In Chapter 4, Cloud-based Identity with Access Control Service, we learned how identity and access control can be isolated completely from the actual application code and delegated to a cloud-based service, for example, Windows Azure ACS 2.0. A very realistic scenario is the opposite of the one we encountered in Chapter 4, Cloud-based Identity with Access Control Service: you have applications hosted in a cloud environment, for example, Windows Azure, and you want your Active Directory users to have a Single Sign-On experience while accessing those external applications hosted in the cloud. The following diagram illustrates this scenario:
In this recipe, we will take a look at the steps of configuring AD FS 2.0 as a trusted identity provider for a Windows Azure hosted application.
Following are the prerequisites:
   DSInit command line tool.)

To implement identity with AD FS 2.0 for the applications hosted on Windows Azure, perform the following steps:
1. In the WebRole1 properties, under the Certificates section, add the domain/self-signed certificate that you created for AD FS 2.0 in the previous chapter.
   127.0.0.1 adfsweb.domain.com
2. Run the CloudHostedApplication project and note the application URL, including the generated port.
3. Using the federation utility, select the Web.config file of the WebRole1 web application project under the Application configuration location section and specify the secure URL of the CloudHostedApplication web application in the Application URI dropdown list, as shown in the following screenshot.
4. Establish the trust with AD FS 2.0 for the CloudHostedApplication web application (refer to Chapter 5, Identity Management with Active Directory Federation Services, for the detailed steps).

You have now successfully set up AD FS 2.0 as a trusted identity provider for the Windows Azure Web Role instance. The federation utility creates a FederationMetadata folder in the WebRole1 project once the trust is successfully established. Run the CloudHostedApplication project and you will be redirected to the federation server for authentication. After successful authentication, you will be signed in.
The steps executed in this recipe ensure that the Azure Web Role instance works correctly with AD FS 2.0 in the Development Fabric. However, once the application is ready to be deployed in Azure, the following changes are required for it to work correctly with the federation server instance:
1. Update the Web.config file with the actual address of the application.
2. Update the FederationMetadata.xml file to replace the Development Fabric URL with the actual address of the application.
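The two deployment changes above, as an added example that is not code from the book: a Python script that retargets the Development Fabric URL in the WIF Web.config and in the FederationMetadata.xml generated by the federation utility. Both sample documents are constructed and trimmed; the port 444 and the production address https://myapp.cloudapp.net/ are placeholders, and the AD FS issuer URL adfsweb.domain.com is deliberately left unchanged.

```python
import xml.etree.ElementTree as ET

DEV_URL = "https://127.0.0.1:444/"        # constructed Development Fabric address
PROD_URL = "https://myapp.cloudapp.net/"  # placeholder for the real Azure address
ET.register_namespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")

# Constructed WIF 1.0 Web.config fragment and trimmed FedUtil metadata; both still name the dev URL.
WEB_CONFIG = """<configuration><microsoft.identityModel><service>
  <audienceUris><add value="https://127.0.0.1:444/" /></audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfsweb.domain.com/adfs/ls/"
                  realm="https://127.0.0.1:444/" requireHttps="true" />
  </federatedAuthentication>
</service></microsoft.identityModel></configuration>"""

FEDERATION_METADATA = """<EntityDescriptor entityID="https://127.0.0.1:444/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
  <RoleDescriptor><fed:PassiveRequestorEndpoint>
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://127.0.0.1:444/</Address></EndpointReference>
  </fed:PassiveRequestorEndpoint></RoleDescriptor></EntityDescriptor>"""

def rewrite_web_config(xml_text, old_url, new_url):
    """Retarget audienceUris and the wsFederation realm; WIF rejects a token whose audience is unlisted."""
    root = ET.fromstring(xml_text)
    service = next(root.iter("service"))
    changed = 0
    for add in service.findall("audienceUris/add"):
        if add.get("value") == old_url:
            add.set("value", new_url)
            changed += 1
    wsfed = service.find("federatedAuthentication/wsFederation")
    if wsfed.get("realm") == old_url:
        wsfed.set("realm", new_url)
        changed += 1
    if wsfed.get("requireHttps") != "true":  # keep the sign-in redirect on TLS
        raise ValueError("wsFederation requireHttps must remain 'true'")
    return ET.tostring(root, encoding="unicode"), changed

def rewrite_federation_metadata(xml_text, old_url, new_url):
    """Replace entityID and every wsa:Address that still names the dev URL."""
    root = ET.fromstring(xml_text)
    changed = int(root.get("entityID") == old_url)
    if changed:
        root.set("entityID", new_url)
    for addr in root.iter("{http://www.w3.org/2005/08/addressing}Address"):
        if addr.text == old_url:
            addr.text = new_url
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

After the rewrite, the relying party trust on the AD FS 2.0 side must identify the application by the same production URL, otherwise the issued token's audience will not match.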