Open the Windows Azure Portal and select the “Service Bus, Access Control & Caching” option to create a new Access Control namespace.

After creating the new namespace you can configure the Access Control Service by creating a new relying party application.

Select the identity providers for your relying party. Azure Multi Application uses the Google provider. If you open the provider details, you can configure which relying parties use it. Make sure only the Google provider is enabled for your application.

Create the relying party. Set the Realm and the Return URL; both must be your hosted service URI.

Create the default rules for the Google provider by selecting the “Generate” button.

After creating the default rules you must create one more rule. This rule is needed to authorize users: only users in the Admins role are authorized.

In “Input claim type” select the emailaddress type. In the input claim value enter your Google email address (for example mymail@gmail.com).

In “Output claim type” select the role type. In the output claim value enter “Admins”.

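The rule group built in the steps above can be modelled in a few lines, which makes it easy to see why the role claim is trustworthy: the generated default rules only pass Google's name and e-mail claims through, and the role claim is minted by ACS itself for one exact e-mail address. The following is an added example, not code from the Azure Multi Application project; the rule shape, the exact-match comparison and the address mymail@gmail.com (the page's sample value) are assumptions of the model.

```python
"""Model of the ACS rule group described above (added example, not project code).

A rule is (input_type, input_value, output_type, output_value).
A pass-through rule, the kind the "Generate" button creates, has no fixed
input or output value: the value sent by the identity provider is copied.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

Claim = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    input_type: str
    input_value: Optional[str]   # None = match any value (pass-through)
    output_type: str
    output_value: Optional[str]  # None = copy the matched input value


# Generated default rules: pass Google's name and e-mail claims through unchanged.
# Custom rule from the text: exact e-mail match -> role "Admins".
# The address is the page's sample value; replace it with your own.
RULES = [
    Rule(NAME, None, NAME, None),
    Rule(EMAIL, None, EMAIL, None),
    Rule(EMAIL, "mymail@gmail.com", ROLE, "Admins"),
]


def apply_rules(input_claims: List[Claim], rules: List[Rule] = RULES) -> List[Claim]:
    """Return the output claims ACS would issue for the given input claims.

    Claim types without a matching rule (for example a role claim asserted by
    the identity provider) are dropped, so roles can only come from ACS rules.
    """
    output: List[Claim] = []
    for claim_type, value in input_claims:
        for rule in rules:
            if rule.input_type != claim_type:
                continue
            if rule.input_value is not None and rule.input_value != value:
                continue
            out_value = rule.output_value if rule.output_value is not None else value
            output.append((rule.output_type, out_value))
    return output


def is_authorized(output_claims: List[Claim], required_role: str = "Admins") -> bool:
    """The relying party's check: only tokens carrying role=Admins are accepted."""
    return (ROLE, required_role) in output_claims


if __name__ == "__main__":
    admin = apply_rules([(NAME, "Admin User"), (EMAIL, "mymail@gmail.com")])
    print("admin authorized:", is_authorized(admin))
    other = apply_rules([(NAME, "Someone"), (EMAIL, "other@gmail.com")])
    print("other authorized:", is_authorized(other))
```

The third case worth trying is an identity provider token that already contains a role claim: because no pass-through rule exists for the role type, it never reaches the output, which is exactly the property the web application relies on when it trusts the role claim.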

Access Control is now configured! Next you have to change the web application config to include the namespace info.

Replace [namespace] with your Access Control namespace name.

Replace [hostedservicename] with your Hosted Service Name.

Replace [thumbprint] with the thumbprint of the X.509 token-signing certificate. This value is in the “Certificates and keys” section.

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://[hostedservicename].cloudapp.net:81" />
    </audienceUris>
    <federatedAuthentication>
      <!-- requireHttps and requireSsl are false because the hosted service is addressed over plain HTTP on port 81 here;
           set both to true (and use an https realm) once the service is served over SSL. -->
      <wsFederation passiveRedirectEnabled="true" issuer="https://[namespace].accesscontrol.windows.net/v2/wsfederation"
                    realm="http://[hostedservicename].cloudapp.net:81"
                    requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <!--Following are the claims offered by STS 'https://[namespace].accesscontrol.windows.net/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" optional="true" />-->
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <!-- Tokens are accepted only if signed by the certificate with this thumbprint; update it when ACS rolls the signing certificate. -->
        <add thumbprint="[thumbprint]" name="https://[namespace].accesscontrol.windows.net/" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- Chain and revocation validation of the signing certificate is disabled; trust rests entirely on the pinned thumbprint above. -->
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>
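
A small consistency check over the finished fragment catches the edits that most often break sign-in or silently weaken it: a placeholder left in place, a realm that does not match the audienceUri, a thumbprint that is not 40 hex characters, or a trusted issuer that does not belong to the same namespace as the wsFederation issuer. This is an added example and not part of the Azure Multi Application project; the namespace, hosted service name and all-“A” thumbprint used as sample values are constructed, and the copy of the fragment below omits the commented-out claim types.

```python
"""Consistency checks for the <microsoft.identityModel> fragment (added example, not project code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Copy of the fragment above with the same placeholders (commented-out claim types omitted).
TEMPLATE = """<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://[hostedservicename].cloudapp.net:81" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://[namespace].accesscontrol.windows.net/v2/wsfederation"
                    realm="http://[hostedservicename].cloudapp.net:81"
                    requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="[thumbprint]" name="https://[namespace].accesscontrol.windows.net/" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>
"""


def filled(namespace="mynamespace", hosted="myservice", thumbprint="A" * 40):
    """Fill the placeholders the way the text instructs (sample values are constructed)."""
    return (TEMPLATE.replace("[namespace]", namespace)
                    .replace("[hostedservicename]", hosted)
                    .replace("[thumbprint]", thumbprint))


def check_config(xml_text):
    """Return {"errors": [...], "warnings": [...]} for the given fragment."""
    errors, warnings = [], []
    if re.search(r"\[[a-z]+\]", xml_text):
        errors.append("placeholders left unreplaced")
    service = ET.fromstring(xml_text).find("service")

    audiences = [a.get("value") for a in service.findall("audienceUris/add")]
    wsfed = service.find("federatedAuthentication/wsFederation")
    realm = wsfed.get("realm")
    if realm not in audiences:
        errors.append(f"realm {realm!r} is not listed in audienceUris {audiences}")
    # WIF defaults requireHttps to true; flag an https realm that turned it off.
    if urlparse(realm).scheme == "https" and wsfed.get("requireHttps", "true").lower() != "true":
        warnings.append("realm is https but requireHttps is false")

    issuer_host = urlparse(wsfed.get("issuer", "")).netloc
    trusted = service.findall("issuerNameRegistry/trustedIssuers/add")
    if not trusted:
        errors.append("no trusted issuer configured")
    for entry in trusted:
        thumb = entry.get("thumbprint", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
            errors.append(f"thumbprint {thumb!r} is not a 40-character SHA-1 hex string")
        if urlparse(entry.get("name", "")).netloc != issuer_host:
            errors.append(f"trusted issuer {entry.get('name')!r} does not match issuer host {issuer_host!r}")

    validation = service.find("certificateValidation")
    if validation is not None and validation.get("certificateValidationMode") == "None":
        warnings.append("certificateValidationMode=None: signing certificate is trusted only via the pinned thumbprint")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, text in (("placeholders", TEMPLATE), ("filled", filled())):
        print(label, check_config(text))
```

Run it against your real web.config section before deploying; the warning about certificateValidationMode is expected with the settings on this page and is there so that the reliance on the thumbprint is a conscious choice.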

Last edited Sep 8, 2011 at 9:13 PM by ibonilm, version 3