Access Control Service Sample v3
In a previous post, I wrote about a very simple Access Control Service example that I assembled during our investigation of ACS and the cloud in general. The sample uses the Application_AuthenticateRequest event in global.asax to validate the security using the Geneva framework.
In a follow up post, I modified the example to require no code by using the Geneva provider and the standard ASP.NET authorize configuration.
In this example, I am going to show a couple of different ways to implement an Admin role using ASP.NET and the Geneva provider.
After you get the second sample running correctly, add the following to the end of the web.config file just before the configuration close tag.
<deny users ="*" />
<allow roles ="Admin" />
This config param overrides the main authorization config and restricts access to all files in the admin folder to users in the admin role.
To test this, create a new folder named Admin. Copy Page2.aspx and past into the admin folder. Rename Page2.aspx to default.aspx (in the Admin folder).
Now you need to add your user id to the admin role. There are a few different ways to do this. One way, which *should* work (in other words, I haven't tested it) is to create an ASP.NET role provider, create the Admin role, and add your Live ID to the Admin role.
Geneva also provides a way to achieve this. Paste the following code into global.asax.cs:
WSFederationAuthenticationModule_SessionSecurityTokenCreated(Object sender, SessionSecurityTokenCreatedEventArgs e)
IClaimsIdentity id = (IClaimsIdentity)e.SessionToken.ClaimsPrincipal.Identity;
if (id != null && id.IsAuthenticated && id.Name.EndsWith("@microsoft.com", StringComparison.OrdinalIgnoreCase))
The SessionSecurityTokenCreated event is a new Geneva event that gets called when the token is first created. This code checks a condition - in this case, that the Live ID email is in the microsoft.com domain - and, adds the user to the Admin role if appropriate. Make sure to modify the if condition so that it returns the correct value.
Geneva handles everything from there, including storing the claim in the cookie so that it gets passed from page to page. This allows the developer to simply use the IsInRole() method to determine if a user is in a particular role. ASP.NET uses this method under the covers to authorize access to pages based on the authorization configured in web.config.
Once Active Directory domains get federated with Live ID (or if you use this code to call a different STS), you will get additional claims from the STS. In AD's case, you will get some Group membership claims. It is very simple within the event to map the Group claims to Role claims. This will allow the web developer to use the familiar IsInRole() method vs. having to check the claims.
Using ACS to manage roles
Another way to accomplish this is to use Access Control Service to provide role membership information. When you go to the ACS section on the Azure Services Platform portal, you need to click the Advanced button and the localhost Scope URI so that you can configure roles.
Once on the advanced scope management page, click the Claim Types "tab". You will notice several claim types defined, including UserName, Windows Live ID, Group, etc.
One option is to add users to an Admin group and then use code in the SessionSecurityTokenCreated event to add the user to the role that each group represents.
Another option is to add a Role claim type to ACS. To do this, click the Add Claim Types button.
On the Add Claim Types page, enter Role into the Display Name input box and enter http://schemas.microsoft.com/ws/2008/06/identity/claims/role into the Claim Type input box, then click Save.
You should now see a Role claim type displayed on the Claim Types page.
Next, click on the Rules tab, then click the Add Rule button.
In the Input Claims section, set the type dropdown to Windows Live ID, enter your Windows Live ID into the Value field, and set the Issuer to live.com. You can add as many Windows Live IDs as you wish, just make sure to set the input claims type combo box to Any.
In the Output Claims section, select Role from the Type dropdown, enter Admin into the Value field, and click Save.
Now run the sample, click on the Live ID Login button, login with a Live ID that you added to the Admin role, and you should see the Admin role displayed on the home page. You should also be able to access the pages in the Admin folder.
All without any code!
I didn't mention this in my earlier posts, but this code won't currently run on Azure. It also won't work on shared hosting at GoDaddy. It works great at GoGrid.