How To: Configure Access Control Service on Windows Azure


First of all, credits to those who helped me in the process of understanding of Federated Identity on .Net. Follow them up on twitter, they are cool people Guiño




And thanks to the AltNet Hispano community for those awesome sessions!


Before to begin

This how-to is designed for .Net developers. Since this is a how-to, for more background information you should visit and read the resources listed below. Would be useful for you if you get along with concepts like Federated Identity and Claim-based architecture.

Requirements to begin this how-to

The gang

Now a brief presentation to the participants on this post.

Federated identity

FI is the capability of trusting and delegating the authentication of an application into another a third party application. Oh, wait, but how is that secure? Well, is more secure and reliable than you can imaging.

The thing is, today companies are growing and sometimes integrating with each other; services are getting along and more often we fall into the requirements of integrate services.

In .Net is quite easy implement an application that authenticate against several Identity provider. The name of the architecture to achieve this is called: Claim-based architecture.

And the answer in .Net to get this done is Windows Identity Foundation (WIF).


Claims are security information contained in security tokens issued by an identity provider. This information represents the identity of the client, i.e. Email, User Name, Name, Roles, etc.

The basic scenario for a claim base architecture is


Note that is the simplest scenario, ACS is not part of it, yet. The application knows where to get the authentication for this user, and there is just one identity provider, could be Gmail, Facebook, Active Directory (in this case the issuer may be an ADFS), etc.


Windows Identity Foundation

Microsoft create this layer of abstraction in order to facilitate the process of authentication through existents identity providers: Active Directory, Google, Facebook, Windows Live ID, etc. In .Net sense, WIF are just .Net assemblies that we need to reference in our .Net projects.

Access Control System

Access Control System (ACS) is part of Windows Azure Active Directory. Is the nexus between our apps and all the identity providers (Google, Windows Live ID, etc.).

-Should I’ve an active Windows Azure account to use it? –Yes.

-In order to achieve Federated identity on .Net; Should I always need ACS ? –No. We are using it here to let him care about all identity providers we trust, in a way we are centralizing this matter. Then all applications on a company, may trust in just one Federation Provider: and this is our dear ACS. You always can build an application with WIF to authenticate the application against any supported identity provider (IDP).

Resources about Federated Identity on .Net

For more concepts I recommend these readings:

Sample architecture

This is an overview of the information flow; how the resource request and authentication happens.


Creating an Asp.Net Web Application

This will be the application what decides to have the authentication process delegated into another party.

In Visual Studio, let’s create just an Empty Web Application. An empty application just focus in the ACS integration, but if you like, you can create and Asp.Net Web Application or an MVC one, is up to you.


After that, add to the project a new Web Form page called ‘Default.aspx’. And the project should looks like this



Configuring Access Control System namespace

Now, let’s see best part of this post, configuring the ACS, which a straightforward process. And for this you should have an active Windows Azure account.

In the Windows Azure panel select Service Bus, Access Control & Caching –> Access Control –> New


Create a unique namespace where our service is going to be running. Select the Country/Region that fits to you, then select the active Subscription of your Windows Azure account.


Wait for you namespace to be in ‘Active’ status. Then select it, and click on the button Access Control Service


Everything related to the Access Control Service for our namespace is here


Click on the left menu: Identity Providers. This is the part we configure the Identity Providers. By Default we have already configured Windows Live ID.


To add i.e. Google to the list, and also login with our Google accounts. Click on Add. Then click on Next.


In this screen let everything by default, and click on Save.



Done, now our Federation provider support Google and Windows Live ID for login. The next step is configure the Relying Party applications (this may be our web application).

Click on the left menu Relying party applications, and then click on Add.


Give it a Name, a friendly one. Then add the Realm and Return URL to http://localhost:52000/. Our sample web app is running under a development environment, that’s why the urls are set to localhost with the particular port. This may change in staging or production environments.

Then click Save.

Now on the left menu, click on Rule groups and also click in the Rule group created by default, in our case is called Default Rule Group for Hello all of you.


You will see that, so far none rules were created, and a message like this should shown. Click on Generate.image

Click on Generate.


And the result will be four claim rules we’ll receive from our identity providers.



Integrating the Federation Provider with Relaying Party

It’s time to integrate both ends, the ACS and our application.

Click in Application Integration and copy the url of the Federation Metadata file.


If Windows Identity Foundation SDK was installed correctly, by right-clicking the .Net project and selecting “Add STS reference…” we start a wizard to configure the integration. If you haven’t yet, this is the moment.


As we are running the Web Application in our development machine, then the url is http://localhost:52000/


A warning will be displayed, because we are not using our application with HTTPS, but is Ok for this sample application. Just click on Yes (Si).


Using the url of Federation Metadata file, we paste it here:






After the integration, the tool will modify the project.


The web.config has suffer some changes. But we still need to add this line into system.web:  <httpRuntime requestValidationMode="2.0"/>



To have an interesting interaction, let’s see if the claim are coming from the identity providers. To achieve this add as a reference the assembly Microsoft.IdentityModel.


In the Load page event, in the Default.aspx code behind, write this code to iterate through the claims received from the issuer

using System;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;
using System.Linq;
namespace HelloAllOfYouQu
	public partial class Default : Page
		protected void Page_Load(object sender, EventArgs e)
			var claims = User.Identity as ClaimsIdentity;
				.ForEach(c => Response.Write("<br>Type: " + c.ClaimType + " ; Value: " + c.Value));


Source code

In case you need it, here you’ve the final application sample:

Running the application

It’s time to try our sample. In Visual Studio, press F5 to run the web application. Since we are not logged in, the ACS let us choose between Windos Live ID or Google.


I’ve select the Google account, so the ACS has redirected to the Google login page.


After the login, I’ve to grant permission to to access to my Google information.


And this is it! Now we are authenticated, and we can see in the default page the claims that we got from Google.



We created a web application delegating the authentication process to Windows Live ID or Google. We used Access Control Service from Azure, to manage the identity providers allowed by the application.


Hope this helps!


Installing Windows 8 Consumer Preview with VMWare Workstation 8

All 8! Lengua fuera

Ok, serious here. The thing is, VMWare Workstation has no explicit support for Windows 8. The last version of Windows 8, for the moment, is the Consumer Preview that you can download for free from the Microsoft site, here:

If you’re wanting to install Windows 8 into a Virtual Machine this is your choice, there are another choices.


Save the product key you will need it later.

Before we get started, make sure to 1) add you current Windows user into the group __wmware__ 2) Set your VMWare Workstation to compatibility with Windows XP Sp3, and finally 3) Run your VMWare Workstation as an Administrator.

All these steps are covered here

Once you have done everything we said, you enter to the wizard in order to create a new Virtual Machine to install your Windows 8, and you go for “Custom” installation, right this way:


Then continue till this screen, and make sure you choose “I will install the system operating later”, otherwise we are going to have problems in the future.


In the next steps, select the installation just like you’re going to install a Windows 7, but you’re not –just in case comment-.


Then continue, and let the force guide you till the last step, then press in the button “Customize Hardware”.


Then locate and select your Windows 8 CP iso file, and then continue.

That’s it. There aren’t more tricks in the next steps.

And the result is


Authorizable content with Razor

Easy way in MVC with Razor, to solve this problem:

“I’ve a piece of code in the view, but I want to render it, just if you’re part of a particular role.”

Lucky us, with razor and his mechanism to easily extends Html Helpers, we can allow that some part of the code required authorization. Let’s see an example of how to get there.

Using it


The html text will be render only if you’re part of the role Administrator. In this example we’re using just one role: Administrator, you can enumerate more than one role separated by comma, have a look in the source we are using params.

The code

This method, as every html helpers existent in the world, is part of a static class.


Looking for more? Sorry for disappoint you!


This kind of authorization requires that you’ll set properly the authorization on server side, this means, i.e. if you hide a link on the client-side, you also have to set the Authorize attribute on your controller action to avoid security leaks.

NHibernate Validator 1.3.1 GA

Hello friends, here is the new release of NHibernate Validator. There are 2 improvements in this release since NHibernate 1.3.0 GA, call it a service pack Guiño.

First of all, Log4net is not longer needed as a dependency. What this means: tecnically the NHibernate.Validator.dll doesn’t need the library log4net.dll. If you have Log4net in your project NHibernate Validator will detect it and will use it. How cool is that?. This was achieve it easily, using a NHibernate feature: NHibernate.IInternalLogger.

This later improvement has to be with the second feature: support for NuGet. Yes, now you can install NHibernate Validator into your project using NuGet with just one command into the console.

Here is the page for the nuget package for NHibernate Validator: Go here


Where to get NHibernate Validator 1.3.1 GA ?

Download binaries and source from Sourceforge


Download binaries with NuGet


jqGrid + Linq + Asp.Net MVC example

For those who want get working these tools/frameworks and achieve a grid like this:


Okey, if you like that, this is the stuff used to get it work:

Download the code example here.

The application was based on the well known example from MVC: Testing a custom Authorize filters MVC let you intercept the actions via a feature they call: Filters. Filters are just attributes that you decorate into actions and them allow to you make an stop before or after the action-methods are executed (also are filters to intercept code before/after the result is executed, errors are thrown, etc). There are a few kind of Filter attributes, in the picture bellow into the blue square you’ve what filters came supported out-of-the-box.

Today we are going to talk about the AuthorizeAttribute and how to extend and test it.

AuthorizeAttribute (from the Msdn):

Represents an attribute that is used to restrict access by callers to an action method.

This filter is the first to be called when the Controller Action Invoker try to run Action methods. You can set into the attribute which are the Users or Roles can execute an Action, if the User/Role doesn?t fulfill with what was established into the Action an Unauthorized Result is raised. Remember that exactly after the filter execution ended in a ActionResult, that result is executed.

Now, let?s go to the hypothetical scenario that you need a custom authorization schema, that you need more than User/Role, or you just need neither of both, because your model is based on a Security Level. So you don?t care about who is the guy? / or what role it has?, you just need the security level it has.

With this scenario you can write a custom Authorize attribute:

In this CustomAuthorize attribute, we are doing first the well known authorization (which is, executing the code as is in the class base). When that authorization part passed, we go through our custom authorization part: we get the user from the Database (or whatever other source) and we check the security level. If it?s allowed to execute the action-method we end without setting the result. If it?s not, we set a HttpUnauthorizedResult. In the browser you will be redirected to the login page if you?re not allowed to execute that code.

Now the problem is when you need to test the authorization. Actually you can do it with some mock and overriding some code.

Another thing you?ve to know is that the object in charge of execute the actions is the ControllerActionInvoker. Then to invoke and action into your tests and see the result when the filters are invoked, we need to customize some, and override the method in charge of execute the result (the ActionResult), which is InvokeActionResult. Where is how should looks our method override:

Assert is a class from a Unit Testing framework, in this case in the example is using the Unit Testing framework that came with Visual Studio because every user can run the tests without have ie: Resharper installed. This Assert is expecting that the Result from the filter/action execution is the same with the TResult (is a generic parameter declared into the class). So with this class, we can make an easy test to see if the result is authorized or unauthorized.

Our test for authorized access, should be looking like this

First we are creating a new Controller, we mock stuff for authentication, and then using our custom action invoker to try to invoke the action using InvokeAction method (passing the Context and the Action name to be executed).

We are using some extensions and helpers methods, i.e.: SetFakeAuthenticatedContext is included into the example and there you?ll see which elements you need to mock when use Authorize filter-attributes.

To understand what happened in this first test method:

  1. Controller creation
  2. Mock authentication stuff using our user named:?pepe?.
  3. Using the custom invoker we launch the action ?PermisiveAction?.
  4. The CustomAuthorized filter is raised, it pass the authorization.
  5. The action is executed and return a ViewResult (doing return View() into the code).
  6. The Assertion is made, everything ok and the test pass.

And now let?s see this another test

The difference with the previous one is in the step 4, 5 and 6. The action is not executed because the filter raise an HttpUnauthorizedResult. Download the example to understand better how to manage the testing of Authorization on Actions.

Download code example