Federated Authentication for Windows Azure Service Bus

Authors: Jaime Alva Bravo, Mike Wasson

This article shows how to use your current Active Directory Federation Services (ADFS) authentication with Windows Azure Service Bus.

Windows Azure Service Bus enables on-premise systems to communicate with applications running on Windows Azure, or with systems on other networks.

Figure 1. Using Service Bus to communicate with on-premise systems.

When using Service Bus, authentication is an critical feature to consider. To prevent unauthorized users from sending or receiving messages, you must secure your Service Bus namespace using Windows Azure Active Directory Control (ACS). One option is to create a shared secret, which is essentially a name and password. However, this option requires that you manage a separate set of passwords, revoke them if needed, and so on.

Your on-premise systems already use authentication. In a Windows environment, you probably use Active Directory. Instead of rolling out new authentication methods for the cloud, you can leverage your existing authentication. Users log in with their normal domain credentials, and Active Directory Federation Services (ADFS) authenticates the user to ACS (Figure 2). Now you can manage user credentials in a single place. You can also use domain security groups to control Service Bus permissions.

Figure 2. Authenticating Service Bus with ADFS.

Prerequisites

• A Windows Azure subscription.
  
  
• ADFS 2.0 installed on an on-premise computer, and administrative rights to the server.
  
  
• The Federation Service component of ADFS. For more information, see Install the Federation Service component of ADFS
  
  
• Windows Azure client libraries.
  
  
• Windows Identity Framework SDK
  
  

This article assumes that you are familiar with brokered messaging in Windows Azure Service Bus. For more information, see Queues, Topics, and Subscriptions. The code example in the article uses Service Bus queues, but the same principles apply to topics and subscriptions.

Terminology

The terminology used in ACS and ADFS can get somewhat confusing. Here are the main terms to understand:

• Claim: A statement about a subject. For example, “User A belongs to security group B.” Claims can be used to grant permissions. For example, you might allow users in security group B to create new service bus queues, while users in security group C have only Send and Receive permissions.
  
  
• Identity Provider: A service that authenticates a user’s identity. In this article, ADFS is the identify provider.
  
  
• Relying party: The application that consumes ADFS claims. In this article, Service Bus is the relying party.
  
  
• Relying party trust: An ADFS object that maintains the relationship with the relying party.
  
  
• Rule group: Rules that define which claims are passed from the identity provider (ADFS) to the relying party application (Service Bus). A rule group also defines mappings, so that claims from the identity provider translate into claims that are meaningful to the relying party application.
  
  
• Security Assertion Markup Language (SAML) token: The data format that ADFS uses to present claims to the relying party.
  
  

Create a Service Bus Namespace

First, use the Windows Azure Platform Management Portal to create a Service Bus namespace. Follow the steps listed in How to: Create or Modify a Service Bus Service Namespace.

When the Service Bus namespace is activated, click Access Key, and then click Open ACS Management Portal. The name of your Service Bus namespace appears at the top of the portal in the Service Namespace field with a "-sb" suffix. For example, if your Service Bus namespace is "Contoso," it is displayed as "Service Namespace: Contoso-sb".

Then get the URI for WS-Federation Metadata, as follows:

1. Click Application Integration.

2. In the Endpoint Reference table, look for “WS-Federation Metadata”. Copy this URI.

For example, if the Service Bus namespace is “contoso,” the URI is https://contoso-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml.

Add a Relying Party Trust to ADFS

Next, add a relying party trust to ADFS.

1. To open the ADFS 2.0 Management Console, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.

2. Under the AD FS 2.0\Trust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import Data. Paste in the WS-Federation Metadata URI that you got from the Windows Azure Management Portal. (See the previous section.)

   

5. On the Specify Display Name page, choose a display name.

6. On the Choose Issuance Authorization Rules page, select “Permit all users to access this relying party.”

7. Click Next to finish the wizard.

8. In the Edit Claim Rules dialog, click OK.

Enable the ADFS Identity Provider in Windows Azure ACS

In the Windows Azure Management Portal, add the ADFS identity provider.

1. In the Management Portal, click Service Bus.

2. Select your Service Bus namespace.

3. Click Access Key.

4. Click Open ACS Management Portal.

5. Under Trust Relationships, click Identity Providers.

6. Click Add.

7. Select WS-Federation identity provider.

8. Click Next.

9. Under Display name, enter a display name, such as “Contoso ADFS”.

10. Under WS-Federation metadata, choose one of the following options:

    • Enter the URL to the Federation Metadata endpoint: https://hostname/FederationMetadata/2007-06/FederationMetadata.xml.
      
      
    • Open the Federation Metadata endpoint URI in a local browser window, save the XML file, and upload this file to the Windows Azure Management Portal.
      
      

11. Under Login link text, enter a login link name

12. Under Used By, select Service Bus as the relying party application.

Note
In the ADFS 2.0 Management Console, you can get the URI for the federation metadata as follows: Under the AD FS 2.0\Service folder, click Endpoints. The URI is listed under Metadata. Look for the URI with Type equal to “Federation Metadata.”

Add a Rule Group

In the Windows Azure Management Portal, add a rule group to grant permissions to service bus. To keep the example simple, we will allow any user from the ADFS domain to have read, write, and manage rights.

1. In the Management Portal, click Service Bus.

2. Select your Service Bus namespace, click Access Key, and then click Open ACS Management Portal.

3. Click Rule groups.

4. Click Add.

5. Enter a name, such as “Contoso ADFS Rule Group”.

6. Click Save.

Next, add rules to the rule group.

1. On the Edit Rule Group page, click Add.

2. Set the following values.

   • Output claim type: In the Enter type box, enter “net.windows.servicebus.action”.
     
     
   • Output claim value: In the Enter value box, enter “Manage”.
     
     
   • Description: Enter a description, such as “Manage Service Bus”.
     
     

3. Click Save.

4. Repeat steps 1–3 to add two more rules:

   • Claim type = “net.windows.servicebus.action”, claim value = “Listen”
     
     
   • Claim type = “net.windows.servicebus.action”, Claim value = “Send”
     
     

5. To associate the rule group with your application, click Relying Party Applications.

6. Click Service Bus.

7. Under Authentication Settings, make sure that the ADFS identity provider is selected.

8. Under Rule Groups, select the rule group that you created.

   

Get a SAML Token

To authenticate with ACS, the client application must obtain a claims token from ADFS.

The following code shows how to obtain the token, using Kerberos for authentication.

C#

using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;
using System;
using System.IdentityModel.Tokens;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;

class Program
{
    public static string GetSamlClaim(Uri tokenRequestUri, Uri kerberosEndpoint)
    {
        using (var trustChannelFactory = new WSTrustChannelFactory(
                new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                new EndpointAddress(kerberosEndpoint)))
        {
            trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
            trustChannelFactory.Credentials.Windows.ClientCredential = 
                CredentialCache.DefaultNetworkCredentials;

            RequestSecurityToken rst = new RequestSecurityToken(
                WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer)
                {
                    AppliesTo = new EndpointAddress(tokenRequestUri),
                    TokenType =  
                        Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml11TokenProfile11
                };

            WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
            GenericXmlSecurityToken token = channel.Issue(rst) as GenericXmlSecurityToken;
            return token.TokenXml.OuterXml;
        };
    }

    static void Main(string[] args)
    {
        Uri tokenUri = new Uri("https://contoso-sb.accesscontrol.windows.net/");
        Uri kerberosEndpoint = 
            new Uri("https://yourhostname/adfs/services/trust/13/kerberosmixed");

        string token = GetSamlClaim(tokenUri, kerberosEndpoint);
    }
}

The GetSamlClaim method shown in this example has two input parameters:

• The management endpoint for your Service Bus namespace. For example, if the namespace is “contoso”, the management endpoint is https://contoso-sb.accesscontrol.windows.net. You can find the endpoint URI in the Management Portal. Go to the Service Bus portal, select your Service Bus namespace, and view the namespace properties.
  
  
• The ADFS Kerberos endpoint, which is https://hostname/adfs/services/trust/13/kerberosmixed
  
  

Authenticate Service Bus

Once you have the SAML token, you can use the token to access your Service Bus namespace. The following code shows a simple example of sending and receiving a message on a Service Bus queue.

static void QueueMessage(string token, string serviceNamespace)
{
    string queueName = "myQueue";

    TokenProvider credentials = TokenProvider.CreateSamlTokenProvider(token);
    Uri uri = ServiceBusEnvironment.CreateServiceUri("sb", serviceNamespace, "");
    NamespaceManager manager = new NamespaceManager(uri, credentials);

    QueueDescription myQueue;
    if (manager.QueueExists(queueName))
    {
        myQueue = manager.GetQueue(queueName);
    }
    else
    {
        myQueue = manager.CreateQueue(queueName);
    }

    var factory = MessagingFactory.Create(uri, credentials);
    var queueClient = factory.CreateQueueClient(queueName);

    // Send a message.
    var message = new BrokeredMessage();
    message.Properties.Add("greeting", "hello!");
    queueClient.Send(message);

    // Receive a message
    message = queueClient.Receive(TimeSpan.FromSeconds(5));
    if (message != null)
    {
        Console.WriteLine(message.Properties["greeting"]);
        message.Complete();
    }

    queueClient.Close();
    factory.Close();
}

The TokenProvider.CreateSamlTokenProvider method creates a SamlTokenProvider object, which manages the SAML token.

Authenticating by Security Group

Service Bus defines three claims that grant different permissions:

• Manage: Lets you create and delete Service Bus queues and topics.
  
  
• Send: Lets you send messages.
  
  
• Receive: Lets you receive messages.
  
  

For details, see Service Bus Authentication and Authorization with the Access Control Service.

In the previous sections, we granted all three of the permission types to every user. However, you might want to restrict access to certain users. For example, some users can create or delete queues, so these users have Manage permissions. Other users might have Listen and Send, but not Manage.

Suppose that you created an Active Directory security group named “SBAdmins.” Let’s see how you can restrict Manage permissions to members of this group.

First, add a claim rule in ADFS. This rule will convey the user’s security group to ACS.

1. In ADFS Management Console, select the Trust Relationships/Relying Party Trusts folder.

2. Right-click the relying party trust.

3. Click Edit Claim Rules.

   

4. Click Add Rule.

5. In the Claim rule template dropdown list, select “Send Group Membership as a Claim”.

6. Click Next.

7. In the Add Transform Claim Rule wizard, click Browse and select the SBAdmins security group.

8. Under Outgoing claim type, select Group.

9. In the Outgoing claim value edit box, enter the value “SBAdmins”.

   

Next, update the ADFS rule group in the Windows Azure portal.

1. Go to Rule Groups and click the existing ADFS rule group.

2. Under Rules, click the rule that grants Manage permissions.

3. Under Input Claim Type, select the claim type named “http://schemas.xmlsoap.org/claims/Group” from the dropdown list.

4. Under Input Claim Value, enter the value “SBAdmins”.

5. Click Save.

Now members of the SBAdmins security group have permission to create or delete Service Bus queues. Other users can send or listen, but cannot create or delete queues.

Build Date:

2013-04-18