through a specific input claim and value, add the following code to the Main method in the Program class:

      //EXAMPLE #2 - PASSTHROUGH SPECIFIC TYPE AND VALUE RULE
      Rule passthroughSpecificClaimRule = new Rule()
      {
          InputClaimType = "https://acs/your-input-type2",
          InputClaimValue = "inputValue2",
      };

      passthroughSpecificClaimRule.Description = string.Format(CultureInfo.InvariantCulture,
          "Passthrough claim from {0} with type: {1}, value: {2}",
          "ACS",
          passthroughSpecificClaimRule.InputClaimType,
          passthroughSpecificClaimRule.InputClaimValue);

      svc.AddToRules(passthroughSpecificClaimRule);
      svc.SetLink(passthroughSpecificClaimRule, "RuleGroup", rg);
      svc.SetLink(passthroughSpecificClaimRule, "Issuer", localAuthority);
      svc.SaveChanges(SaveChangesOptions.Batch);
      
      
    3. To add a rule that passes through the value of a specific input claim, add the following code to the Main method in the Program class:

      //EXAMPLE #3 - PASSTHROUGH SPECIFIC TYPE RULE
      Rule passthroughAnyClaimWithSpecificTypeRule = new Rule()
      {
          InputClaimType = "https://acs/your-input-type3",
      };

      // The description must refer to this rule's own input type, not to the rule from example #2.
      passthroughAnyClaimWithSpecificTypeRule.Description = string.Format(CultureInfo.InvariantCulture,
          "Passthrough claim from {0} with type: {1}, and any value",
          "ACS",
          passthroughAnyClaimWithSpecificTypeRule.InputClaimType);

      svc.AddToRules(passthroughAnyClaimWithSpecificTypeRule);
      svc.SetLink(passthroughAnyClaimWithSpecificTypeRule, "RuleGroup", rg);
      svc.SetLink(passthroughAnyClaimWithSpecificTypeRule, "Issuer", localAuthority);
      svc.SaveChanges(SaveChangesOptions.Batch);
      
      
    4. To add a rule that passes through any input claim that matches a specific value, add the following code to the Main method in the Program class:

      //EXAMPLE #4 - PASSTHROUGH ANY CLAIM W/SPECIFIC VALUE RULE
      Rule passthroughAnyClaimWithSpecificValueRule = new Rule()
      {
          InputClaimValue = "inputValue3",
      };

      // The description must refer to this rule's own input value, not to the rule from example #2.
      passthroughAnyClaimWithSpecificValueRule.Description = string.Format(CultureInfo.InvariantCulture,
          "Passthrough claim from {0} with any type, and specific value {1}",
          "ACS",
          passthroughAnyClaimWithSpecificValueRule.InputClaimValue);

      svc.AddToRules(passthroughAnyClaimWithSpecificValueRule);
      svc.SetLink(passthroughAnyClaimWithSpecificValueRule, "RuleGroup", rg);
      svc.SetLink(passthroughAnyClaimWithSpecificValueRule, "Issuer", localAuthority);
      svc.SaveChanges(SaveChangesOptions.Batch);
      
      
    5. To add a rule that transforms a certain input claim type into a different output claim type but passes through (retains) the claim value, add the following code to the Main method in the Program class:

      //EXAMPLE #5 - COMPLEX RULE
      Rule complexTransformationRule = new Rule()
      {
          InputClaimType = "https://acs/your-input-type4",
          OutputClaimType = "https://acs/your-output-type2",
      };

      complexTransformationRule.Description = string.Format(CultureInfo.InvariantCulture,
          "Transforms claim from {0} with type: {1}, and any value, into a new claim with type: {2}, keeping (passing through) the old value",
          "ACS",
          complexTransformationRule.InputClaimType,
          complexTransformationRule.OutputClaimType);

      svc.AddToRules(complexTransformationRule);
      svc.SetLink(complexTransformationRule, "RuleGroup", rg);
      svc.SetLink(complexTransformationRule, "Issuer", localAuthority);

      svc.SaveChanges(SaveChangesOptions.Batch);
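
The five examples differ only in which of the four Rule properties are set, and it is easier to see what each combination does to an incoming token by running the rules over some claims. The Python model below is an added example, not ACS's own engine and not code from the page: it applies the rule semantics the five descriptions state (an unset input property matches anything, an unset output property keeps the input value or type) to constructed input claims, using the page's placeholder claim types. It is a simplification: the Issuer dimension is left out because every rule above is linked to "LOCAL AUTHORITY", and a claim that no rule matches produces no output claim, which is why a rule group needs explicit passthrough rules for claims it wants to keep.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A claim is modelled as a (type, value) pair; the issuer that ACS rules also
# carry (always "LOCAL AUTHORITY" in the examples above) is omitted here.
Claim = Tuple[str, str]


@dataclass
class Rule:
    """Mirrors the four optional Rule properties set in examples #1 to #5."""
    input_claim_type: Optional[str] = None    # None = match any input type
    input_claim_value: Optional[str] = None   # None = match any input value
    output_claim_type: Optional[str] = None   # None = keep the input type
    output_claim_value: Optional[str] = None  # None = keep the input value

    def matches(self, claim: Claim) -> bool:
        ctype, cvalue = claim
        if self.input_claim_type is not None and self.input_claim_type != ctype:
            return False
        if self.input_claim_value is not None and self.input_claim_value != cvalue:
            return False
        return True

    def apply(self, claim: Claim) -> Claim:
        ctype, cvalue = claim
        new_type = ctype if self.output_claim_type is None else self.output_claim_type
        new_value = cvalue if self.output_claim_value is None else self.output_claim_value
        return (new_type, new_value)


def transform(rules: List[Rule], claims: List[Claim]) -> List[Claim]:
    """Apply every matching rule to every input claim. A claim that no rule
    matches produces nothing; identical output claims are emitted once."""
    output: List[Claim] = []
    for claim in claims:
        for rule in rules:
            if rule.matches(claim):
                produced = rule.apply(claim)
                if produced not in output:
                    output.append(produced)
    return output


# The five rules from Step 6, with the page's placeholder claim types and values.
RULE_GROUP = [
    Rule("https://acs/your-input-type", "inputValue",
         "https://acs/your-output-type", "outputValue"),        # example 1: basic transform
    Rule("https://acs/your-input-type2", "inputValue2"),         # example 2: passthrough type + value
    Rule("https://acs/your-input-type3"),                        # example 3: passthrough type, any value
    Rule(input_claim_value="inputValue3"),                       # example 4: passthrough value, any type
    Rule("https://acs/your-input-type4",
         output_claim_type="https://acs/your-output-type2"),     # example 5: change type, keep value
]


def demo() -> List[Claim]:
    """Constructed input claims chosen to exercise each rule plus one miss."""
    incoming = [
        ("https://acs/your-input-type", "inputValue"),
        ("https://acs/your-input-type2", "inputValue2"),
        ("https://acs/your-input-type2", "not-inputValue2"),  # matches no rule: dropped
        ("https://acs/your-input-type3", "anything"),
        ("https://acs/unlisted-type", "inputValue3"),
        ("https://acs/your-input-type4", "keep-me"),
    ]
    return transform(RULE_GROUP, incoming)


if __name__ == "__main__":
    for claim_type, claim_value in demo():
        print(claim_type, "=", claim_value)
```

The third input claim shows the consequence of example #2 only passing through one exact value: a claim of the same type with a different value is not carried into the output token unless another rule matches it.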
      
      

See Also

Concepts

ACS How To's

© 2013 Microsoft. All rights reserved.