Recently I’ve been looking at ways to build in Windows Azure Active Directory support into our applications. For those of you that haven’t been following the latest trends in identity Microsoft has supplied a freemium model called Windows Azure Active Directory (WAAD) which allows the integration of AD functionality for you Windows Azure or non-Windows Azure applications. I use the term freemium because they have recently announced that there is no charge for the use of AD transactions for your users. The pricing for additional services such as Rights Management have yet to be announced since WAAD is still in preview.
There are many architectural paradigms available when attempting to integrate WAAD authentication for a web site but it’s still virgin in its outlook and tooling. There are some tools available including a library released by the identity team called AAL and available nuget. I decided to write a series of 3 posts on WAAD including architectural patterns and talking through a new helper library I’ve made to aid in the integration with web applications.
In this first piece I’m going to talk through how to set up WAAD and some of the architectural patterns you can use within your application. It will containsome powershell but little code whereas part 2 will contain a lot of code and a reference to Elastacloud.Azure.ActiveDirectory which will be hosted on Github shortly and available through nuget.
There are many gotchas when trying to use WAAD. As my colleagues tell me, I’m an exception magnet so I hope some of this information will be useful to you if you come across some of the blockers that I have whilst trying to integrate WAAD into a Web Principal workflow. A lot of the information I’m writing here is on Vittorio Bertocci’s blog although not the traps that you can fall in!
This article will show you you how to setup a new Active Directory tenant from scratch. I’ve done this and been able to integrate this into my application through Access Control Services (ACS) and also consume the WAAD Graph API which gives access to all objects in the AD via REST and OData. I’ve had problems using our existing Office 365 account which I have been able to use for Single Sign On via ACS federation but not to consume the Graph API. Later on I’ll explain why I think this is so.
To get started you’ll have to navigate to http://g.microsoftonline.com/0AX00en/5 which is the sign up link for new AD tenants. Follow the wizard and create a new domain and within minutes you’re setup. If everything goes as planned you should be able to login with your newly created domain address (me@mydomain.onmicrosoft.com) and access the AD. From the portal you should be able to manipulate users and groups as in the image below.
The WAAD portal
So now that you have a WAAD tenant you need to be able to do something with it. There are two activities which you would need to do to have comprehensive usage of WAAD within your applications. We’ll focus on being able to sign in first to our relying party (RP) application. In order to do this we must allow our application to connect to ACS so that our web application is aware of ACS and ACS is also aware of our web application. Before configuring ACS we need a way that ACS and our Active Directory tenant can be aware of each other.
For this we’ll need to download the Office 365 CmdLets and Sign In helper.
First install the sign in helper from here:
http://go.microsoft.com/fwlink/p/?linkid=236300
Then download and install the CmdLets from here:
http://go.microsoft.com/fwlink/p/?linkid=236297
There are lots of articles floating around the internet with redundant versions which can cause problems so if you click on the “Integration” link your Active Directory portal you can be assured to be using the latest. Some of the Service Principal activity you’ll need to provision the roles for the Graph API will not be present in earlier versions of the CmdLets so be weary here. Once you’re downloaded and installed fire up powershell from the desktop or start menu icon. To connect to your WAAD tenant use the following and enter your onmicrosoft.com login at the prompt.
Connect-MsolService |
By default only the Office CmdLets are imported as a module so enter this at the prompt to enable access to CmdLets which allow the management of Service Principals.
Import-Module MSOnlineExtended -Force |
We can then register a new address for our RP application:
$replyUrl = New-MsolServicePrincipalAddresses –Address "https://localhost:9090" |
And then setup our Service Principal:
New-MsolServicePrincipal –ServicePrincipalNames @(“https://localhost:9090”) -DisplayName "Cloudzync ACS Namespace" -Addresses $replyUrl |
I’ve just left the principal display name as the application reply to address but this can be customised as needed.
It’s worth noting that at this point there is a symmetric key which is generated for the principal. This will not be displayed again so make a note of this! If you don’t you’ll have to regenerate it. To check that the Service Principal exists we can look at the default application principals and the service principals should be at the bottom of the list (they are the ones that have Trusted for Delegation marked as false!)
Get-MsolServicePrincipal |
Checking a Service Principal
As you can see each one has an AppPrincipalId which is how we’ll refer to them from now. The other thing that we’ll do is to look at how we can generate the credentials (sym key) again if we didn’t make a note of it.
To get the key(s) back you can use the following:
Get-MsolServicePrincipal -ServicePrincipalName http://localhost:9090 |
you can see in the image below that I have two keys for this principal. I can automatically generate a second using the New-MsolServicePrincipal credential and remove ones using the Remove-MsolServicePrincipalCredential. This is great if you have an enterprise key rotation policy in place.
Checking Service Principal Credentials
Now that the Service Principal (SP) has been created we’re half way done. In order to enable Single Sign In we need to setup a namespace in ACS. You will have to do this through the old Windows Azure portal. If you’re new to Azure if you login to the new portal you can get a link from you profile on the top right of the screen. Got to the Cache, Access Control and Service Bus option and create a new ACS namespace. In future you can just navigate to the management endpoint for ACS @ https://mynamespace.accesscontrol.windows.net.
When you’ve logged into ACS you need to set up a new ws-federation Identity Provider to allow you to set up the single sign in with your application. We won’t through the setup steps here for ACS here because they are very well documented on windowsazure.com but you need 3 things to enable you federate and sign in with your web application (RP).
- An identity provider
- A Relying Party
- A rule group
The first one you can setup by going through a wizard which will allow you to create the iDP using a ws-federation document. You can follow the iDP wizard entering the following URL as per the image below:
https://accounts.accesscontrol.windows.net/mydomain.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
Where mydomain is the WAAD domain you setup earlier. It’s important to note that accounts is a special namespace if you mistake this for your own namespace and you try and sign to your RP when you’ve followed the setup steps you’ll see the following error:
“ACS50001
400
Requested relying party realm ‘<Realm URL>’ is unknown.
There was a mismatch between the AppliesTo given in the token request and the realms you have configured in ACS. Check that: 1. Your relying party has its realm configured correctly. You can do this through the Management Portal or using the Management Service, by looking at your RelyingParty.RelyingPartyAddresses entries. 2. Your relying party has been associated with the identity provider. You can also do this from the Management Portal or using the Management Service, by looking at your RelyingPartyIdentityProviders entries.”
Identity Provider in ACS
This is it you’re now ready for Single Sign in your application by using the “Identity and Access” extension in VS2012 and entering the realm (can be anything unique). Above you can see that this is https://sts.windows.net/{guid} and is how you uniquely identify the new WAAD iDP from your application. This value also comes through as a claim in your RP so to convert this to something meaningful you’ll need to index and lookup this especially if you’re using multiple WAAD tenants with your web application.
Identity and Access
For those of you that are still using VS 2010 you can just right-click on your web project and add STS reference. From the dialog I can then choose to select which iDPs I want to import and the relevant metadata is imported. If I have more than one I’ll get a default menu allowing me to choose who I want to authenticate with.
Active Directory Patterns
In the above image we can see the possible patterns we can put in place with WAAD. The WAAD tenant can be central to authentication and can can federate with ACS and an AD within a corporate network. In this instance it will need to use a feature call DirSync, which we’ll look at in a later post to sync accounts between on premises and cloud OR both the corporate AD (through ADFS) and WAAD can federate directly to the RP application through ACS.
In the following post we’ll looking at how to build applications using the Active Directory Graph API and the post after that how to integrate and build custom principals through the web to take advantage of all of the above. This setup process is relatively problem free if you can avoid the one pitfall I walked into and highlighted. When we look at the Graph API we’ll consider how our application should be designed to leverage it.
Happy trails and enjoy playing with WAAD. After all it’s free!
Update: Some excellent investigative work by Lauri Kotilainen showed that the {guid}/graph.windows.net@tenantdomain was failing resolution because the prefix was not set as a ServicePrincipal name for the WAAD tenant (Microsoft.Azure.ActiveDirectory). See script here to update the SP name collection for the tenant https://gist.github.com/4338524. This will make Office 365 accessible to the Graph API.
Great article!
“I’ve had problems using our existing Office 365 account which I have been able to use for Single Sign On via ACS federation but not to consume the Graph API. Later on I’ll explain why I think this is so.”
Same issue here – SSO is working, but Graph API isn’t. I’m struggling to find the “later on” part that is mentioned. Clues very welcome!
Hi Nick,
Thanks for picking up on that! I tried every permutation I could think of. I’ve sent an email to Vittorio Bertocci so hopefully he can shed some light on this. I had a view which may be wrong … I think this may be something to do with the age of the O365 account and an extra step which older ones don’t go through on setup (but I may be jumping to conclusions) as this needs to add metadata to the reserved ACS accounts namespace.
Anyway, I’ll ping you when I hear back from Vittorio and will also update the post.
All the best,
Richard
Nick found my writings on using the Graph API and described the problem to me, and after some trial and error I was able to cook up a fix:
http://blog.rytmis.net/2012/12/windows-azure-active-directory-using_19.html
My hypothesis is that the Service Principal Name used by the Graph API to identify itself to the Office 365 WAAD tenant is different from the initial Office 365 configuration, which leads to these errors.
Nice one! I just tried and it worked first time. Your idea makes a lot of sense I didn’t think of correlating the service principal name with the graph uri format at the time. Using the graph, directory and directoryapi endpoints seems to work for me, then the realm was instantly recognised. I had auth failures until I added directory_s1 endpoint to the SP name collection.
Great article, important to note the comment about following the “Integration” link as the link provided here to the CmdLets already is changed.
As a note, I had to add a serviceprincipal for my ACS namespace as well:
PS Z:\> $replyUrl = New-MsolServicePrincipalAddresses -Address “https://mytest-acs-test.accesscontrol.windows.net/”
PS Z:\> New-MsolServicePrincipal -ServicePrincipalNames @(“https://mytest-acs-test.accesscontrol.windows.net/”) -DisplayName “My test AD ACS Namespace” -Addresses $replyUrl
Also worthwhile mentioning that after adding an identity provider, one must also edit the rules under “Rule Groups” as the IP isn’t added automatically and one will get the “No claims generated” error, it by default is added to the “Relaying party Applications”, but it’s easy to overlook the rule groups.
Hi Ove,
Thanks for the positive feedback and clarifications. Yes, unfortunately the Msol CmdLets are a moving target. When I wrote this post I used an old version of the CmdLets and couldn’t elevate to authorise access for the graph because reserved role values for ServicePrincipals were not available in my version from August.
As far as ACS goes yes you’re right. I didn’t want to go into the ACS part and assumed familiarity as this post is really a preliminary for the next two which show how to use the graph and custom web principals to make enterprise-ready apps.
Thanks for pointing out that claims generation is not implicit and one has to generate them. You are right this maybe confusing to new users of ACS.
All the best,
Richard
Richard,
Thanks to some help from Lauri Kotilainen, I now have my application accessing the Office 365 WAAD just fine. The gory details of the steps involved are in the comments at the end of the article here: http://blog.rytmis.net/2012/12/windows-azure-active-directory-querying.html
The specific “light bulb moment” is reflected here: https://gist.github.com/4338524
After executing that against my tenant, Lauri’s code worked just fine. So, it does appear to be something missing/different in [older] Office 365 WAAD configurations.
Maybe worth running that past Vittorio.
Cheers, Nick
[...] we’re not the only ones with this problem, so let’s hope this helps save someone else the [...]
[...] you enter your credentials (AppPrincipalId and SymmetricKey from the previous post) you added earlier you’ll be greeted with the following error because the ServicePrincipal we [...]
[...] a couple of things. We’ll need to wire up single sign in through ACS which you can read about here. We’ll also need to create a custom principal from a ClaimsPrincipal which is returned [...]
Hi. I’ve followed this and it works as far as authentication against our O365 users, but I then get redirected to:
https://accounts.accesscontrol.windows.net/{guid}/wsfed
And get the following message:
ACS50011: The requested reply address ‘https://{namespace}.accesscontrol.windows.net/v2/wsfederation’ does not match any configured reply addresses
Any suggestions where I’ve gone wrong?
Yeah. This looks like a misconfiguration issue. Check that the realm in acs and your SP match and that you have a reply to configured. If you want to email me the config happy to take a look.
Neil, you might also want to note that the service endpoint addresses changed in a recent update (announcement here: http://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/threads?announcementId=1ec9c47e-197b-4108-89e3-0c62c8e7f49d#1ec9c47e-197b-4108-89e3-0c62c8e7f49d ). The address in your error message looks like the older version, which seems to support Richard’s line of thinking.
Thanks Lauri. You’re right Vittorio posted this about a month ago. I think the old endpoints are still active at the moment as well though no?
Ah, I should probably have been clearer about what I meant. I don’t know if they’re active or not, but seeing both /{guid}/wsfed and /{guid}/v2/wsfederation in the same context makes me think that there’s a part that’s configured for the new endpoints and another that’s configured for the old ones. I admit it’s not exactly compelling evidence, just an intuition.