In this article series, I am going to address how to create your own custom Security Token Service (STS) to authenticate your users using claims, and how to use it through ACS to offer more Identity Providers to your Azure app.
This article series is composed of:
- Build your STS as a Web App (and not a Website)
- Create and configure your certificates in your STS ← You are here!
- Understand the FederationMetadata.xml file
- Use your STS in the cloud through ACS
- Put your web app + your STS in Windows Azure
2. Create and configure your certificates in your STS
Let’s see how we can create and use our certificates in our own Windows Azure STS; this includes:
- generating a test certificate so your STS can talk to users over HTTPS,
- generating a certificate to encrypt the tokens your STS sends to ACS.
1. How to create your certificates
In our scenario we are going to use self-signed certificates; of course, if you obtained certificates from your favorite certificate authority for your company, they will do the job as well and you can skip this part. Keep in mind that a self-signed certificate is a test artifact: browsers will warn on the HTTPS endpoint, and nothing vouches for it except your own decision to trust it.
To create your own certificates we are going to use the Visual Studio 2010 command prompt, which puts the MakeCert.exe and Pvk2Pfx.exe tools on the path.
Here are the 2 commands to use to generate the certificate your STS will use for HTTPS (we will call it httpsCer, as in the file names below):
makecert -r -pe -n "CN=mystsapp.cloudapp.net" -sky 1 "httpsCer.cer" -sv "httpsCer.pvk" -ss My
pvk2pfx -pvk "httpsCer.pvk" -spc "httpsCer.cer" -pfx "httpsCer.pfx" -pi test
What are these commands doing?
- The 1st one creates a self-signed certificate (-r) whose subject name (-n) must be the host name your STS is reached at, with an exportable private key (-pe) of the key-exchange type (-sky 1), which is what HTTPS and token encryption need. The private key is written to the .pvk file, protected by a password you are prompted for (choose whatever you want); the .cer file contains the certificate with the public key only. The certificate is also installed in the Personal store of the current user (-ss My).
- The 2nd one takes the private key and the certificate and builds a single .pfx file holding both, protected by the password given with -pi (you will be asked for the .pvk password once more). The password "test" above is a placeholder: the .pvk and .pfx files are the private key of your STS, so use a real password and keep these files out of shared folders and source control.
Files are generated in the directory you are in, so make sure you are in the right place before running the commands.
We use the same command set again to generate the certificate that will encrypt the STS tokens, this time with the -len parameter to get a 2048-bit key (MakeCert defaults to 1024 bits, which is too short for anything but a throwaway test; it is worth adding -len 2048 to the HTTPS certificate above as well):
makecert -r -pe -len 2048 -n "CN=CryptingCert" -sky 1 "CryptingCert.cer" -sv "CryptingCert.pvk" -ss My
Then run pvk2pfx on CryptingCert.pvk and CryptingCert.cer exactly as for the HTTPS certificate to get CryptingCert.pfx.
Now we have our PFX files ready to be used; let’s use them in our Azure project.
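As an added example (my own code, not part of the original article), here is a small C# console check to run against the .pfx files produced above before importing them: it loads each file with its password, confirms the private key made it into the PFX, checks the RSA key length and the subject name, and prints the thumbprint that the Azure role properties will ask for. The file names, the password "test" and the host name are taken from the commands above; the 2048-bit threshold is a choice of this example. Run against httpsCer.pfx as generated above, it reports the 1024-bit default key, which is the point of the -len remark.

```csharp
// Added example, not code from the original article.
// Sanity-checks a PFX produced by makecert + pvk2pfx before it is imported anywhere.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxCheck
{
    // Returns the list of problems found; an empty list means the file is usable.
    public static List<string> Inspect(string pfxPath, string password, string expectedCn, int minKeyBits)
    {
        var problems = new List<string>();
        // Load the PFX in memory only; nothing is written to a certificate store.
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.DefaultKeySet);

        if (!cert.HasPrivateKey)
            problems.Add("no private key: pvk2pfx was not run, or the .pvk does not belong to this .cer");

        var rsa = cert.PublicKey.Key as RSACryptoServiceProvider;   // null for a non-RSA key
        if (rsa == null)
            problems.Add("not an RSA key");
        else if (rsa.KeySize < minKeyBits)
            problems.Add("RSA key is only " + rsa.KeySize + " bits; regenerate with -len " + minKeyBits);

        // For the HTTPS certificate the CN must equal the host name browsers connect to.
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.Equals(cn, expectedCn, StringComparison.OrdinalIgnoreCase))
            problems.Add("subject CN is '" + cn + "', expected '" + expectedCn + "'");

        if (cert.NotAfter < DateTime.Now || cert.NotBefore > DateTime.Now)
            problems.Add("certificate is not valid today (" + cert.NotBefore + " - " + cert.NotAfter + ")");

        return problems;
    }

    static void Report(string pfxPath, string password, string expectedCn, int minKeyBits)
    {
        Console.WriteLine("== " + pfxPath);
        foreach (string p in Inspect(pfxPath, password, expectedCn, minKeyBits))
            Console.WriteLine("  PROBLEM: " + p);
        // This is the value the Azure role properties editor matches the certificate on.
        Console.WriteLine("  Thumbprint: " + new X509Certificate2(pfxPath, password).Thumbprint);
    }

    static void Main()
    {
        // "test" is the placeholder password used with pvk2pfx -pi above; use a real one.
        Report("httpsCer.pfx", "test", "mystsapp.cloudapp.net", 2048);
        Report("CryptingCert.pfx", "test", "CryptingCert", 2048);
    }
}
```

The thumbprint printed here comes straight from the certificate object, so it has none of the invisible characters you can pick up when copying it from the MMC dialog.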
2. Use your certificates in your Azure STS
To attach your certificates to your Azure solution, we have to place them in the “Personal” certificate store of the Local Computer (only certificates in Local Computer\Personal are accessible from the Azure SDK in Visual Studio; note that the -ss My switch of MakeCert put them in the current user’s store, not the machine’s).
Now let’s open an MMC console, add the “Certificates” snap-in pointing to the Computer account, and import the .pfx files there:
During the import, don’t forget to check the “Mark this key as exportable” checkbox, otherwise you will not be able to export your certificates out of the store with their private key!
Once done, let’s add them now in your Windows Azure project.
Create one entry per certificate in the Azure Role properties editor, then pick the matching certificate from the Local Computer\Personal store with the button next to the “Thumbprint” field:
As you can see above, SigninCert will be used for HTTPS and token signing, and EncryptionCert to encrypt the transmitted tokens. (Sharing one key between TLS and token signing is acceptable for a test STS; in production you would rather give each purpose its own certificate, so that rotating or revoking one does not affect the other.)
Note: Windows Azure only uses the “Thumbprint” value to pick, among the certificates uploaded to the Hosted Service, the ones to install in the instance when it boots. The thumbprint in your ServiceConfiguration must therefore match an uploaded certificate exactly; a certificate that is referenced but was never uploaded keeps the deployment from starting.
Let’s at last add the SigninCert certificate to be used for the HTTPS endpoint:
The code from the previous article needs to change accordingly:
- the SigninCert certificate (file httpsCer.cer, imported with its private key) is used in the MembershipSTSConfiguration.cs class for token signing, and in the HTTPS endpoint definition,
- the EncryptionCert certificate (file CryptingCert.cer) is used in the GetScope method of the MembershipSTS.cs class to encrypt tokens. Signing needs the private key, encrypting only needs the public one: whoever decrypts the token (ACS, in the next articles) is the party that must hold the private key of CryptingCert.
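An added example of what those two changes look like (my own code, not the MembershipSTS sources of the previous article): a small helper finds each certificate in the Local Computer\Personal store by thumbprint, the store Azure populates from the role’s certificate mapping, and the STS configuration and GetScope hand them to WIF (Microsoft.IdentityModel, WIF 3.5). The thumbprint constants, the issuer URI and the shape of the STS classes are assumptions; replace them with the values from your role properties and your own implementation. The helper also strips the spaces and the invisible left-to-right mark that a thumbprint copied from the MMC certificate dialog carries, a classic cause of “certificate not found” at runtime.

```csharp
// Added example, not the article's own MembershipSTS code (WIF 3.5 / Microsoft.IdentityModel).
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.SecurityTokenService;

static class CertificateLocator
{
    // Looks a certificate up in Local Computer\Personal, the store Azure fills from the role's certificate mapping.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool requirePrivateKey)
    {
        // A thumbprint pasted from the MMC dialog contains spaces and often a leading
        // invisible U+200E character; keep only the hex digits before searching.
        string clean = new string(Array.FindAll(thumbprint.ToCharArray(), Uri.IsHexDigit)).ToUpperInvariant();

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, otherwise a self-signed test certificate is filtered out.
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate " + clean + " in LocalMachine\\My: check the role mapping and the Hosted Service upload.");

            X509Certificate2 cert = found[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate " + clean + " has no private key: import the .pfx, not the .cer.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}

public class MembershipSTSConfiguration : SecurityTokenServiceConfiguration
{
    // Placeholder: paste the thumbprint shown in the role properties editor.
    const string SigningThumbprint = "0000000000000000000000000000000000000000";

    public MembershipSTSConfiguration()
        : base("http://mystsapp.cloudapp.net/")   // assumed issuer name
    {
        // Signing proves the token comes from this STS, so the private key is mandatory.
        SigningCredentials = new X509SigningCredentials(CertificateLocator.FindByThumbprint(SigningThumbprint, true));
        SecurityTokenService = typeof(MembershipSTS);
    }
}

public class MembershipSTS : SecurityTokenService
{
    // Placeholder: thumbprint of CryptingCert as shown in the role properties editor.
    const string EncryptionThumbprint = "0000000000000000000000000000000000000000";

    public MembershipSTS(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);

        // Encrypting needs only the public key; the recipient (ACS in this series) holds the private one.
        X509Certificate2 encryptionCert = CertificateLocator.FindByThumbprint(EncryptionThumbprint, false);
        scope.EncryptingCredentials = new X509EncryptingCredentials(encryptionCert);
        scope.TokenEncryptionRequired = true;   // fail rather than silently issue a clear-text token
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Minimal identity for the example; the previous article's claim logic goes here.
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
}
```

Throwing when a certificate is missing or lacks its private key makes a misconfigured deployment fail loudly at the first token request instead of issuing unsigned or unencrypted tokens; with the thumbprint-only matching Azure does, that is the failure you want to see early.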
3. Add your certificates in Windows Azure
Once the certificate mapping in your STS app is done, we need to upload the certificates to the Hosted Service corresponding to your deployment (which means you need to create it prior to deployment).
Select the “Certificates” folder under your Hosted Service and click the “Add Certificate” button in the ribbon:
Add your certificates (the .pfx files, with their passwords) there, so that your instances are fed with them at boot time:
Now your certificates are in Azure, ready to be used by your STS Web role once it is deployed.
Next, we will have a look at the FederationMetadata.xml file and how it needs to be shaped so that ACS can consume your STS properly and use it just like any other Identity Provider.