Does ACS support Live Id active mode in March CTP?
- I have read that Dec2008 CTP didn't support it. Does new CTP implement this feature?
More specifically, my question is related to Service Bus. I want to filter requests by WLID claim.
All Replies
- Hello, you can refer to http://social.msdn.microsoft.com/Forums/en-US/netservices/thread/75f8af65-6a6b-4832-b6c4-d2f050b5a08e for a sample on how to use Geneva, Live ID, and ACS together.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
- Several people confirmed that you don't have access to the certificate store in Azure (nor to loading .pfx files) - how is this sample you posted supposed to work then???
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Well, I think the OP didn't mention he's hosting the service in Windows Azure... Yes, currently ACS doesn't work fine with Windows Azure. The teams are working together to see if we can support this scenario in the future.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
- Yes you are right - my fault.
What the OP mentioned is Live ID via WS-Trust. Is that supported now?
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Actually Live ID has supported WS-Trust for a while. But without a framework, you have to manually construct the SOAP envelope, which takes a lot of work. See http://social.msdn.microsoft.com/Forums/en-US/liveframework/thread/f386176c-7a73-4a94-972c-becb8ff75bde/ for more information.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
- Actually, I was asking about a slightly different thing. In the link you have provided, ACS with Live Id is used in passive, WS-Security mode. My intention is to use ACS with Live Id in active, WS-Trust mode.
I have tried to experiment with ACS and Live Id using WS-Trust and my experiment failed. In my opinion, the reason is that Live Id supports only WS-Trust Feb2005, and ACS supports only WS-Trust 1.3. However, using ACS to convert tokens from other 1.3 compatible issuers works fine.
Here is a description of my experiments:
1) username -> Live Id token -> ACS token
- I use WSTrustClient from Geneva to make a request to Live Id token and use http://solutionname.accesscontrol.windows.net/issued_for_certificate in appliesTo.
- Live Id returns Feb2005 token
- I use WSTrustClient to submit this token to ACS and use http://solutionname.accesscontrol.windows.net/issued_for_certificate as an issuer.
- ACS returns an error, stating that security validation of the message failed.
- I use WSTrustClient from Geneva to make a request to ACS token and use http://solutionname.accesscontrol.windows.net/issued_for_certificate in appliesTo.
- ACS returns 1.3 token
- I use WSTrustClient to submit this token to ACS and use http://solutionname.accesscontrol.windows.net/issued_for_certificate as an issuer.
- ACS converts this token successfully and returns a new token
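
One way to check the version mismatch suspected in the post above is to look at the namespace of the RST/RSTR elements in a captured message, since each WS-Trust revision uses its own namespace URI. This is an added example, not code from the thread or from Geneva; the function names are hypothetical and the sample envelopes are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace URI that identifies each WS-Trust revision on the wire.
WS_TRUST_VERSIONS = {
    "http://schemas.xmlsoap.org/ws/2005/02/trust": "WS-Trust Feb2005",
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512": "WS-Trust 1.3",
}
TRUST_ELEMENTS = {"RequestSecurityToken", "RequestSecurityTokenResponse",
                  "RequestSecurityTokenResponseCollection"}


def trust_versions(soap_xml):
    """Return the WS-Trust versions used by RST/RSTR elements in a message."""
    found = set()
    for elem in ET.fromstring(soap_xml).iter():
        if not elem.tag.startswith("{"):
            continue  # element without a namespace
        ns, _, local = elem.tag[1:].partition("}")
        if local in TRUST_ELEMENTS:
            found.add(WS_TRUST_VERSIONS.get(ns, "unknown (" + ns + ")"))
    return found


def check_handoff(issuer_response, sts_accepts):
    """Compare an issuer's response with the versions the next STS accepts."""
    got = trust_versions(issuer_response)
    if not got:
        return "no WS-Trust element found"
    rejected = got - set(sts_accepts)
    if rejected:
        return "mismatch: issuer sent " + ", ".join(sorted(rejected))
    return "compatible"


# Constructed sample envelopes (token bodies omitted), not captured traffic.
ENVELOPE = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
            '<s:Body><t:%s xmlns:t="%s">%s</t:%s></s:Body></s:Envelope>')
RSTR_2005 = ENVELOPE % ("RequestSecurityTokenResponse",
                        "http://schemas.xmlsoap.org/ws/2005/02/trust", "",
                        "RequestSecurityTokenResponse")
RSTR_13 = ENVELOPE % ("RequestSecurityTokenResponseCollection",
                      "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
                      "<t:RequestSecurityTokenResponse/>",
                      "RequestSecurityTokenResponseCollection")

if __name__ == "__main__":
    print(check_handoff(RSTR_2005, ["WS-Trust 1.3"]))
    print(check_handoff(RSTR_13, ["WS-Trust 1.3"]))
```

The list passed as `sts_accepts` is supplied by the caller; here it reflects the thread's statement that ACS accepts only WS-Trust 1.3.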
- Dominick,
The problem with certificate can be solved, however, not in a very elegant way. You either can build a certificate (with private key) from a hardcoded string, or from a file with certificate linked to the project. There are some other problems with cookies, but they can be solved too.
You can look at the possible solution on Matias Woloski's blog (with code sample inside). Unfortunately, this link doesn't work at the moment for some reason, but you can search for Windows Azure working with Geneva Framework and find cached results.
- Well - that's what I tried. See also here:
http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/44281721-dc67-4cd0-8ec3-397966e03812/
Have you tried Matias' approach (actually on Azure - not in the dev fabric)?
Dominick Baier | thinktecture | http://www.leastprivilege.com
- I have tried to load certificates from hardcoded strings and it worked fine. Unfortunately, I haven't tried this on Azure yet, but at the moment I don't see any reason why it should not work.
By the way, I have seen in your blog that you played with federating with ACS. Have you had a chance to use Live Id as an identity provider for ACS?
- Well it doesn't (at least not with the certs I tried). Maybe there is a reason Matias' post is gone.
ACS: yes.
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Interesting... I'll try it myself and report my results a bit later.
What about ACS and LiveId, can you clarify how you overcame this WS-Trust version mismatch? It would be great if you could share sample code of this LiveId-ACS integration.
- Well, regarding the certificate, it seems you are right. "The system cannot find the file specified", even if I am reading from xml string.
P.S. The question about ACS and Live Id integration in active mode is still open.
- McSimm, did your question regarding ACS and Live Id integration in active mode ever get resolved? Did you find a workaround?
Thanks
- Hi Joe,
Unfortunately, not yet. I have found a workaround for my particular problem but it is not related to Live Id and ACS at the moment.


