Access Control Service : create and use your own STS in Azure – Part 2

In this article series, I am going to address how to create you own custom Security Token Service (STS) to authenticate your users using claims, and using it through ACS to offer more  Identity Providers to your Azure app.

This article series is composed of:

  1. Build you STS as a Web App (and not a Website)
  2. Create and configure your certificates in your STS  ← You are here!
  3. Understand the FederationMetadata.xml file
  4. Use your STS in the cloud through ACS
  5. Put your web app + your STS in Windows Azure

2. Create and configure your certificates in your STS

Let’s see how we can create and use our certificates in our own Windows Azure STS; this includes:

  • generating test certificates for your STS to talkf with users in HTTPS,
  • generating encryption certificate la génération d’un certificat pour encrypter vos tokens envoyés depuis votre STS vers ACS.

1. How to create your certificates

In our scenario, we are going to use self-signed certificates; of course, if you obtained some from your favorite certificate issuer for your company, this also do the job, and you can skip this part :)

To create your own certificates, we are going to use the Visual Studio 2010 command prompt, which will let us use the MakeCert.exe command.

Here a re the 2 commands to use to generate your certificate that will be used by your STS for HTTPS (we will call it httpsCert):

makecert -r -pe -n "" -sky 1 "httpsCer.cer" -sv "httpsCer.pvk" -ss My
pvk2pfx -pvk "httpsCer.pvk" -spc "httpsCer.cer" -pfx "httpsCer.pfx" -pi test

What are these commands doing?

  • 1st is creating a private key (.pvk), validate against a password (whatever you want); it also creates one certificate (.cer) containing the public key (this will ask you the password you created just before to open the private key and generate the public key).
  • 2nd takes the private and public keys and build a certificate containing both private and public key (.pfx) ; private key password will be asked once more.

Certificates will be generated in the path you’re in, so make sure you are in the right place to do so :)

We will use again the same command set to generate the certificate we will be using to encrypt the STS token (enforcing better encryption using ”len” parameter to get a 2048 bit key) :

makecert -r -pe -len 2048 -n “CN=CryptingCert” -sky 1 “CryptingCert.cer” -sv “CryptingCert.pvk” -ss My

Now we have our PFX certificates ready to be used; let’s now use them in our Azure project.

2. Use your certificates in your Azure STS

To attach your certificates to your Azure solution, we will have to place them into the ”Personal” Certificate Store of your Machine (only certificates in “Machine\ Personal” certificate Store will be accessible from the Azure SDK in Visual Studio).

Know let’s open a MMC console and add a “Certificate Store” pointing to the Computer account; add there certificates here :


During import process, don’t forget to check the “Mark this key as exportable” checkbox, to be able to export your certificates out of your Store with toe Private key!!

Once done, let’s add them now in your Windows Azure project.

Create entries matching needs in the Azure Role properties editor, then choose which certificate to match using button next to the “Thumbprint” field:


As you can see above, SigninCert will be used for HTTPS and token signing, and EncryptionCert to encrypt transmitted tokens.

Note: Windows Azure only use the “ThumbPrint” value of the cert to set certificates from the Hosted Service certificates into the instance once loaded.

Let’s at last add the SigninCert certificate to be used for the HTTPS part:

Given code from previous article need to changed here accordingly:

  • SigninCert certificate (file httpsCert.cer) to be used in the MembershipSTSConfiguration.cs class (for token signing), and for HTTPS Endpoint definition,
  • EncryptionCert certificate (file CryptingCert.cer) the the GetScope method of the MembershipSTS.cs class to encrypt tokens.

3. Add your certificates in Windows Azure

Once certificates mpaaing in your STS app is done, we now need to upload them into the Hosted Service corresponding to your deployment (which means you’ll need to create one prior to deployment).

Select the “Certificates”  folder under your deployment and click the “Add Certificate” button in the ribbon :

Add your certificates there, so that your instance will be fed with them upon booting time:

Now your certificates are Azure, ready to be used by your STS Web role once uploaded.

Nest, we will have a look at the FederationMetadata.xml file and how it needs to be shaped to make your STS consumed properly from ACS, so that it can use your STS just as any other Identity Providers :)

5 Responses

  1. I hate certificates… here are the pitfalls, which tripped me up here:

    - Watch out for fancy quotes when copying the certificate commands – they’ll make the generation fail.
    - Make sure you change “test” to your actual password ;)
    - Generate the .pfx file for the encrypt certificate as well (use the same second command as for the other one)
    - Import the .pfx file in MMC, not any of the others (that way you’ll get the talked about options)

    Finally, I needed to use my encryption cert in BOTH MembershipSTSConfiguration.cs and MembershipSTS.cs to avoid getting the “SAML token is invalid.” message after the token got sent back to ACS. Not sure why though.

  2. Hi James:

    - copy/pasting lines is ok now :)
    - you are not forced to use the same certificate in both MembershipSTSConfiguration.cs and MembershipSTS.cs, but if so you need to make all certificates to be uploaded in the Cloud Service you are using, along with the one used to encrypt to be uploaded into your ACS namespace

Leave a Reply