Access Control Service : create and use your own STS in Azure – Part 1

In this article series, I am going to address how to create your own custom Security Token Service (STS) to authenticate your users using claims, and how to use it through ACS to offer more Identity Providers to your Azure app.

This article series is composed of:

  1. Build your STS as a Web App (and not a Website) ← You are here!
  2. Create and configure your certificates in your STS
  3. Understand the FederationMetadata.xml file
  4. Use your STS in the cloud through ACS
  5. Put your web app + your STS in Windows Azure

1. Build your own STS as a Web App (and not a Website)

Today, the WIF templates offer to build your Security Token Service as a Website.

What we would like to do is use this “Website” as part of our Azure project, but the issue is that the Azure SDK only supports importing “Web Application” type projects…

No problem, let’s just create a Web Application from scratch; you will see how simple it is to create an STS from that.

1. Web App creation

First, let’s create a Windows Azure project with one ASP.NET web role.

Once done, let’s have a look at the web.config of our web role; in our case, I simplified it to only keep the MembershipProvider and RoleProvider, both pointing to a SQL Azure backend.

So, what does this web.config have that makes it so special for an STS web app?

Absolutely nothing!!

Let’s have a quick look at what this really simple web role contains:

  • MembershipProvider and RoleProvider providers to configure the identity used in your STS,
  • a “Forms” based authentication, redirecting to “Login.aspx” to validate the user identity within the STS

Now, let’s add a few things that will make our simple ASP.NET web role a real STS.

2. Adding a couple of pages to the web role

Adding the “Login.aspx” webpage:

This webpage is the one that will be used to authenticate users coming to the STS; most of the work is done just by having the providers set in the web.config. This page just needs to contain a Login ASP.NET control, which will automatically use the providers. As the first call made to the STS will try to reach the PassiveSTS.aspx page, the user will be redirected there once successfully authenticated.

You can find here a sample template of the Login.aspx page (easy to obtain from the VS IDE).

Adding the “PassiveSTS.aspx” webpage:

This page is the one where the magic is done.

On the HTML side, it is an empty page; on the code-behind side, there will be a little bit more code, which will validate the consistency of the request parameters coming from the Relying Party (these parameters can be found URL-encoded within the ReturnUrl query parameter on the Login.aspx webpage).

Once the parameters received from the RP are validated, a couple of additional classes will be called to create, sign and encrypt the SAML token that will be sent back to ACS (find here the code-behind of my sample PassiveSTS.aspx.cs webpage for reference).

These custom classes are called on one line in this webpage:

SecurityTokenService sts = new MembershipSTS(MembershipSTSConfiguration.Current);

Let’s now have a look at how these classes are built.
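As an added example (not the article’s own PassiveSTS.aspx.cs), here is what the code-behind of PassiveSTS.aspx looks like with the WIF 1.0 API (Microsoft.IdentityModel): it reads the wa action, refuses to issue anything to an unauthenticated user, parses the WS-Federation sign-in request, and hands it to the MembershipSTS class named above. MembershipSTS and MembershipSTSConfiguration are assumed to exist as described in section 3.

```csharp
// Added example, not the original page's code: PassiveSTS.aspx code-behind (WIF 1.0 API).
using System;
using System.Web.UI;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

public partial class PassiveSTS : Page
{
    protected void Page_PreRender(object sender, EventArgs e)
    {
        // wa=wsignin1.0 or wa=wsignout1.0 tells the STS what the relying party asks for.
        string action = Request.QueryString[WSFederationConstants.Parameters.Action];

        if (action == WSFederationConstants.Actions.SignIn)
        {
            // Forms authentication already sent the user through Login.aspx;
            // never build a token for an anonymous request.
            if (User == null || User.Identity == null || !User.Identity.IsAuthenticated)
            {
                throw new UnauthorizedAccessException("Sign-in request from an unauthenticated user.");
            }

            // Parses wtrealm / wreply / wctx from the query string; throws on a malformed request.
            SignInRequestMessage requestMessage =
                (SignInRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);

            // The one line from the article: the STS with its configuration (assumed classes).
            SecurityTokenService sts = new MembershipSTS(MembershipSTSConfiguration.Current);

            // Runs MembershipSTS.GetScope (RP validation, signing/encryption credentials) and
            // GetOutputClaimsIdentity, then wraps the signed token in a form POST to the reply address.
            SignInResponseMessage responseMessage =
                FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User, sts);
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, Response);
        }
        else if (action == WSFederationConstants.Actions.SignOut)
        {
            SignOutRequestMessage requestMessage =
                (SignOutRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest(
                requestMessage, User, requestMessage.Reply, Response);
        }
        else
        {
            throw new InvalidOperationException("Unsupported or missing wa parameter.");
        }
    }
}
```

The page itself stays empty on the HTML side; everything happens in Page_PreRender. Because PassiveSTS.aspx is protected by Forms authentication in web.config, an unauthenticated browser is bounced to Login.aspx first (with the original query string kept in ReturnUrl), and only comes back here once the Membership provider has validated the credentials.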

3. Add specific code for your STS to generate your auth tokens

The code you will find here comes from the sample classes generated by the WIF STS Website template.

A small addition here: you will need to fill in details about the certificates your web role will use (we will see how certificates are created in the 2nd article of this series).

The first file is MembershipSTSConfiguration.cs: this class is used to set the signing certificate used for your token (adding the public key to the FederationMetadata.xml file is covered in the 3rd part of this article series).

The second file is MembershipSTS.cs: this one does 3 things:

  • Verify that the site requesting a token has the right to do so (through the overridden GetScope method),
  • Set the certificate that will be used to encrypt the token (through the same method),
  • Create and add claims to the claim response according to the identity authenticated against the STS app (through the overridden GetOutputClaimsIdentity method)
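As an added example (not the article’s own MembershipSTS.cs / MembershipSTSConfiguration.cs), here is how those two classes can be written against the WIF 1.0 API so that the three responsibilities above are visible: GetScope only issues tokens to relying parties registered in web.config and attaches the signing and encryption credentials, and GetOutputClaimsIdentity maps the Membership and Role providers to claims. Assumed, and not on the page: the appSettings keys IssuerName, SigningCertificateName, EncryptingCertificateName and TrustedRelyingParties, and a CertificateUtil.GetCertificate(StoreName, StoreLocation, subjectName) helper like the one the WIF template ships.

```csharp
// Added example, not the original page's code: STS configuration and STS class (WIF 1.0 API).
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class MembershipSTSConfiguration : SecurityTokenServiceConfiguration
{
    private const string AppStateKey = "MembershipSTSConfiguration";
    private static readonly object SyncRoot = new object();

    // One configuration per application, so the signing certificate is loaded once.
    public static MembershipSTSConfiguration Current
    {
        get
        {
            HttpApplicationState app = HttpContext.Current.Application;
            lock (SyncRoot)
            {
                var config = app[AppStateKey] as MembershipSTSConfiguration;
                if (config == null)
                {
                    config = new MembershipSTSConfiguration();
                    app[AppStateKey] = config;
                }
                return config;
            }
        }
    }

    public MembershipSTSConfiguration()
        : base(WebConfigurationManager.AppSettings["IssuerName"],              // assumed appSettings key
               new X509SigningCredentials(CertificateUtil.GetCertificate(     // assumed helper
                   StoreName.My, StoreLocation.LocalMachine,
                   WebConfigurationManager.AppSettings["SigningCertificateName"])))
    {
        SecurityTokenService = typeof(MembershipSTS);
    }
}

public class MembershipSTS : SecurityTokenService
{
    public MembershipSTS(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

    // 1) and 2): only registered relying parties get a token; wtrealm/wreply are caller-supplied input.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("The AppliesTo (wtrealm) parameter is missing.");

        string realm = request.AppliesTo.Uri.OriginalString;
        string[] trusted = (WebConfigurationManager.AppSettings["TrustedRelyingParties"] ?? "")
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);   // assumed key, ';'-separated URLs
        if (!Array.Exists(trusted, rp => string.Equals(rp.Trim(), realm, StringComparison.OrdinalIgnoreCase)))
            throw new InvalidRequestException("The relying party " + realm + " is not registered.");

        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);

        // Encrypt the token for the relying party (ACS) with its public certificate, when configured.
        string encryptingCertName = WebConfigurationManager.AppSettings["EncryptingCertificateName"];
        if (!string.IsNullOrEmpty(encryptingCertName))
            scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(
                StoreName.My, StoreLocation.LocalMachine, encryptingCertName));
        else
            scope.TokenEncryptionRequired = false;

        // Only honour a wreply that lives on the registered realm's host; otherwise post to the realm.
        if (string.IsNullOrEmpty(request.ReplyTo))
            scope.ReplyToAddress = scope.AppliesToAddress;
        else if (new Uri(request.ReplyTo).Host.Equals(request.AppliesTo.Uri.Host, StringComparison.OrdinalIgnoreCase))
            scope.ReplyToAddress = request.ReplyTo;
        else
            throw new InvalidRequestException("The wreply address does not belong to the relying party.");

        return scope;
    }

    // 3): build the outgoing identity from the authenticated user and the RoleProvider.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null) throw new ArgumentNullException("principal");

        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        MembershipUser user = Membership.GetUser(principal.Identity.Name);
        if (user != null && !string.IsNullOrEmpty(user.Email))
            identity.Claims.Add(new Claim(ClaimTypes.Email, user.Email));

        foreach (string role in Roles.GetRolesForUser(principal.Identity.Name))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));

        return identity;
    }
}
```

Two choices here differ from the template the article starts from. The realm allow-list lives in web.config rather than a hard-coded array, so adding an ACS namespace as a relying party is a configuration change, and wreply is only accepted when it points at the registered realm’s host, so a token cannot be redirected to an address the STS does not know. When ACS sits in front of your app, the claim types emitted here (name, email, role) are what the ACS mapping rules will see as input.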

Now that your STS is ready code-wise, let’s add certificates to it to sign and encrypt our token… In my next article!

10 Responses

  1. Just what I am looking for. I am really interested in part 4. Use your STS in the cloud through ACS.

    Is there a way to use ACS to access SQL Azure to create claims?

  2. Hello Thien,
    My example is just showing how to use the Membership provider for authentication, but you can for sure use the RoleProvider or ProfileProvider to store additional info for your user.
    Then to map these values as claims, have a look at the MembershipSTS file in my article, which contains a GetOutputClaimsIdentity method; this is where you add your claims before they get sent out to the App or ACS. You will also need, in the case of ACS, to make sure you created the corresponding mapping rules in your ACS portal.

    Ben

  3. Hi Benjamin,

    For the last month, I have been working on migrating an application to the cloud. One of the key components of the application is a custom STS.

    We have built a custom STS for authentication. Right now I am trying to deploy it on the cloud and to consume it in a client application.

    But I am a little bit confused about the deployment of the custom STS. Will the STS be deployed as a hosted service, or does it need to be configured with ACS? Or do we have to do both things?

    Can you please guide me on this? Please share your contact details.

    Thanks
    Jonyy

  4. You can link your sites from an identity standpoint directly to your STS hosted as a cloud service.

    ACS would help in such a scenario to federate multiple identity providers within your web app: your app trusts your ACS namespace, then ACS plays the role of a “proxy” to receive and transform claims received from Identity Providers, before sending them back to your app. It is then up to you to map the Relying Party + user identity from this RP to something meaningful in your app.

  5. Hi Benjamin,

    Thanks for quick response.

    I didn’t get the term “identity standpoint”??

    Can I directly consume the custom STS, hosted as a cloud service (like mysts.cloudapp.net/Service.svc), in my Silverlight-based client application?

    Are there any different types of settings that need to be done for consuming the STS in a client app?

    Thanks
    Jonyy

  6. What you are trying to achieve here, I think, is an Active Federation mechanism, meaning the user actually logs in to ACS from within the Silverlight app.
    Passive Federation would require the user to go to ACS or your STS directly as a page redirect, log on to this page, then have the info taken from the STS submitted to your app to authenticate the user (overall Passive Federation schema available here, with an ACS/ADFS flavour).

    Have a look over here for a complete example of this, hope this helps.

  7. Hi,

    I need help in creating an ACS custom identity provider (STS) with WIF 4.5. This sample isn’t working with WIF 4.5.

    Regards,
    Yasir

  8. Hi,

    Firstly let me thank you – this was very useful!
    I did have a few stumbling blocks though due to omissions or maybe because of the translation?
    Either way, I’ll add a comment on each page, listing what I feel may help people.

    On this page, all I’d ask is for an almost working solution so people don’t have to download files individually. Also, Certificateutil.cs is missing (easy to find on Google but still)

  9. Hello James,

    Thanks for the comment, I will try to add content according to your statements whenever I have time to do so :)
