I want to use ACS as a STS for the service bus. I've managed to use ACS for authentication for a web service. However, the service bus requires a token and I don't know how to retrieve such from the ACS?
In short, I want my client services to be able to use the service bus by authenticating with certificates that matches certificates stored as service identities in the acs (the one corresponding to the service bus -sb).
Also, I'm using NetTcpRelayBinding for the Service Bus.
The tokens you mentioned can be created using the SBAzTool available on code.msdn.microsoft.com: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93 With this tool you can add extra 'accounts' with token next to the default 'owner'. Now this will work if you use tokens, but I doubt this will help you in using the certificates for authentication.
You might also want to take a look at Clemens' talk a few months ago, he explains in detail how you can start securing your SB with ACS: http://channel9.msdn.com/posts/Securing-Service-Bus-with-ACS
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
Thanks Sandrino for your quick response. However, I've succeeded adding service identities that uses symmetric keys. The problem is certificates. I can create new service identities in acs that uses certificate credentials and use those to authenticate client before using a web service. But I've been unable to authenticate before using the service bus.
What am I missing here...
As far as i know, if you want to add ACS with ServiceBus sample, please add certificate to ACS management portal, refer to the following article for more details:
Then you can check the sample that provided by Azure Team Blog:
Hope it helps.
Thanks Arwind! That helped and I've now managed to retrieve a SAML token from the ACS using client certificate! Next problem is that I get unauthorized error when trying to use the retrieved SAML as credentials for the service bus. And, yes, the service bus is set to use SAML 2.0 as credentials. Maybe I wrongly assume that I can use the retrieved token as credential to the service bus?
Exception when trying to connect to service bus with saml token:
"The token provider was unable to provide a security token while accessing 'https://XXXX-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'Error:Code:401:SubCode:T0:Detail::TraceID:01815c06-97c5-4a02-b0af-9fcf3e49075b:TimeStamp:2012-03-22 13:08:41Z'."
With inner exception: "The remote server returned an error: (401) Unauthorized."
To get the token from ACS I modified this sample:
Two good sources of information:
Service Bus is automatically paired with the ACS namespace and expects SWT tokens. You can only work with the -sb namespace to set up federation for now and the -sb namespace in ACS already has the correct baseline setup with SWT tokens.
- Disarankan sebagai Jawaban oleh clemensv 22 Maret 2012 18:35
Yes, I reached a solution together with MS support. Primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB. Instead, I create a token by myself and and use that to connect to the SB. Basically, I created a SAML token and signed it with my certificate.
Let me know if you need code sample.
Thanks for your response. I solved the issue by following code from acs\WebServices\Acs2CertificateBindingSample folder which downloadable from http://acs.codeplex.com/.
But if you find time, Pls send me the code. I am interested to get to know the way you solved.
I know this does not have anything in particular to do with Jimmy Carslon's issue but I was getting the same error, it turns out changing my app.config and rebuilding an repackaging azure does not update the configuration files for azure which was what my app was running from.
So if you ever change your issuer secret in app.config check these changes are applied to the azure config files
Hi Jimmy - I'm looking at exactly the same scenario as you were. Namely, I have an on-premises application that has a X.509 client certificate that I'd like to use as credentials to authenticate and use the Service Bus Relay to publish a WCF service's endpoint via NetTcpRelayBinding.
As I understand it, the steps you took were:
1. Added a Service Identity in the Service Bus's buddy -sb namespace and added the X.509 certificate (i.e., .cer) to it.
2. Created a SAML 2 token, signed it with the X.509 certificate's private key and attached the signed SAML token to the TokenProvider before registering the WCF service with the Service Bus. I assume the SAML token had the appropriate set of Service Bus claims added to it (e.g., net.windows.servicebus.action = Listen)?
Would it be possible to get a code sample to show how you did this? Many thanks in advance for your help and advice.
- Diedit oleh Neville J. Parakh 07 Desember 2012 23:44
"Primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB."
This is interesting, because the SB endpoint would behave like an ordinary https endpoint with client certificate authentication. I'm very interested in this scenario and would like to see the code.
So far, I've only seen clients which were specifically designed to use the Service Bus bindings.