Monday, January 24, 2011

Migration to Azure - Part 3 HelloWorld

How to - ADFS with HelloWorld

  1. Create one cloud project and add one web role. The web role will contain a very
    simple 'HelloWorld'.
  2. Upload one .pfx certificate to http://windows.Azure.com (this is the certificate
    the rest of the configuration references by thumbprint).
  3. Add the certificate and the STS reference to the project (see
    http://claimsid.codeplex.com/).

Adding the certificate and the STS reference makes the following changes in web.config
and in the service configuration file -

  • Service Configuration file

<Certificates>
  <Certificate name="Certificate2" thumbprint="xxxxxxxxxxxxxxxxxx" thumbprintAlgorithm="sha1" />
</Certificates>


  • Web.config File

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="ClaimsPrincipalHttpModule" type="Microsoft.IdentityModel.Web.ClaimsPrincipalHttpModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  </modules>
</system.webServer>

And

<microsoft.identityModel>
  <service>
    <!--Commented out by FedUtil-->
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="A97379892B76D70BC4C453C5F4AAC00428DB7E83" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
    <applicationService>
      <claimTypeRequired>
        <!--Following are the claims offered by STS 'urn:federation:MSFT'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/claims/CommonName" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/claims/EmailAddress" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/claims/Group" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/claims/UPN" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" optional="true" />-->
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" optional="true" />-->
      </claimTypeRequired>
    </applicationService>
    <!--Commented out by FedUtil-->

    <audienceUris>
      <add value="https://ptswebdev.cloudapp.net/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://corp.sts.microsoft.com/adfs/ls/" realm="https://ptswebdev.cloudapp.net" requireHttps="true" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="41DFA100BE890909B3ED5E93761F8174680EACD6" name="urn:federation:MSFT" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>

Three of these settings are what actually enforce the trust: <trustedIssuers> pins the
ADFS token-signing certificate by thumbprint, so a token signed with any other key is
rejected; <audienceUris> makes WIF reject tokens that were issued for a different relying
party; and requireHttps requires the STS address to be https while requireSsl marks the
session cookie Secure so it is only ever sent over TLS. The serviceCertificate thumbprint
must be that of the .pfx uploaded in step 2, the same certificate listed in the service
configuration above.

 

  4. Now open Global.asax and add the following -

// Global.asax.cs - namespaces needed by the handlers below
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

void Application_Start(object sender, EventArgs e)
{
    // Code that runs on application startup: hook the two WIF events.
    FederatedAuthentication.ServiceConfigurationCreated +=
        new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider +=
        new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthenticationModule_RedirectingToIdentityProvider);
}

void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender,
    RedirectingToIdentityProviderEventArgs e)
{
    // Build wreply from the incoming request so the STS posts the token back to the
    // address the browser actually used (in Azure this differs between the staging and
    // production deployments). Caveat: the Host header is supplied by the client, so in
    // production validate it against the hostnames you really serve before using it here.
    Uri reqUrl = Request.Url;
    StringBuilder wreply = new StringBuilder();
    wreply.Append(reqUrl.Scheme); // e.g. "http"
    wreply.Append("://");
    wreply.Append(Request.Headers["Host"] ?? reqUrl.Authority);
    wreply.Append(Request.ApplicationPath);
    if (!Request.ApplicationPath.EndsWith("/"))
    {
        wreply.Append("/");
    }
    e.SignInRequestMessage.Reply = wreply.ToString();
}

void FederatedAuthentication_ServiceConfigurationCreated(object sender,
    ServiceConfigurationCreatedEventArgs e)
{
    // Replace the default DPAPI-protected session cookie with one encrypted and signed
    // using the service certificate. DPAPI keys are per machine, so a cookie issued by
    // one role instance could not be read by another; the certificate is shared by all.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });
    SessionSecurityTokenHandler sessionHandler =
        new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
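The handler above takes wreply straight from the Host header, which the browser (or anyone forging a request) controls. As an added example, not code from the original post, the version below accepts only hosts that appear in the <audienceUris> list WIF already enforces on incoming tokens, and cancels the sign-in redirect otherwise. The class and method names (ReplyUrlBuilder, IsAllowedHost, BuildReplyUrl) are chosen here; everything else is the WIF 3.5 API used on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

// Added example (not from the original post): build wreply only from a Host header
// that matches one of the <audienceUris> entries in web.config.
public static class ReplyUrlBuilder
{
    // True when hostHeader equals the host[:port] of one of the allowed audience URIs.
    public static bool IsAllowedHost(string hostHeader, IEnumerable<Uri> allowedAudiences)
    {
        if (string.IsNullOrEmpty(hostHeader) || allowedAudiences == null)
        {
            return false;
        }
        foreach (Uri audience in allowedAudiences)
        {
            // A Host header carries the port only when it is not the scheme default.
            string allowed = audience.IsDefaultPort
                ? audience.Host
                : audience.Host + ":" + audience.Port;
            if (string.Equals(hostHeader, allowed, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    // Returns "scheme://host/appPath/" or null when the host is not on the allow-list.
    public static string BuildReplyUrl(string scheme, string hostHeader, string applicationPath,
                                      IEnumerable<Uri> allowedAudiences)
    {
        if (!IsAllowedHost(hostHeader, allowedAudiences))
        {
            return null;
        }
        string path = string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath;
        if (!path.EndsWith("/"))
        {
            path += "/";
        }
        return scheme + "://" + hostHeader + path;
    }
}

// Drop-in replacement for the RedirectingToIdentityProvider handler in Global.asax.cs.
public partial class Global : HttpApplication
{
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender,
        RedirectingToIdentityProviderEventArgs e)
    {
        // The audience list WIF checks on incoming tokens doubles as the allow-list
        // for where we ask the STS to post the token back to.
        IEnumerable<Uri> allowed =
            FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris;

        string reply = ReplyUrlBuilder.BuildReplyUrl(
            Request.Url.Scheme, Request.Headers["Host"], Request.ApplicationPath, allowed);

        if (reply == null)
        {
            // Unknown Host header: refuse rather than send the browser to the STS
            // with an attacker-chosen wreply.
            e.Cancel = true;
            Response.StatusCode = 400;
            Response.End();
            return;
        }
        e.SignInRequestMessage.Reply = reply;
    }
}
```

With the web.config on this page the only accepted Host is ptswebdev.cloudapp.net; when you test in the local development fabric, add that address (for example the http://127.0.0.1:port/ URL it assigns) to <audienceUris> as well, otherwise every sign-in is refused there.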

  5. Open Default.aspx and add the following in Page_Load (or any other event handler) -

// Default.aspx.cs - namespaces needed
using System;
using System.Threading;
using Microsoft.IdentityModel.Claims;

protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        // The WIF modules have already validated the token and set the principal;
        // here we only list the claims it carries.
        IClaimsIdentity ici = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (ici == null)
        {
            Response.Write("No claims identity on the current thread.");
            return;
        }
        foreach (Claim c in ici.Claims)
        {
            // Encode before writing into the page: claim values are data, not markup.
            Response.Write(Server.HtmlEncode(c.ClaimType + " - " + c.Value) + "<br />");
        }
    }
    catch (Exception ex)
    {
        Response.Write(Server.HtmlEncode(ex.ToString()));
    }
}
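Listing the claims is the smoke test; the next thing a practitioner wants is to make a decision on them. As an added example, not code from the original post, the block below checks the role claim requested under <claimTypeRequired> and, because the issuerNameRegistry maps the pinned thumbprint to the name urn:federation:MSFT, also checks that the claim was issued by that issuer rather than by any other issuer you might later add to <trustedIssuers>. ClaimsChecks and its methods are names chosen here, and "PTS Admin" is a hypothetical role value, not one the post defines.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;

// Added example (not from the original post): authorization on the name and role
// claims ADFS sends, with the issuer of each claim taken into account.
public static class ClaimsChecks
{
    // Issuer name registered under <trustedIssuers> in web.config on this page.
    public const string TrustedIssuer = "urn:federation:MSFT";

    // True only for an authenticated identity carrying a role claim with this value
    // whose Issuer is the trusted ADFS issuer. With a single trusted issuer the
    // registry already guarantees this; it matters once several issuers are trusted.
    public static bool HasRoleFromTrustedIssuer(IClaimsIdentity identity, string role)
    {
        if (identity == null || !identity.IsAuthenticated)
        {
            return false;
        }
        return identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role
            && string.Equals(c.Value, role, StringComparison.Ordinal)
            && string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal));
    }

    // Display name taken from the name claim; never assumes the claim is present.
    public static string DisplayName(IClaimsIdentity identity)
    {
        if (identity == null)
        {
            return "(anonymous)";
        }
        Claim name = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Name);
        return name != null ? name.Value : "(no name claim)";
    }
}

// Default.aspx.cs using the checks above.
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsIdentity ici = Thread.CurrentPrincipal.Identity as IClaimsIdentity;

        // "PTS Admin" is a hypothetical role value for illustration.
        if (!ClaimsChecks.HasRoleFromTrustedIssuer(ici, "PTS Admin"))
        {
            // Authenticated but not authorised (or no claims identity at all).
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        // Claim values come from the STS, not from the browser, but encode them anyway.
        Response.Write(Server.HtmlEncode("Hello, " + ClaimsChecks.DisplayName(ici)));
    }
}
```

Role claims only arrive if the relying party's claim rules on the ADFS server emit them; the web.config entry merely advertises that the application wants them.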

 

You are done :)) Bingo!

I didn't add much about adding the STS and certificate, as that is widely
available on the net.

Migration to Azure - Part 2 Real work, some thoughts

Here come the problems you are going to face in Azure [if you are a
conventional programmer]:

  1.  Authentication, especially if it is Active Directory based: the role runs on
    the internet, outside your domain, so it cannot authenticate users against AD
    directly. This is what the ADFS/claims setup in Part 3 is for.
  2.  DB connection, which is a simple string pointing to the SQL Azure DB. Note that
    the user name takes the form 'username@servername' (the first label of the server
    host, not the database name). For example, the connection string in my case was
    "server=tcp:xyz.database.windows.net;Database=PTS;User
    ID=userName@xyz;Password=<anypwd>;Trusted_Connection=False;Encrypt=True;".
    Keep Encrypt=True: the connection crosses the internet. The question here is why we
    need SQL Azure when Windows Azure already provides tables - SQL Azure is an RDBMS,
    whereas Windows Azure Table storage is not.
  3.  Session and Application variables :) Application variables work as they do on a
    single server, though each role instance holds its own copy. Sessions are not
    available OOB; they need some extra effort. The reason is that once you scale out
    to several instances, the load balancer may send each request to a different
    instance, so you never know where a request is executed. The answer is to use
    SQL-based session state.

The DB connection is very basic and easily available. For sessions you need to find
some alternative or use SQL-based session state. Below I am posting a very basic
HelloWorld with ADFS authentication.
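The connection string above carries the two things that are easy to get wrong: the login must be login@servername (the label from the Data Source host), and Encrypt=True must stay on because the traffic leaves your network. As an added example, not code from the original post, the block below runs those checks over a connection string before the application uses it, using System.Data.SqlClient's SqlConnectionStringBuilder. SqlAzureConnectionCheck and Validate are names chosen here, and the two sample strings are constructed for the demonstration (password replaced).

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example (not from the original post): sanity checks for a SQL Azure
// connection string covering the mistakes discussed in the text.
public static class SqlAzureConnectionCheck
{
    // Returns one message per problem found; an empty list means the string passes.
    public static List<string> Validate(string connectionString)
    {
        var problems = new List<string>();
        SqlConnectionStringBuilder b;
        try
        {
            b = new SqlConnectionStringBuilder(connectionString);
        }
        catch (ArgumentException ex)
        {
            problems.Add("Unparseable connection string: " + ex.Message);
            return problems;
        }

        // "tcp:xyz.database.windows.net,1433" -> host "xyz.database.windows.net", label "xyz"
        string host = b.DataSource ?? string.Empty;
        if (host.StartsWith("tcp:", StringComparison.OrdinalIgnoreCase))
        {
            host = host.Substring(4);
        }
        int comma = host.IndexOf(',');
        if (comma >= 0)
        {
            host = host.Substring(0, comma);
        }
        string serverLabel = host.Split('.')[0];

        if (!host.EndsWith(".database.windows.net", StringComparison.OrdinalIgnoreCase))
        {
            problems.Add("Data Source is not a *.database.windows.net host");
        }
        if (b.IntegratedSecurity)
        {
            problems.Add("Windows (trusted) authentication is not available; use a SQL login");
        }
        if (!b.Encrypt)
        {
            problems.Add("Encrypt=True is missing; the connection crosses the internet");
        }
        if (b.TrustServerCertificate)
        {
            problems.Add("TrustServerCertificate=True turns off server certificate validation");
        }
        if (string.IsNullOrEmpty(b.UserID))
        {
            problems.Add("User ID is missing");
        }
        else if (!b.UserID.EndsWith("@" + serverLabel, StringComparison.OrdinalIgnoreCase))
        {
            problems.Add("User ID must be login@" + serverLabel + " (login@servername, not login@database)");
        }
        if (string.IsNullOrEmpty(b.InitialCatalog))
        {
            problems.Add("Database is missing");
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed samples: the first has the shape of the string in the post (password
        // replaced); the second uses login@database, drops Encrypt and trusts any server cert.
        string[] samples =
        {
            "server=tcp:xyz.database.windows.net;Database=PTS;User ID=userName@xyz;Password=REPLACE_ME;Trusted_Connection=False;Encrypt=True;",
            "server=tcp:xyz.database.windows.net;Database=PTS;User ID=userName@PTS;Password=REPLACE_ME;Trusted_Connection=False;TrustServerCertificate=True;"
        };
        foreach (string s in samples)
        {
            List<string> problems = Validate(s);
            Console.WriteLine(problems.Count == 0 ? "OK" : string.Join("\n", problems.ToArray()));
            Console.WriteLine();
        }
    }
}
```

Run it at startup (or as a unit test over the configured connection string) so a deployment with a weakened string fails before it opens a connection rather than after a silent downgrade.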

Below are the minimum items needed -

  1. One certificate (.pfx file), which is also uploaded to Windows Azure.
  2. The location of the ADFS 2.0 server, as this will provide your claims.
  3. A relying party added on the ADFS 2.0 server, which means telling the ADFS server
    "the requests will come from this site; provide claims for it".
  4. Within the application the following changes are needed -
    • Changes in Application_Start [adding the two event handlers associated with
      authentication]
    • Adding the certificate [the same one must be uploaded to Azure]
    • Adding the ADFS server location reference by running the FedUtil tool.

Next post - Part 3: Minimum HelloWorld with ADFS integration

 

Migration to Azure - Part 1

Hi All,
I got a chance to work on Azure very recently, and the work of course was related to migration. Keeping it short, I will try to explain the problems and challenges I faced in this process –


Getting started, reading material and understanding –

• VS 2010 gives the option of creating a cloud app. Two things to mention for a newbie –

• Worker role and web role [a web role is nothing but your ASP.NET application hosted in IIS; a worker role is a background process without IIS]

• The Azure project has WebRole.cs, which holds the role entry point (OnStart) that the Azure runtime calls before your application starts serving requests.

• Start by putting breakpoints in Application_Start [that will give a clear understanding of the flow]

After the first Hello World and understanding the flow comes the question of how the migration should go; the most common scenario is to have SQL Azure as well [a separate license].

Open http://windows.azure.com, click SQL Azure and create your DB with the help of a script. There are no wizards as of now.

• Once the DB is created, it is better to create a simple application to access the database programmatically. A few things here –

• To access your SQL Azure DB programmatically, click the "Firewall Settings" tab and add the IP of your computer, so that the SQL Azure firewall lets it through (by default nothing outside Azure is allowed in).

Also install the Microsoft Firewall Client [I do not know exactly why this is needed, but this happened in my case].

I am not providing any code snippet for the same, as the material is very easily and widely available on the net.

Now it is time for real work - Part 2