ADFS 2.0 By Example – Part2: ADFS and ACS

Table of Contents

  • ADFS and Azure Access Control Service
  • ADFS and Azure Access Control Service

    Part 1 of this article is posted here

    What is ACS?

    Azure Access Control Service (ACS) plays two roles; it is used to authorize access to the Azure Service Bus and Caching, and it also serves as a Federation Provider (R-STS) for your applications on the cloud.

    In the context of this article, I am concerned with the second role: how ACS serves as an R-STS.

    The below sketch shows the conceptual model of ACS in action:

    Just as ADFS was your R-STS (or IP-STS depensing on the context) on premise, ACS is your R-STS on the cloud.

    Note that ADFS is itself one kind of providers that can be trusted by ACS; this will be shows in a separate section.

    ASP.NET and ACS

    In this example, I will show you how to outsource authentication of your ASP.NET application to ACS.

    Step1: Create a Service Bus namespace and get the Access Key

    Navigate to your Azure portal and create a namespace:

    Click on Access Key and copy the Default Key value:

    Step2: Add Identity Providers in the ACS Portal

    The ACS portal address can be reached using the following format:
    So in my case it will be:

    Click on Identity Providers and Click Add:

    As you can see, Windows Live ID is a default IP for ACS. In the next screen you will get to add the IPs that you want. You can add other IPs such as Google and Yahoo! (who rely on OpenID), Facebook (which provides authentication via its Graph API and authorization using OAuth 2.0), and any WS-Federation IP one of which is ADFS. In this case add Google (ADFS will wait for the next section):

    Step3: Create an ASP.NET application in VS 2012

    The steps are the same regardless of whether you are using an MVC or Web Forms application. I will use web forms and will call my application:

    Next right click on the project and fire the good old Identity and Access wizard. Here are the familiar 3 options:

    Note: the approach I am following now will automatically configure the RP in ACS. Another approach is to select “Use a business identity provider (e.g. ADFS2)” in which case you will have to get the federation metadata file URL of ACS from the Application Integration option in ACS portal.

    Once the wizard is completed, the application will be configured as a trusted RP for ACS; as always you can check the updates in web.config and the newly created file \FederationMetadata\2007-06\FederationMetadata.xml.

    Step4: Check ACS configuration

    In the ACS portal click Relying party applications and you will see that the RP is automatically configured via the wizard you ran at step3.

    Next click on Rule groups. Rule groups are the set of rules that ACS shall apply on claims coming from IPs; these rules can transform, copy, and insert additional claims. You can think of Rule groups as the equivalent to claims engine of ADFS in the context of claim manipulation. The default Rule group generated just passes through the claims offered by Live ID and Google to the RP:

    Step5: Run the RP

    Browse to http://localhost/TestACS. You will be presented with the home realm page to select which IP you want to authenticate with:

    Assuming you selected Google, ACS will just pass through Google claims and hand them to your application in a SAML 2.0 token that it trusts (review “What is ACS section?” for a description of the full interaction). Here is the final page:

    Note that each provider issue by default a set of claims; of these claims offered by Google are the nameidentifier and name claims, which is how the RP (actually WIF at the RP) managed to identify my name in the welcome message.

    ACS and ADFS

    In this section, we’ll use ADFS as an IP for ACS.

    Step1: Grab the FederationMetadata.xml file of ADFS

    Since ADFS is installed on my local network, ACS cannot extract ADFS metadata via a URL so we need to give ACS the metadata file in order to set up WS-Federation. Open https://win2012.lab.local/FederationMetadata/2007-06/FederationMetadata.xml in the browser, and save the result XML in a file.

    Step2: Add ADFS as an IP for ACS

    We will continue using the same service bus namespace we used before. So again navigate to

    Add a new Identity Provider and select ADFS:

    Next, you supply the federation metadata XML file you saved in step1:

    Note that we will use the same TestACS application we used in section “ASP.NET and ADFS”.

    Step3: Add ACS as a trusted relying party for ADFS

    As you should know by now, ADFS is an IP for ACS, which makes ACS an RP for ADFS (if that did not make sense, then I failed horribly in this non-ending publication :)).

    So back to ADFS management console and establish a relying party trust with ACS:

    Step4: Configure claim rules

    Now we configure which claims we want ADFS to pass to ACS. For this sample I will simply pass over Active Directory UPN and Email address as claims:

    Step5: Configure Rule Groups for ACS

    Recall that ACS uses Rule Groups to set how claims are passed over to relying applications (ASP.NET application), so we need to configure Rule Groups to handle the new claims to be sent from the new IP (ADFS) the same way we did to handle claims from Live ID and Google.

    So back to ACS portal, and go to the Rule Group we created before for the TestACS application:

    As you can see we already have the rules Live ID and Google from the previous excersice. Now click on Generate and add the claims for the new ADFS IP:

    Now do not get scared! I know that when we configured Claim Rules in ADFS we only configured Email Address and UPN, so what are all these claims? These are all the claims configured for ADFS, but not necessarily all what ACS will get from ADFS. We have told ADFS to pass Email and UPN (the above claims list is a grid with paging, UPN is on another page), and that is what ACS will get.
    Can you see our good old “birthplace” claim? This is the claim we configured long time ago using a SQL Attribute Store, see how it appears here; it’s all adding up, isn’t it?

    Step6: Running the application

    Finally we’re ready to re-run TestACS on localhost and see how the ADFS has been added as an authentication option via ACS.

    First, re-run the Identity and Access wizard to get the updated metadata from ACS, this metadata now shows the new IP:

    Now browse to http://localhost/TestADFS. ACS will give you the new IP as a login option:

    Select “Login using ADFS” and you will find yourself back into ADFS domain to login (recall one more time that we customized this page in a previous demo and we are using forms authentication instead of integrated windows):

    After you login, you will be redirected back to localhost as a logged in user.


    2 thoughts on “ADFS 2.0 By Example – Part2: ADFS and ACS

    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s