In my last post, I showed how to use Azure Active Directory sync to extend your local Active Directory into Azure. In this post, I’m going to show you how to use Azure Active Directory and Windows Identity Foundation to authenticate in MVC by leveraging the Brosteins.com Azure Active Directory. I’ll then configure my MVC site to use Organizational Accounts.
With ASP.NET Identity and the easy-to-use templates in Visual Studio 2013, using Azure Active Directory (or other identity sources such as Facebook, Twitter, Google, or Microsoft).
Create a New Project
To start off, go to File…New Project in Visual Studio 2013 and select New ASP.NET Web Application. I named my new web app BrosteinsAuthenticate.
Change the Authentication
After pressing “OK”, you can choose from a variety of web application templates (Empty, Web Forms, MVC, Web API, SPA, Azure Mobile Service). I’m going to be creating a new MVC site, so I selected MVC.
Next, I want to change the site to authenticate against the Brosteins.com Azure Active Directory. Press the “Change Authentication” button to configure the authentication for Azure Active Directory.
On the Change Authentication screen, you have a variety of choices (No Authentication, Individual User Accounts, Organizational Accounts, or Windows Authentication). When you select one of the options and provide the necessary information requested, your web application will be automatically configured using ASP.NET Identity, Windows Identity Foundation (WIF), or Windows Authentication (typically used for intranet sites).
Choosing the Right Authentication
With ASP.NET Identity, you have several choices for authentication that can be automatically configured for your application. I’ve summarized the different choices below. If you would like a more in-depth explanation, visit Microsoft’s overview of Authentication Methods for projects within Visual Studio 2013.
No Authentication
If your site does not require user authentication, then this is your choice. A plain web application will be created without support for logging in/out.
Individual User Accounts
If you’ve previously used the ASP.NET Membership system, this option may seem familiar. When selected your project will be configured with ASP.NET Identity. ASP.NET Identity configures your project with data access functionality, databases, and corresponding screens to support user registration, logging in/out, or using an existing identity provider, such as Facebook, Twitter, Google, or Microsoft.
ASP.NET Identity was designed to replace the legacy ASP.NET Membership system, originally built in 2005 for ASP.NET 2.0. With new changes to ASP.NET, more modern data store technologies (such as NoSQL), and OWIN, limitations with the older ASP.NET membership system made it difficult to transition to these newer technologies.
Choose this option if your application is going to be public-facing and would like to maintain its own collection of usernames and passwords, or if you would like to rely on a third-party identity provider that is not Windows Server Active Directory or Azure Active Directory.
To read more about the differences between the legacy ASP.NET Membership system and ASP.NET Identity, check out Microsoft’s Introduction to ASP.NET Identity.
Organizational Accounts
Selecting this option allows you to connect your application to an existing Azure Active Directory or on-premises/local/Windows Server Active Directory. This option is based upon Windows Identity Foundation (WIF), which implements claims-based identity within your application.
Choose this option if your site is going to be public-facing, but needs to be integrated with an existing on-premises or Azure Active Directory.
For more information on WIF, check out Microsoft’s Windows Identity Foundation 4.5 Overview.
Windows Authentication
Selecting this option will configure your application to rely upon IIS-integrated Windows Authentication for authentication. This option requires Windows Server IIS as an application hosting platform and requires a Windows Server Active Directory domain.
Choose this option if your site will be hosted internally and you run Windows Server Active Directory.
For more information on this option, check out Microsoft’s advice on Windows Authentication in web applications.
Configuring my Application with Azure Active Directory and Windows Identity Foundation (WIF)
I selected the “Organizational Accounts” option because I wanted to leverage my existing Brosteins.com Azure Active Directory I set up in my previous post.
I selected Cloud – Single Organization, indicated my domain was brosteins.com, and selected “Single Sign On” as my access level.
After pressing “OK”, I was prompted to log in to my Azure Active Directory account. Sign in with your Azure Active Directory credentials and Visual Studio will do the rest.
Finish Creating the Project
After signing into Azure Active Directory, you’re brought back to the new project configuration page. Press “OK” to continue.
After pressing “OK”, Visual Studio takes all of the information you provided and auto-configures your web application. This process can take a few minutes, so if you have a slower computer, go have a cappuccino (for an excellent bean, try Red Bird Coffee’s Northern Italian Espresso).
Launch the Website and Sign In
After your project has been created, all you need to do is run it. Press F5 to run, or hit the “Run with…” button.
When your application loads, it will determine if you have already been logged in. If you haven’t previously logged in, you’ll be redirected to an Azure Active Directory sign-in page. Enter your Azure Active Directory credentials to continue.
Once you’ve provided your credentials, you’ll be redirected back to your application’s home page, where it displays that you have been authenticated. Note my login name (firstname.lastname@example.org) is displayed at the top.
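To see what WIF actually handed the application after that redirect, here is an added example controller (not part of the original post or of Microsoft’s template) that lists the claims in the signed-in principal and, as a defense-in-depth check, confirms the token came from the expected tenant. It assumes the project name BrosteinsAuthenticate from above and uses a placeholder tenant GUID you would replace with your own directory’s ID.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

namespace BrosteinsAuthenticate.Controllers
{
    // Added example: surfaces the claims WIF populated after the Azure AD sign-in
    // and refuses tokens issued for any tenant other than our own.
    [Authorize]
    public class WhoAmIController : Controller
    {
        // Claim types Azure AD includes in the token it issues to the application.
        private const string TenantIdClaim =
            "http://schemas.microsoft.com/identity/claims/tenantid";
        private const string ObjectIdClaim =
            "http://schemas.microsoft.com/identity/claims/objectidentifier";

        // Placeholder (assumption): the tenant ID of the brosteins.com directory.
        private const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";

        public ActionResult Index()
        {
            var identity = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
            {
                // WIF normally redirects to Azure AD before this point; fail closed anyway.
                return new HttpUnauthorizedResult();
            }

            // A token from another Azure AD tenant still carries a valid Azure AD
            // signature, so check the issuing tenant, not only the signature.
            Claim tenant = identity.FindFirst(TenantIdClaim);
            if (tenant == null ||
                !string.Equals(tenant.Value, ExpectedTenantId, StringComparison.OrdinalIgnoreCase))
            {
                return new HttpStatusCodeResult(403, "Token issued by an unexpected tenant.");
            }

            Claim objectId = identity.FindFirst(ObjectIdClaim);
            string report =
                "Signed in as: " + identity.Name + Environment.NewLine +   // the login name shown on the home page
                "Object ID:    " + (objectId == null ? "(none)" : objectId.Value) + Environment.NewLine +
                "Claims:" + Environment.NewLine +
                string.Join(Environment.NewLine,
                    identity.Claims.Select(c => "  " + c.Type + " = " + c.Value));

            return Content(report, "text/plain");
        }
    }
}
```

Browse to /WhoAmI after signing in to see the full claim set for your account.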
Thanks for reading my last 2 posts on Azure Active Directory, Azure Active Directory Sync, and authenticating a new web application project with Windows Identity Foundation (WIF) and an existing Azure Active Directory. I hope you’ve learned something new, or at the least sparked an interest in reading some more.
If you have any questions, feel free to post a comment or email me. I’d love to hear from you.