Securing ASP.NET MVC applications using Windows Azure Active Directory

Posted by: Mahesh Sabnis , on 4/27/2015, in Category Microsoft Azure
Views: 31274
Abstract: Create an active directory on Windows Azure and configure single sign-on for ASP.NET MVC applications using organizational authentication.

Employees in organizations usually use their organizational credentials to access internal systems. This approach makes it easy to manage users, roles and their access rights, and is more secure than having separate credentials for each internal application. An active directory administrator can control the access of each user centrally.

If the organization has offices across various locations and employees need to access an application across locations, then one way out is to have the application on the cloud. But in this case, how do we store User credentials on the cloud? The solution is to have a Cloud Active Directory.

Windows Azure Active Directory is a solution for providing identity and access management. It provides a robust set of capabilities for managing users and groups and helps to secure access to on-premises and cloud applications. Single sign-on is used to grant the user access to cloud applications from Windows and other operating systems, including devices. Routine tasks such as password resets can be delegated to users of the directory.

Windows Azure AD can be extended to integrate with on-premises AD for providing single sign-on for all cloud based applications.

In the following article, we will go through the steps of creating an active directory and configuring single sign-on for ASP.NET MVC applications using organizational authentication.

Note: There is no source code with this article

Step 1: Go to the Windows Azure Management portal using http://manage.windowsazure.com. If you do not have a subscription, get a trial one. Using your Azure subscription, log in to the portal. Click on the Active Directory link at the portal:

azure-active-directory

Step 2: The portal has a New button at the bottom. Click on it to select options for creating Active Directory as shown in the following figure:

create-active-dir

This step brings up a window where we can enter the Active Directory Name:

active-directory-add

Enter the domain name which will be appended with .onmicrosoft.com. This creates an Active Directory which will be displayed in the Active Directory listing on the portal.

Step 3: Once the directory is created we can create users, groups etc. on it. Clicking on the active directory name created in Step 2 will bring up the Active Directory management page:

azure-active-manage

Click on Manage Access to create users.

adduser

Click on the Add a user link and fill in the user information:

user1

After entering User Name, click on the arrow at the bottom of the window. The next window will help to add the user profile and the Role information of the user:

user1_1

This Role will be used to manage the application access. Each role has its own features.

Global Administrator: has access to all administrative features. This role has rights to assign administrator roles.

Billing Administrator: has privileges to manage the subscription, monitor service health, make purchases etc.

Service Administrator: manages all services on the subscription.

User Administrator: can reset passwords, manage user accounts and user groups, monitor service health, etc.

Once the desired role is selected, click on the right arrow which brings up a window where you can provide a temporary password for the user.

user1_2

When we click the Create button, the following window will be displayed with the password.

user1_3

We can also choose to receive the password in plain text by entering an email address in the SEND PASSWORD IN EMAIL textbox.

By following Step 3, we can create additional users for the application.

Configuring ASP.NET MVC application for Single Sign-On using Active Directory

In this section we will be using Visual Studio 2013 Community Edition to create an ASP.NET MVC application. VS 2013 provides the option for defining Authentication while creating an MVC project.

Step 1: Open VS2013 and create a new ASP.NET MVC application by selecting template as shown in the following figure:

project

As shown in the above figure, click on the Change Authentication button.

sso

In this window select Organizational Accounts. Here we need to enter the Active Directory domain name we have created in our previous section along with the Access Level set as Single Sign-On. This selects the App ID URI based on the MVC Application name we provided while creating the MVC project.

Step 2: Once the project is created, open the web.config file of the application and observe how the previous step has added the identityConfiguration that makes the Active Directory the token issuer for the application:

<system.identityModel>
  <identityConfiguration>
    <!-- Generated class that decides which token issuers (and signing certificate thumbprints) are trusted -->
    <issuerNameRegistry type="AppAD.Utils.DatabaseIssuerNameRegistry, AppAD" />
    <!-- App ID URI chosen in Step 1: a token issued for any other audience is rejected -->
    <audienceUris>
      <add value="https://dncad.onmicrosoft.com/AppAD" />
    </audienceUris>
    <!-- Session cookie protected with the ASP.NET machineKey instead of DPAPI, so it also works on a web farm -->
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
    <!-- X.509 chain validation of the token signing certificate is off; trust rests on the issuerNameRegistry above -->
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>

The config file adds the following modules for Federation Authentication:

<system.webServer>
  <modules>
    <!-- Redirects unauthenticated requests to Azure AD and processes the signed token posted back -->
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <!-- Keeps the signed-in user in a protected session cookie so the token is not re-validated on every request -->
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>

Step 3: Run the application.

signin

Since this is a first time login using the temporary password, the user needs to change the password:

change-pwd

Once the password is changed, the user can successfully browse the application.
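As an added example that is not part of the article or the Visual Studio template, the C# below shows what the application can do with the identity the session now carries: an authorization filter that, in addition to the issuer and audience checks the configuration performs, pins each request to the expected tenantid claim, and a controller protected by it. The namespace, the attribute name and the TENANT-ID-PLACEHOLDER value are assumptions; the claim type URI is the standard one Azure AD places in its tokens.

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
namespace AppAD.Security   // assumed namespace, not from the article
{
    // Admits only sessions whose token came from our own directory. The
    // audienceUris entry in web.config proves the token was minted for this
    // app; the tenantid claim proves which Azure AD tenant issued it.
    public class RequireTenantAttribute : AuthorizeAttribute
    {
        // Standard claim type URI that Azure AD places in the token.
        private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
        private readonly string _expectedTenantId;
        public RequireTenantAttribute(string expectedTenantId)
        {
            _expectedTenantId = expectedTenantId;
        }
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (!base.AuthorizeCore(httpContext)) return false;   // not signed in at all
            var principal = httpContext.User as ClaimsPrincipal;
            if (principal == null) return false;
            Claim tenant = principal.FindFirst(TenantIdClaim);
            return tenant != null
                && string.Equals(tenant.Value, _expectedTenantId, StringComparison.OrdinalIgnoreCase);
        }
        // A signed-in user from the wrong tenant gets 403 rather than 401: a 401
        // would make WSFederationAuthenticationModule redirect to sign-in again.
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
                filterContext.Result = new HttpStatusCodeResult(403);
            else
                base.HandleUnauthorizedRequest(filterContext);
        }
    }
    // TENANT-ID-PLACEHOLDER stands for the directory ID shown in the Azure portal.
    [RequireTenant("TENANT-ID-PLACEHOLDER")]
    public class ProfileController : Controller
    {
        public ActionResult Index()
        {
            // Identity.Name is the name claim from the token (the user's UPN).
            ViewBag.UserName = User.Identity.Name;
            return View();
        }
    }
}
```

Other claims Azure AD issues (given name, surname, object identifier) can be read the same way through ClaimsPrincipal.FindFirst.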

single-signon-login

Conclusion: Windows Azure Active Directory provides features for creating and managing users so that they can use single sign-on across various cloud based applications. The advantage here is that organizations can use Active Directory and provide application and service access to their employees from Windows or devices.

This article has been editorially reviewed by Suprotim Agarwal.


Author
Mahesh Sabnis is a DotNetCurry author and a Microsoft MVP having over two decades of experience in IT education and development. He is a Microsoft Certified Trainer (MCT) since 2005 and has conducted various Corporate Training programs for .NET Technologies (all versions), and Front-end technologies like Angular and React. Follow him on twitter @maheshdotnet or connect with him on LinkedIn


Feedback - Leave us some adulation, criticism and everything in between!
Comment posted by Mike on Friday, May 29, 2015 4:36 PM
Thanks, good article. I'd like to find out some more details about the logged in user within the web app. For example, their role, or any info from the various fields within the Azure AD user edit (i.e. Profile, Work Info tabs).
Any tips on how I can access these fields to add features to my web app?

Thanks again for the nice post!