Authenticate Office 365 Users with Microsoft Dynamics CRM Online Web Services
This documentation applies to customers who access Microsoft Dynamics CRM Online through a Microsoft Office 365 subscription. There are multiple Microsoft Dynamics CRM Online identity providers that must be dealt with when coding an application for connecting to the Organization or Discovery web services. These providers can be identified as: managed domain, federated, and Windows Live ID. In this topic, authentication with managed domain and federated identities is discussed. For more information about how to connect to the web services through the Windows Live ID identity provider, see Active Directory and Claims-Based Authentication.
The following sections detail how to authenticate with the different Office 365 identity provider configurations of Microsoft Dynamics CRM Online.
Use the Service Proxy Classes
OrganizationServiceProxy and DiscoveryServiceProxy are the preferred classes to use when authenticating with Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online web services. These classes handle the work of setting up a WCF channel to the web services, automatic allocation of resources, claims and federated authentication, and handling of certain exceptions. By using the service proxy classes in your application code, you can concentrate on developing business-related application code.
To authenticate Office 365 users, a service proxy object is obtained through a call to the ServerConnection.GetOrganizationProxy helper code method.
OrganizationServiceProxy _serviceProxy = ServerConnection.GetOrganizationProxy(serverConfig);
You must create these proxy objects in a using statement so that the service proxy is disposed of correctly, or call Dispose directly. For sample code that uses the GetOrganizationProxy helper code method, see Sample: Quick Start for Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online.
Note |
|---|
| A public GetDiscoveryProxy method will be available in a future SDK release. In the interim, if you need to access the Discovery service for managed or federated users in Microsoft Office 365, refer to the sample code in the topic Sample: Authenticate Users with Microsoft Dynamics CRM Web Services. |
The next section provides more detailed information about the code that is employed in the GetOrganizationProxy methods. It is intended for those who want to write the authentication code themselves instead of using the helper code, or who just want to better understand how authentication is performed.
Authentication Deep Dive
The previous discussion introduced two helper methods that can be used to authenticate a user with the Microsoft Dynamics CRM web services. The following information shows how to authenticate the user without using the helper code. The complete sample from which the following examples were taken can be found in the topic Sample: Authenticate Users with Microsoft Dynamics CRM Web Services.
The following sample code demonstrates the classes and methods that you can use to authenticate an Office 365 user using the Microsoft Dynamics CRM Online web services without using the GetOrganizationProxy helper method.
IServiceManagement<IOrganizationService> orgServiceManagement =
    ServiceConfigurationFactory.CreateManagement<IOrganizationService>(
    new Uri(organizationUri));

// Set the credentials.
AuthenticationCredentials credentials = GetCredentials(endpointType);

// Get the organization service proxy.
using (OrganizationServiceProxy organizationProxy =
    GetProxy<IOrganizationService, OrganizationServiceProxy>(orgServiceManagement, credentials))
{
    // This statement is required to enable early-bound type support.
    organizationProxy.EnableProxyTypes();

    // Now make an SDK call with the organization service proxy.
    // Display information about the logged on user.
    Guid userid = ((WhoAmIResponse)organizationProxy.Execute(
        new WhoAmIRequest())).UserId;
    SystemUser systemUser = organizationProxy.Retrieve("systemuser", userid,
        new ColumnSet(new string[] { "firstname", "lastname" })).ToEntity<SystemUser>();
    Console.WriteLine("Logged on user is {0} {1}.",
        systemUser.FirstName, systemUser.LastName);
}
The code creates an IServiceManagement object for the Organization service. An object of type AuthenticationCredentials is used to contain the user’s logon credentials. The IServiceManagement object is then passed to the OrganizationServiceProxy constructor to obtain the web service proxy reference.
/// <summary>
/// Obtain the user’s authentication credentials for a specified identity provider.
/// </summary>
/// <param name="endpointType">An identity provider type.</param>
/// <returns>The credentials of the logged on user.</returns>
private AuthenticationCredentials GetCredentials(AuthenticationProviderType endpointType)
{
    AuthenticationCredentials authCredentials = new AuthenticationCredentials();
    switch (endpointType)
    {
        case AuthenticationProviderType.ActiveDirectory:
            authCredentials.ClientCredentials.Windows.ClientCredential =
                new System.Net.NetworkCredential(_userName,
                    _password,
                    _domain);
            break;
        default: // For Federated and OnlineFederated identities.
            authCredentials.ClientCredentials.UserName.UserName = _userName;
            authCredentials.ClientCredentials.UserName.Password = _password;
            // Alternately, for OnlineFederated single-sign on, you could just use current
            // UserPrincipalName instead of passing the user name and password.
            // Example: authCredentials.UserPrincipalName = UserPrincipal.Current.UserPrincipalName;
            break;
    }

    return authCredentials;
}
The AuthenticationCredentials object is configured according to the subscribed identity for the logged on user.
private TProxy GetProxy<TService, TProxy>(
    IServiceManagement<TService> serviceManagement,
    AuthenticationCredentials authCredentials)
    where TService : class
    where TProxy : ServiceProxy<TService>
{
    Type classType = typeof(TProxy);

    if (serviceManagement.AuthenticationType !=
        AuthenticationProviderType.ActiveDirectory)
    {
        AuthenticationCredentials tokenCredentials =
            serviceManagement.Authenticate(authCredentials);
        // Obtain discovery/organization service proxy for Federated, LiveId and OnlineFederated environments.
        // Instantiate a new class of type using the 2 parameter constructor of type IServiceManagement and SecurityTokenResponse.
        return (TProxy)classType
            .GetConstructor(new Type[] { typeof(IServiceManagement<TService>), typeof(SecurityTokenResponse) })
            .Invoke(new object[] { serviceManagement, tokenCredentials.SecurityTokenResponse });
    }

    // Obtain discovery/organization service proxy for ActiveDirectory environment.
    // Instantiate a new class of type using the 2 parameter constructor of type IServiceManagement and ClientCredentials.
    return (TProxy)classType
        .GetConstructor(new Type[] { typeof(IServiceManagement<TService>), typeof(ClientCredentials) })
        .Invoke(new object[] { serviceManagement, authCredentials.ClientCredentials });
}
For all deployments other than on-premises (Active Directory), the Authenticate method is invoked followed by instantiating the service proxy. Notice that the authentication credentials returned from Authenticate contain the security token response that is used in the service proxy constructor. The generic GetProxy method shown previously can be used to obtain an object reference to either OrganizationServiceProxy or DiscoveryServiceProxy.
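The same flow applied to the Discovery service, as an added example that is not part of the SDK sample code: it authenticates a managed or federated Office 365 user, builds a DiscoveryServiceProxy from the returned security token response, and lists the organizations the user can reach. It assumes a reference to the Microsoft.Xrm.Sdk assembly; the discovery URL and user name come from the command line, and CRM_PASSWORD is a hypothetical environment variable name chosen for this example so that the password is not hard-coded.

```csharp
using System;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Discovery;

// Added example (not SDK sample code): list the organizations an Office 365 user can reach.
class DiscoverOffice365Organizations
{
    static OrganizationDetailCollection Discover(Uri discoveryUri, string userName, string password)
    {
        // The user name and password are sent during authentication, so refuse plain HTTP.
        if (discoveryUri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Discovery endpoint must use HTTPS.", "discoveryUri");

        IServiceManagement<IDiscoveryService> management =
            ServiceConfigurationFactory.CreateManagement<IDiscoveryService>(discoveryUri);

        // This example covers only the claims-based branch of GetProxy.
        if (management.AuthenticationType == AuthenticationProviderType.ActiveDirectory)
            throw new NotSupportedException("On-premises Active Directory endpoint; use ClientCredentials.");

        AuthenticationCredentials credentials = new AuthenticationCredentials();
        credentials.ClientCredentials.UserName.UserName = userName;
        credentials.ClientCredentials.UserName.Password = password;

        // Authenticate returns credentials that carry the SecurityTokenResponse.
        AuthenticationCredentials tokenCredentials = management.Authenticate(credentials);

        // Same two-parameter constructor that GetProxy selects by reflection.
        using (DiscoveryServiceProxy discoveryProxy =
            new DiscoveryServiceProxy(management, tokenCredentials.SecurityTokenResponse))
        {
            RetrieveOrganizationsResponse response = (RetrieveOrganizationsResponse)
                discoveryProxy.Execute(new RetrieveOrganizationsRequest());
            return response.Details;
        }
    }

    static void Main(string[] args)
    {
        // args[0] = discovery service URL, args[1] = user name (both supplied by the caller).
        // CRM_PASSWORD is a hypothetical environment variable name chosen for this example.
        string password = Environment.GetEnvironmentVariable("CRM_PASSWORD");
        if (args.Length != 2 || string.IsNullOrEmpty(password))
            throw new ArgumentException("Usage: <discoveryUrl> <userName>, with CRM_PASSWORD set.");
        foreach (OrganizationDetail org in Discover(new Uri(args[0]), args[1], password))
            Console.WriteLine("{0} ({1}): {2}", org.FriendlyName, org.UniqueName,
                org.Endpoints[EndpointType.OrganizationService]);
    }
}
```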
© 2012 Microsoft Corporation. All rights reserved.