Employees in organizations usually use their organizational credentials to access internal systems. This makes it easy to manage users, roles and their access rights, and it is more secure than keeping separate credentials for each internal application. An Active Directory administrator can control every user's access centrally.
If the organization has offices in several locations and employees need to reach an application from all of them, one option is to host the application in the cloud. But in that case, where do we keep the user credentials? The answer is a cloud-hosted Active Directory.
Windows Azure Active Directory is an identity and access management service. It provides a robust set of capabilities for managing users and groups and helps to secure access to both on-premises and cloud applications. Single sign-on grants users access to cloud applications from Windows and other operating systems, including mobile devices. Directory users can be delegated important tasks such as resetting their own passwords.
Windows Azure AD can also be integrated with an on-premises AD to provide single sign-on for all cloud-based applications.
In the following article, we will go through the steps of creating an Active Directory and configuring single sign-on for an ASP.NET MVC application using organizational authentication.
Note: There is no source code with this article
Step 1: Go to the Windows Azure Management portal at http://manage.windowsazure.com. If you do not have a subscription, get a trial one. Log in to the portal with your Azure subscription and click the Active Directory link in the portal:
Step 2: The portal has a New button at the bottom. Click it and choose the options for creating an Active Directory, as shown in the following figure:
This step brings up a window where we can enter the Active Directory Name:
Enter the domain name, which will be suffixed with .onmicrosoft.com. This creates an Active Directory, which is then displayed in the Active Directory listing on the portal.
Step 3: Once the directory is created we can create users, groups and so on in it. Clicking the Active Directory name created in Step 2 brings up the Active Directory management page:
Click on Manage Access to create users.
Click on the Add a user link and fill in the user information:
After entering the user name, click the arrow at the bottom of the window. The next window lets you add the user's profile and role information:
This role will be used to manage access to the application. Each role carries its own set of permissions.
Global Administrator: has access to all administrative features. This role has the right to assign administrator roles to others.
Billing Administrator: can manage subscriptions, monitor service health, make purchases, etc.
Service Administrator: manages all services on the subscription.
User Administrator: can reset passwords, manage user accounts and user groups, monitor service health, etc.
Once the desired role is selected, click on the right arrow which brings up a window where you can provide a temporary password for the user.
When we click the Create button, the following window will be displayed with the password.
We can also choose to receive the password in plain text by email by entering an address in the SEND PASSWORD IN EMAIL textbox.
By following Step 3, we can create additional users for the application.
Configuring an ASP.NET MVC application for Single Sign-On using Active Directory
In this section we will use Visual Studio 2013 Community Edition to create an ASP.NET MVC application. VS 2013 provides the option to choose the authentication mode while creating an MVC project.
Step 1: Open VS2013 and create a new ASP.NET MVC application by selecting template as shown in the following figure:
As shown in the above figure, click on the Change Authentication button.
In this window select Organizational Accounts. Here we need to enter the Active Directory domain name we created in the previous section, with the Access Level set to Single Sign-On. The App ID URI is derived from the MVC application name we provided while creating the project.
Step 2: Once the project is created, open the application's web.config file and observe how the previous step has added the identityConfiguration section that points the application at the Active Directory:
```xml
<identityConfiguration>
  <issuerNameRegistry type="AppAD.Utils.DatabaseIssuerNameRegistry, AppAD" />
  <audienceUris>
    <add value="https://dncad.onmicrosoft.com/AppAD" />
  </audienceUris>
  <securityTokenHandlers>
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <certificateValidation certificateValidationMode="None" />
</identityConfiguration>
```
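The certificateValidationMode="None" setting above means WIF does not chain-validate the certificate that signed the incoming token; trust rests entirely on the class named in the issuerNameRegistry element, which must accept only the tenant's known signing keys and reject everything else. The C# class below is an added example, not the article's code and not the Visual Studio template's DatabaseIssuerNameRegistry; it shows the minimal form of that check by pinning signing-certificate thumbprints to an issuer name. The class name, the thumbprint and the tenant id in the issuer URL are placeholders.

```csharp
// Added example (not the article's or the template's code): an IssuerNameRegistry
// that accepts a token only if it was signed with a pinned X.509 certificate.
// With certificateValidationMode="None" this lookup is the trust decision.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;

namespace AppAD.Utils
{
    public class PinnedThumbprintIssuerNameRegistry : IssuerNameRegistry
    {
        // Accepted signing-certificate thumbprints (hex, case-insensitive) mapped to
        // the issuer name that the resulting claims will carry.
        // Placeholder values: take the real thumbprints from the tenant's
        // federation metadata, never from the token being validated.
        private static readonly IDictionary<string, string> TrustedKeys =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "0000000000000000000000000000000000000000",
                  "https://sts.windows.net/<tenant-id-placeholder>/" }
            };

        public override string GetIssuerName(SecurityToken securityToken)
        {
            // Azure AD signs SAML tokens with an X.509 key; anything else is refused.
            var x509Token = securityToken as X509SecurityToken;
            if (x509Token == null)
            {
                throw new SecurityTokenException("Token was not signed with an X.509 key.");
            }

            string thumbprint = x509Token.Certificate.Thumbprint;
            string issuerName;
            if (!string.IsNullOrEmpty(thumbprint) &&
                TrustedKeys.TryGetValue(thumbprint, out issuerName))
            {
                return issuerName;
            }

            // Unknown key: WIF treats the exception as a failed signature check.
            throw new SecurityTokenException("Untrusted token signing key: " + thumbprint);
        }
    }
}
```

To use it, point the issuerNameRegistry element at it: `<issuerNameRegistry type="AppAD.Utils.PinnedThumbprintIssuerNameRegistry, AppAD" />`. A static pin like this stops working when Azure AD rolls its signing key, which is why the template's DatabaseIssuerNameRegistry stores the thumbprints it reads from the tenant's federation metadata and refreshes them; a production registry needs the same refresh, but the acceptance rule stays the one shown here.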
The config file also registers the following HTTP modules for federation authentication:
```xml
<modules>
  <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
```
Step 3: Run the application.
Since this is the first login with the temporary password, the user must change it:
Once the password is changed, the user can successfully browse the application.
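After sign-in, the federation modules configured above present the user to the application as a ClaimsPrincipal built from the Azure AD token. The controller below is an added example, not the article's code: it uses [Authorize] so that anonymous requests are redirected to Azure AD, reads the user's name and object id from the claims, and checks the tenant id claim so that a token from some other directory is refused even if the issuer registry were later loosened. The expected tenant id is a placeholder; the claim type URIs are the ones Azure AD emits.

```csharp
// Added example (not the article's code). Assumes the web.config shown earlier,
// so that WSFederationAuthenticationModule has already signed the user in.
using System.Security.Claims;
using System.Web.Mvc;

namespace AppAD.Controllers
{
    // [Authorize] makes the federation module redirect anonymous requests to Azure AD.
    [Authorize]
    public class HomeController : Controller
    {
        // Claim types Azure AD places in the token for the issuing directory (tenant)
        // and for the user's directory object id.
        private const string TenantIdClaimType =
            "http://schemas.microsoft.com/identity/claims/tenantid";
        private const string ObjectIdClaimType =
            "http://schemas.microsoft.com/identity/claims/objectidentifier";

        // Placeholder: the id of the directory created in Step 2 of the first section.
        private const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";

        public ActionResult Index()
        {
            ClaimsPrincipal principal = ClaimsPrincipal.Current;

            // Defence in depth: the issuer registry should already reject tokens from
            // other directories, but checking the tenant claim here keeps that rule
            // visible in the application and survives a misconfigured registry.
            if (!IsFromExpectedTenant(principal))
            {
                return new HttpStatusCodeResult(403, "Signed-in user is not from the expected directory.");
            }

            ViewBag.UserName = GetClaimValue(principal, ClaimTypes.Name);
            ViewBag.ObjectId = GetClaimValue(principal, ObjectIdClaimType);
            return View();
        }

        // Returns true only when the token carries the expected tenant id claim.
        internal static bool IsFromExpectedTenant(ClaimsPrincipal principal)
        {
            string tenantId = GetClaimValue(principal, TenantIdClaimType);
            return tenantId != null && tenantId == ExpectedTenantId;
        }

        // Null-safe claim lookup; a missing claim yields null rather than an exception.
        private static string GetClaimValue(ClaimsPrincipal principal, string claimType)
        {
            Claim claim = principal == null ? null : principal.FindFirst(claimType);
            return claim == null ? null : claim.Value;
        }
    }
}
```

The tenant id to compare against is the directory's GUID, not the dncad.onmicrosoft.com domain name; the domain can be renamed or verified later, while the tenant id stays fixed for the life of the directory.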
Conclusion: Windows Azure Active Directory provides features for creating and managing users so that they can use single sign-on across various cloud-based applications. The advantage is that organizations can keep using Active Directory while giving their employees access to applications and services from Windows or other devices.