Identifying the user / custom IP / configuring the federation at runtime


  • Tuesday, April 17, 2012 12:54 PM

    Hello everyone!

    I want to integrate authentication using Azure ACS in our Azure application. Currently we simply store a username/password combination in the database, authenticate with a WCF SOAP service using a UserNamePasswordValidator, and let the user fill in his credentials in a forms page inside our Silverlight application. But moving towards ASP.NET MVC 4 hosting, additional ASP.NET Web API services and the demand to offer single sign-on using the Active Directory, we see the urge to work on this.

    I already managed to get basic authentication working using some tutorials on the internet. I added the Azure ACS STS to my project, added our project as a Relying Party Application and added Live as an Identity Provider. Now I automatically get authenticated using my Live login, and I get an obscure identification value in the nameidentifier-claim. But from here I'm clueless and unsure how to go on. Ultimately we need to be able to use our existing created users in the database.

    First problem would be: How do I identify the users? So I got this cool unique nameidentifier. But how can I now connect this to my user? My first thoughts are to add a custom ClaimsAuthenticationManager. Here I retrieve the nameidentifier, look up in the database whether this nameidentifier is connected to any user (User 1:n NameIdentifier) and return a custom ClaimsPrincipal containing a data object with the user information. In order to connect the nameidentifier to a user, I'd always redirect to a special identification page, where the (with ACS) authenticated user can enter their application username and password, attaching the nameidentifier to the user. Is this a good approach, or are there any other suggestions?

    In addition to a Live / ADFS identity provider I'd need to offer a fallback solution, by letting the user just enter their username and password. Can I somehow do this just by having a form in my web application? Or do I need to write a new identity provider? For the second case, can I integrate this into my existing MVC 4 project? Information, suggestions and articles are most welcome!

    Due to special needs every customer has their own database and their own deployment. Some of them also have their own Active Directory, some not. Therefore I'd need to have different Relying Party Applications and different Identity Providers. But how would I set up which Relying Party Application this currently is? I obviously can't change the web.config at run time, so I need to have a way to set this up by code at run time. All customer related settings are stored in the ServiceConfiguration file.

    When I have multiple Identity Providers, does the user still authenticate automatically when he is logged in to any of those?

    At the end we want to use this authentication in our normal ASP.NET MVC 4 web project, in a legacy SOAP service, in an ASP.NET WebAPI, using normal MVC 4 applications, Silverlight (inside browser and out of browser), Windows Phone 7 and JavaScript clients.

    I hope someone can enlighten and help me a bit. :)

All Replies

  • Wednesday, April 18, 2012 4:01 AM
    Moderator

    Hi,

    According to your description, here I list the questions from you:

    About "First problem would be: How do I identify the users? So I got this cool unique nameidentifier. But how can I now connect this to my user?", I am not sure which authentication you want in the application, Windows Live or database. If you enable Windows Live as the identity provider in ACS, the customer will get a Windows Live token from the Live account and send it to ACS; ACS will check this token and give a response to users, and if the Live info is OK, the user can pass the authentication and log in. It's not related to the user table in the database. If you want to enable the database as the authentication method (perhaps you have a User table and store users' basic info, such as username/password), please try to create a custom identity provider and redirect the requests to your own STS; the STS will connect to the on-premise database to authenticate users. I think you do not need to combine Live ID authentication and traditional username/password authentication together.

    About "Can I somehow do this just having a formular in my web application? Or do I need to write a new identity provider?": Yes, please try to create your own Identity Provider and STS as I mentioned above.

    About "Some of them also have their own active directory, some not. Therefor I'd need to have different Relying Party Applications and different Identity Provider. But how would I set up which Relying Party Application this currently is?": If you have different Relying-Party applications and want to use the same Identity Provider, please add these identity providers to all the Relying-Party applications you want; if one RP has multiple identity providers, users can choose one of them for authentication.

    Please refer to these articles for more details:

    http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_WindowsAzureAndPassiveFederation2010

    http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSV2Federation

    About "At the end we want to use this authentication in our normal ASP.NET MVC 4 web project, in a legacy SOAP service, in a ASP.NET WebAPI, using normal MVC 4 applications, Silverlight (inside browser and out of browser), Windows Phone 7 and Javascript clients.": I think ACS can work with all of these clients.

    Hope this helps.


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

  • Wednesday, April 18, 2012 7:21 AM

    Hello Arwind,

    "I am not sure which authentication you want in the application, Windows Live or database. If you enable Windows Live as the identity provider in ACS, the customer will get a Windows Live token from the Live account and send it to ACS; ACS will check this token and give a response to users, and if the Live info is OK, the user can pass the authentication and log in. It's not related to the user table in the database. If you want to enable the database as the authentication method (perhaps you have a User table and store users' basic info, such as username/password), please try to create a custom identity provider and redirect the requests to your own STS; the STS will connect to the on-premise database to authenticate users. I think you do not need to combine Live ID authentication and traditional username/password authentication together."
    We have users stored in our database, and we need this database information throughout our service. So the ultimate fallback must be forms authentication. But the application is also used in the enterprise segment, where we want to offer single sign-on using the local Active Directory (using ADFS). But these Active Directory users must then be mapped to our database users, which is the point of my first question. Continuing the thought, it would be nice to offer additional authentication methods like Live or Google, so if a user is already authenticated with Live, he doesn't have to enter his credentials for our system anymore. But again here we need to connect these Live / Google accounts with our local database users.

    "Yes, please try to create your own Identity Provider and STS as I mentioned above."
    I have to create an STS too? Isn't Azure ACS the STS, that would use my IP?

    "If you have different Relying-Party applications and want to use the same Identity Provider, please add these identity providers to all the Relying-Party applications you want; if one RP has multiple identity providers, users can choose one of them for authentication."
    The question is how do I set up the used Relying-Party application using code? The web.config is always the same for every customer, only the ServiceConfiguration changes.

    I'd also like to clarify my question "When I have multiple Identity Providers, does the user still authenticate automatically when he is logged in to any of those?".
    When I offer multiple Identity Providers, and the user is already authenticated with Windows Live, does he still have to choose the identity provider he wants to use? If yes, is there a way to avoid this?

  • Wednesday, April 18, 2012 7:53 AM
    Moderator
     Answered

    Hello Martin,

    OK, I understand your question, you want to combine these two authentications together: Windows Live or Google are used to authenticate users, and the database authenticates user roles. I think you can set the Relying-Party application's Return Url to a special page; this page is used to get the GUID information (Windows Live account) or email address (Google account) and compare these with the database's information. If they match, let the user log in. If so, you do not need a custom identity provider and STS.

    To set up the Relying-Party application using code, please refer to the ACS management API; these APIs could help you create RPs or IDPs in the ACS portal via code. For more details please check:

    http://msdn.microsoft.com/en-us/library/windowsazure/hh278947.aspx

    http://msdn.microsoft.com/en-us/library/windowsazure/gg185917.aspx

    About "When I offer multiple Identity Providers, and the user is already authenticated with Windows Live, does he still have to choose the identity provider he wants to use? If yes, is there a way to avoid this?"

    No, if you have multiple identity providers and a user is authenticated by Windows Live already, he does not need to enter other IDPs; that's why I suggest you create a special page for the next authentication (user role authentication).

    Hope this helps.


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework
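The mapping step that the question (a custom ClaimsAuthenticationManager that looks up the nameidentifier) and the accepted reply (compare the token's GUID or email address with the database) both describe, as an added example that is not code from this thread. It assumes .NET 4.5 WIF (System.Security.Claims); IUserMappingStore, AppUser and the urn:example claim type are hypothetical names standing in for the application's own user table.

```csharp
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical wrapper around the application's User / NameIdentifier tables (User 1:n NameIdentifier).
public interface IUserMappingStore
{
    // Returns the linked application user, or null when the external identity has not been linked yet.
    AppUser FindByExternalIdentity(string identityProvider, string nameIdentifier);
}

public class AppUser
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public IList<string> Roles { get; set; }
}

public class MappingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim ACS adds to every token to say which identity provider (Live, Google, ADFS) issued it.
    const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    public const string AppUserIdClaim = "urn:example:appuserid"; // hypothetical, application-defined

    readonly IUserMappingStore _store;
    public MappingClaimsAuthenticationManager(IUserMappingStore store) { _store = store; }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        var identity = incoming.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return incoming; // anonymous: nothing to map

        // Key the lookup on the (identity provider, nameidentifier) pair: the nameidentifier value
        // is only unique within one provider, so the same value from two providers must not collide.
        Claim idp = identity.FindFirst(IdentityProviderClaim);
        Claim subject = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (idp == null || subject == null) return incoming;

        AppUser user = _store.FindByExternalIdentity(idp.Value, subject.Value);
        if (user == null)
            return incoming; // not linked yet: a filter requiring AppUserIdClaim sends the user to the linking page

        // Re-issue the identity with the application's own user id and roles added to the token claims.
        var appIdentity = new ClaimsIdentity(identity.Claims, identity.AuthenticationType);
        appIdentity.AddClaim(new Claim(AppUserIdClaim, user.Id.ToString()));
        appIdentity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        foreach (string role in user.Roles)
            appIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(appIdentity);
    }
}
```

Registering the manager under `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>` in web.config requires a parameterless constructor, so in that setup the store would be resolved inside the class rather than injected; the linking page itself should only create a row in the mapping table after the user has proven ownership of the application account with its own username and password.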