
Azure Access Control – Authenticating with Google Account

3 Oct 2011 · CPOL
Access Control provides an easy way to provide identity and access control to web applications and services, while integrating with standards-based identity providers, including enterprise directories such as Active Directory, and web identities such as Windows Live ID, Google, Yahoo! and Facebook.

Introduction

Most web applications require some form of authentication, which can be custom or based on an existing web identity. Here we authenticate a cloud application using existing Google accounts, so anyone who has a Google account can log in to the cloud application. We need to perform the following steps to complete this sample application.

Step1: Create a service namespace for AppFabric in Azure portal

Step2: Configure ACS (Access Control Services) for Google account relay service

Step3: Create a Cloud project with a Web Role

Step4: Configuring Access Control Services (ACS)

Step5: Configuring the application to use ACS with Federation Authentication 

Step6: Test the application locally 

Step7: Modifying the existing application to deploy into Azure portal

Step8: Modifying the ACS portal settings for production environment 

Step9: Publish the cloud application into Azure portal

Step10: Run the cloud application using DNS URL of the production deployment

Step1: Create a service namespace for AppFabric in Azure portal

Log in to the Azure portal with a valid Windows Live ID that has an Azure subscription. From the "Hosted Services, Storage Accounts & CDN" section, select AppFabric and click the "New" button in the top menu.

Image1.gif

In the popup screen, enter a unique namespace (ex: appfabricbyraj), select the Access Control, Service Bus and Cache services, and set the other properties.

Image2.gif

Verify the namespace created for Access Control.

Image3.gif

Step2: Configure ACS (Access Control Services) for Google account relay service

Select the namespace for Access Control and click the "Access Control Service" button in the top menu. This redirects to the Access Control Service Portal.

Image4.gif

Access Control Services Home Page:

Image5.gif

Select Identity providers, and click on "Add" button

Image6.gif

Select the Google option from the screen

Image7.gif

Navigate to the next screen, leave the default settings, and click the Save button. Verify that the Google identity provider has been added in the ACS portal.

Image8.gif

Step3: Create a Cloud project with a Web Role

After creating the cloud application, Solution Explorer will look like the following image.

Image9.gif

Run the application locally without any changes and copy the URL (here it is: http://127.0.0.1:81/ )

Image10.gif

Step4: Configuring Access Control Services (ACS)

Come back to ACS portal and select "Relying party applications" and click on "Add" button.

Image11.gif

In "Add Relying Party Applications", enter a name (ex: raj azure web application) and enter the previously copied local application URL http://127.0.0.1:81/ in the "Realm" and "Return URL" fields.

Image12.gif

Keep the remaining settings as they are, click the Save button, and verify that the newly created application appears under "Relying Party Applications".

Image13.gif

Now open "Rule Groups" and click on "Rule Groups" link to edit.

Image14.gif

From the Edit Rule Group page, click on Generate button to generate the Rules.

Image15.gif

Select Google account and finally click on save button to update the changes

Image16.gif

After the rules have been generated, verify the status.

Image17.gif

Now copy the WS-Federation Metadata URL from "Application integration" section for future configuration purpose

Image18.gif

Step5: Configuring the application to use ACS with Federation Authentication  

Windows Identity Foundation (WIF) helps .NET developers build claims-aware applications that externalize user authentication from the application, improving developer productivity, enhancing application security, and enabling interoperability.   

Download and install the “Windows Identity Foundation Runtime” and “SDK” from the following URLs. Skip this step if they are already installed on your machine.

Windows Identity Foundation Runtime 

Windows Identity Foundation SDK

Open the Cloud application and "Add STS reference" for WebRole1 project. It opens the Federation Utility wizard.

Image19.gif

In the Federation Utility wizard enter the local application URL http://127.0.0.1:81/ and ignore the warning message.

Image20.gif

Now select the option "Use an existing STS" and paste the Federation Metadata URL that was copied at the end of step 4. The URL will look like the following:

https://appfabricbyraj.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml

Image21.gif

From the wizard leave the remaining default settings and finish the wizard.

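Now change the Web.config file by adding the element <httpRuntime requestValidationMode="2.0" /> just above the <authorization> element. This is needed because the sign-in response posted back by ACS carries the token as XML, which the default ASP.NET 4 request validation would reject.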

Web.config:

    <!-- Only add the httpRuntime element -->
    <httpRuntime requestValidationMode="2.0"/>

    <authorization>
      <deny users="?" />
    </authorization>

...

Step6: Test the application locally

Run the application locally. The page redirects to the authorization page, and after successful authentication with the "Google" account option, it redirects to the actual home page of the cloud application.

Image22.gif

Google Account Login Page:

Image23.gif

Click on Allow button:

Image24.gif

Local Application Home Page:

Image25.gif

Step7: Modifying the existing application to deploy into Azure portal

Add a reference to "Microsoft.IdentityModel" in the WebRole1 project and open the properties of that component.

Image26.gif

Change the property settings for "Copy Local" to true and "Specific Version" to false

Image27.gif

Replace the local URL (http://127.0.0.1:81/) with the production URL in the web.config file. The production URL must be in the following format.

URL: <http/https>://<Production DNS>.cloudapp.net/

Ex: http://azurebyraj.cloudapp.net/

We can get the production DNS name from the Azure portal, under the hosted service's properties.

Image28.gif

Image29.gif

Web.config:

<audienceUris>
    <!--<add value="http://127.0.0.1:81/" />-->
    <add value="http://azurebyraj.cloudapp.net/" />
</audienceUris>

<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://appfabricbyraj.accesscontrol.windows.net/v2/wsfederation"
            realm="http://azurebyraj.cloudapp.net/" requireHttps="false" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>
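
As an added example (not part of the original article), the following Python sketch audits the WIF settings shown above: it checks that the realm is listed in audienceUris and flags values carried over from development (http URLs, requireHttps="false", requireSsl="false", a leftover loopback address). The function name and finding codes are hypothetical, and the embedded Web.config is a constructed sample based on the article's values. A clean result assumes the hosted service exposes an HTTPS endpoint and that the ACS realm and return URL are updated to match.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample based on the article's production Web.config values.
SAMPLE_CONFIG = """<configuration><microsoft.identityModel><service>
  <audienceUris>
    <!--<add value="http://127.0.0.1:81/" />-->
    <add value="http://azurebyraj.cloudapp.net/" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true"
        issuer="https://appfabricbyraj.accesscontrol.windows.net/v2/wsfederation"
        realm="http://azurebyraj.cloudapp.net/" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
</service></microsoft.identityModel></configuration>"""

def audit_wif_config(xml_text):
    """Return sorted finding codes (hypothetical names) for a WIF Web.config."""
    root = ET.fromstring(xml_text)  # XML comments are ignored by the parser
    ws = root.find(".//federatedAuthentication/wsFederation")
    if ws is None:
        return ["NO_WSFEDERATION_ELEMENT"]
    cookie = root.find(".//federatedAuthentication/cookieHandler")
    audiences = [a.get("value", "") for a in root.findall(".//audienceUris/add")]
    realm = ws.get("realm", "")
    findings = set()
    # Tokens issued for the realm are rejected unless it is an allowed audience.
    if realm not in audiences:
        findings.add("REALM_NOT_IN_AUDIENCE_URIS")
    for url in audiences + [realm, ws.get("issuer", "")]:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.add("NON_HTTPS_URL")
        if parsed.hostname in ("127.0.0.1", "localhost"):
            findings.add("LOOPBACK_URL_LEFT_IN_CONFIG")
    # Assumption: the audit wants both flags set to "true" explicitly.
    if ws.get("requireHttps", "").lower() != "true":
        findings.add("REQUIRE_HTTPS_DISABLED")
    if cookie is None or cookie.get("requireSsl", "").lower() != "true":
        findings.add("COOKIE_NOT_SSL_ONLY")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_wif_config(SAMPLE_CONFIG))
```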

Step8: Modifying the ACS portal settings for production environment 

Navigate to the ACS portal, edit the "Relying party applications" section with the production URL, and save the changes.

Image30.gif

Image31.gif

Step9: Publish the cloud application into Azure portal

Create the packages from Visual Studio 2010 and upload them to the Azure portal. To learn how to publish the cloud project, refer to an article such as "Create and Deploy Windows Azure Application".

Note: Here I used the production deployment because it has a fixed DNS name, whereas a staging deployment generates a GUID prefix, which makes configuring the URL troublesome.

Image32.gif

Verify the application URL using application properties

Image33.gif

Step10: Run the cloud application using DNS URL of the Azure portal

The application automatically redirects to Google Account Home Page 

Image34.gif

Enter the Google account credentials; we can use Gmail credentials here.

Image35.gif

Verify the application running from Azure portal

Image36.gif

Reference 

Based on the article from MSDN.

History

Initial draft

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)