
Hey guys, not sure if this is the right forum for this, but I'm at my wits' end trying to figure this out.

So a quick background of what I'm trying to do. I'm working on my senior project for college, and it's actually with Microsoft. My webforms application is done, and I'm trying to set up ACS with some role-based identification. I'm using VS 2012 and I've gotten ACS to work properly using Windows Live ID and Google log-in. My problem comes when I'm trying to restrict the entire app to only users who are admins. I've seen many tutorials online, but they all seem to be for VS 2010, which is vastly different from 2012. My problem lies particularly with the fact that I can't view the nameidentifier that Windows Live ID gives me to make a role out of it in Azure. So for instance, if someone@live.com logs in I can get back nameidentifier="x" and then make a role out of that nameidentifier. I can't seem to find a way to view the nameidentifier.

Does anyone have any knowledge of how to get this to work in VS 2012, or have any tutorials? Or if anyone knows of a way to do what I'm explaining in a different manner, I would greatly appreciate it!

Any help is greatly appreciated!

Also, I've seen a lot of work from @AntonStaykov but not quite what I'm looking for; if you're on here as well to assist, I would really appreciate it.

Allan Huston

3 Answers


Here is how you could access the nameidentifier claim in code. This assumes you have ACS set up with pass-through claims, which it should provide by default.

        // Needed for Claim/ClaimTypes/ClaimsPrincipal and for FirstOrDefault.
        using System.Linq;
        using System.Security.Claims;

        ClaimsPrincipal p = System.Threading.Thread.CurrentPrincipal as ClaimsPrincipal;

        // FirstOrDefault rather than First: First() throws when the claim is absent,
        // which would make the null check below dead code. p is null for a
        // principal that is not claims-based (e.g. an anonymous request).
        Claim cNameIdentifier = (p == null)
            ? null
            : p.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);

        if (cNameIdentifier != null)
        {
            string NameIdentifierValue = cNameIdentifier.Value;

            // your code here to implement your logic.

        }

I think what you're after though is a way to augment (or transform) the incoming claims in your web application so you can do role based security. For example, when the token hits your site, you're wanting to

  1. retrieve the incoming NameIdentifier claim,
  2. lookup in a store (dictionary, persisted store, provider, etc.) to see if the user is an Admin based on your own logic,
  3. add a role claim to the principal with "Admin" as the value.

Is this your goal? If so, the place to do this is in a ClaimsAuthenticationManager.

http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthenticationmanager.aspx

-Rick

Rick Rainey
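The ClaimsAuthenticationManager Rick points to, as an added worked example (this is not code from the answer or from any Microsoft sample). It assumes the site is built on WIF 4.5 (.NET 4.5, VS 2012), that the application namespace is MyApp, and that the admin store is the constructed in-memory set shown here in place of a database table; the sample identity-provider and nameidentifier values in that set are placeholders, not real ACS output. The identity-provider claim type is the one ACS emits alongside NameIdentifier, and the store is keyed on both because a NameIdentifier value is only meaningful relative to the provider that issued it. Register the class in web.config under system.identityModel/identityConfiguration/claimsAuthenticationManager with its assembly-qualified type name.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

namespace MyApp.Security   // assumed application namespace
{
    // Runs once per federated sign-in, after WIF has validated the ACS token and
    // before the session cookie is written, so the role we add here is persisted
    // in the session for the rest of the user's visit.
    public class AdminClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS-specific claim naming the identity provider that authenticated the user.
        private const string IdentityProviderClaim =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        private const string AdminRole = "Administrator";

        // Constructed stand-in for a persisted store. Each entry is an
        // (identityprovider, nameidentifier) pair copied from a real sign-in;
        // these two values are placeholders.
        private static readonly HashSet<Tuple<string, string>> AdminStore =
            new HashSet<Tuple<string, string>>
            {
                Tuple.Create("uri:WindowsLiveID", "placeholder-live-id-nameidentifier"),
                Tuple.Create("Google", "https://www.google.com/accounts/o8/id?id=placeholder")
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests carry an unauthenticated identity; nothing to augment.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;

            // Never trust role claims that arrived inside the token. With pass-through
            // rules an identity provider (or a stray ACS rule) could supply one, and
            // <allow roles="Administrator"/> would honour it.
            foreach (Claim roleClaim in identity.FindAll(ClaimTypes.Role).ToList())
            {
                identity.RemoveClaim(roleClaim);
            }

            Claim nic = identity.FindFirst(ClaimTypes.NameIdentifier);
            Claim idp = identity.FindFirst(IdentityProviderClaim);

            if (nic != null && idp != null && IsAdmin(idp.Value, nic.Value))
            {
                // Issuer "LOCAL AUTHORITY" marks the claim as minted by this app, not by ACS.
                identity.AddClaim(new Claim(ClaimTypes.Role, AdminRole, ClaimValueTypes.String, "LOCAL AUTHORITY"));
            }

            return incomingPrincipal;
        }

        // Exact-match lookup; the pair must have been recorded from a previous sign-in.
        public static bool IsAdmin(string identityProvider, string nameIdentifier)
        {
            return AdminStore.Contains(Tuple.Create(identityProvider, nameIdentifier));
        }
    }
}
```

With this in place the web.config authorization section can stay declarative (allow the Administrator role, deny everyone else), and the ACS rule group needs nothing beyond the default pass-through rules. The role claim is recomputed at every sign-in, so removing a pair from the store revokes access the next time that user's session is re-established.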

The main issue you have is using Live ID (or, as they call it now, Microsoft Account). There is no way to get the user's e-mail out of Live ID if you just use ACS. I personally love ACS and use it; I just don't care about the Microsoft Account, or handle it in other ways.

If you want to restrict access to the whole application to Admins only, you have to accomplish two things:

  1. Set up an authorization rule in your system.web section that gives access only to the Administrator role
  2. Set up a claim rule in ACS to generate an Administrator role claim based on some input criteria.

Step one is fairly easy; just add the following inside your system.web section in your web.config file:

<authorization>
  <allow roles="Administrator" />
  <!-- "*" denies every other user, authenticated or not. "?" would deny only
       anonymous users, and any signed-in non-administrator would fall through
       to the default allow at the end of the list. -->
  <deny users="*" />
</authorization>

Just make sure there is no other authorization section in your web.config!

Second step, the easy part. Go to your ACS management portal, then to the Rule Group which is assigned to your relying party application, and add a new rule with the following criteria:

  1. Choose the Identity Provider for the rule (let's assume Google)
  2. Select the input Claim Type to be: http://schemas.xmlsoap.org/claims/EmailAddress
  3. Enter the Claim value: your_desired_admin@gmail.com (the e-mail address of the Administrator)
  4. Select the output claim type to be: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  5. Enter the value for the output claim: Administrator
    • Set a proper description for the rule, something like "your_desired_admin@gmail.com is Administrator".
  6. Save the rule.

Done. Repeat this step for all the persons you want to give Administrator permissions to. Of course you can only do this for identity providers that will give you an e-mail address. Sorry for Microsoft Account users.

There is no trivial way to give administrator permissions to Microsoft Account holders when they come via Azure ACS. The only thing you have is the Name Identifier claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (I will call it NIC for simplicity).

The NIC is unique on the following combination: User Identity (me@live.com) + ACS Namespace + Relying Party Application. This means that if me@live.com logs in to your app via mygreat.accesscontrol.windows.net you will get a unique NIC for that user. If the very same user logs in to my site via someother.accesscontrol.windows.net, I will get a completely new NIC, which will be globally unique again but will not be the same as the one your application got.

And, as you can imagine, you cannot guess the NIC for any user that comes from Live ID. Enabling this scenario for Live ID requires a bit more complicated logic, which I don't have the time and space to describe here, but I might find time for a nice blog post.

You can get the NameIdentifier claim in your application logic as already pointed out by Rick, but do you really want to give all and any users the "Administrator" role? Plus, I would stay away from letting my application mess with the rules in ACS for every single login that comes in. There are better ways to achieve what you want (as I said, time for blogging).

astaykov
  • This solution is perfect except for the fact that my project requires we use Microsoft Live ID. Being that only admins would ever be able to access this application, I want it to be 100% access or no access at all type of security. Not sure what steps I should take next – Allan Huston Mar 13 '13 at 22:21
  • Okay, so just for the sake of getting some security up I tried using Google. I'm not quite sure what's not working, but it is allowing any user to get in that uses Gmail, even though I changed the web config. Any ideas? – Allan Huston Mar 14 '13 at 02:33
  • I am a little confused by the `100% access or no access`. Do you mean all of the Live ID members will have admin access, or no one shall be admin? As I said, what you want to achieve is doable, but not the subject of a simple SO answer. – astaykov Mar 18 '13 at 23:35
  • My end goal is that only people I designate as admins through the ACS portal should be able to get in. After taking a look around, this seems a lot more difficult than it should be, since you cannot use anything but a nameidentifier for Windows Live (I got Google to work). Any idea if using OAuth 2.0 for Windows Live could achieve my goal? – Allan Huston Mar 20 '13 at 01:25
  • Well, I think your intent `through the ACS portal` is conceptually a bit wrong. I would avoid directly (and manually) using the Portal to `adjust` any type of production service. You can't integrate the OAuth Live SDK with Azure ACS. But what you could do is create a `one-time-activation-token` in the form of a GUID, which lives inside your application. Accept all users presenting a valid security token, but stop them and require that `one-time-activation-token`. If a valid token is presented, create a local profile based on the `nameidentifier` claim and let this user in as Administrator. – astaykov Mar 20 '13 at 12:27
  • Okay, all this is very new to me, so forgive me if I sound stupid for asking, but is there any way I can see this set up in action? Maybe a tutorial of some sort. Also, here's a quick question I've got with ACS still: I'm having trouble getting ACS to show up when I use the Identity and Access toolkit. When I go to my webconfig I commented out a portion under the tag; I can then add ACS but lose access to my API for my program. Any idea why this is or how to fix it? – Allan Huston Mar 21 '13 at 02:31
  • Yes, but we are turning this into a chat. There is a great event coming soon – [The Global Windows Azure Bootcamp](https://globalwindowsazure.azurewebsites.net/). Find a place near you and get yourself in. You will learn a lot of things and will have a chance to ask your questions in a free form and have discussions/code samples/etc. – astaykov Mar 21 '13 at 13:24
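The one-time activation token flow astaykov sketches in the comments, as an added worked example (not code from the answer or its author). It assumes a WIF 4.5 site under the namespace MyApp, an Activate.aspx page that authenticated users can reach, and in-memory sets standing in for the persisted token and admin tables; the class and member names are assumptions. Every user with a valid ACS token is authenticated, but none is an administrator until they present a token an operator handed them out of band, at which point their (identityprovider, nameidentifier) pair is recorded and the token is burned. Whatever augments claims at sign-in (for example a ClaimsAuthenticationManager) then consults IsAdmin to decide whether to add the Administrator role.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

namespace MyApp.Security   // assumed application namespace
{
    public static class AdminEnrollment
    {
        // ACS-specific claim naming the identity provider; NameIdentifier values are
        // only unique relative to their provider, so admins are keyed on both.
        private const string IdentityProviderClaim =
            "http://schemas.microsoft.com/accesstrolservice/2010/07/claims/identityprovider"
                .Replace("accesstrolservice", "accesscontrolservice");

        // Unused activation tokens (stand-in for a table with issued-at/expiry columns).
        private static readonly HashSet<string> PendingTokens = new HashSet<string>(StringComparer.Ordinal);

        // Enrolled administrators as (identityprovider, nameidentifier) pairs.
        private static readonly HashSet<Tuple<string, string>> Admins = new HashSet<Tuple<string, string>>();

        private static readonly object Gate = new object();

        // Issue a new single-use token for an operator to hand to the future admin.
        // Guid.NewGuid() is unique but not guaranteed unpredictable, so draw from the CSPRNG.
        public static string IssueToken()
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
            string token = Convert.ToBase64String(bytes);
            lock (Gate) { PendingTokens.Add(token); }
            return token;
        }

        // Called from Activate.aspx with the signed-in principal and the token the user typed.
        // Returns true when the user has just been enrolled as an administrator.
        public static bool TryActivate(ClaimsPrincipal principal, string presentedToken)
        {
            if (principal == null || principal.Identity == null
                || !principal.Identity.IsAuthenticated || string.IsNullOrEmpty(presentedToken))
            {
                return false;
            }

            Claim nic = principal.FindFirst(ClaimTypes.NameIdentifier);
            Claim idp = principal.FindFirst(IdentityProviderClaim);
            if (nic == null || idp == null) return false;

            lock (Gate)
            {
                // Walk every pending token with a fixed-time compare and no early exit,
                // so response timing does not reveal how much of a guess matched.
                string matched = null;
                foreach (string candidate in PendingTokens)
                {
                    if (FixedTimeEquals(candidate, presentedToken)) matched = candidate;
                }
                if (matched == null) return false;

                PendingTokens.Remove(matched);                  // single use: burn it
                Admins.Add(Tuple.Create(idp.Value, nic.Value)); // local profile keyed on the NIC
            }
            return true;
        }

        public static bool IsAdmin(string identityProvider, string nameIdentifier)
        {
            lock (Gate) { return Admins.Contains(Tuple.Create(identityProvider, nameIdentifier)); }
        }

        // Constant-time equality over the full length; tokens are fixed-length so the
        // length comparison itself leaks nothing useful.
        private static bool FixedTimeEquals(string a, string b)
        {
            byte[] x = Encoding.UTF8.GetBytes(a);
            byte[] y = Encoding.UTF8.GetBytes(b);
            int diff = x.Length ^ y.Length;
            for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }
}
```

Two deployment details follow from the web.config rule in the answer: a root-level deny for everyone but Administrator also blocks Activate.aspx, so that page needs its own `<location path="Activate.aspx">` authorization section that denies anonymous users and allows the rest; and a successful activation does not change the session cookie WIF already issued, so either sign the user out and back in or add the role claim to the current identity and rewrite the session token before redirecting.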

The tooling is indeed different in VS 2012 if you're targeting .NET Framework 4.5. Much of it is driven by the fact that Windows Identity Foundation is built into the framework in 4.5. So, you may eliminate some of your friction if you just target .NET Framework 4.0. With this, you will have a similar experience to the tutorials you're referring to (assuming these tutorials target .NET 4.0 or earlier).

I'm not sure why you're not able to view the nameidentifier. Maybe you can provide a little more context around that question? For example, are you in the ACS portal, in code, etc?

-Rick

Rick Rainey
  • So basically what I want to do is: if someone logs in with Windows Live ID... someone@live.com, they produce a nameidentifier="x". I want to be able to see what that name identifier is in code so that I can make a role with that output as a requirement in ACS and name that role admin. In theory I would need to do this for every user, unless there is some way around this that is much easier. In short, I want a select number of users that I will pre-identify to be able to access my web form app, because it is for admins only – Allan Huston Mar 13 '13 at 02:36