If you want to secure your Azure ASP.NET app using Azure Active Directory, Visual Studio 2013 does a great job if you create a new one. Here you can find a good article about how to do it.

However, is not so easy and we don’t have too much help if we want to add Azure AD to an existing asp.net app. This post tries to help with that, basically, create a new project configured with Azure AD, and then follow the following steps using the new one as reference:

First you’ll need to add these packages to your project:


Copy the Utils folder that contains the class DatabaseIssuerNameRegistry and the Models classes (see image below):

image

Note: You’ll need an SQL Database for the Authentication stuff. It seems that in recent versions, the identity providers are storing some info about tokens there. In this article from great Vittorio Bertocci there are more information: http://www.cloudidentity.com/blog/2013/10/24/vs2013-rtm-organizational-accounts-and-publishing-to-windows-azure-web-sites/

Copy IdentityConfig.cs to App_Start

clip_image001

Copy AccountController

clip_image002

In the global.asax file:

Copy the method: WSFederationAuthenticationModule_RedirectingToIdentityProvider

In the Application_Start() add:

clip_image003

Copy the Account Views

clip_image004

Copy the Home/UserProfile view

clip_image005

Update the Home controller with the UserProfile action. You will see that you need to add some constants that are defined in the HomeController class


Copy LoginPartial view

clip_image001[4]

Add this code to _Layout.cshtml file

clip_image002[4]

OK. Now you need to configure some bits in the Azure portal. Basically, what you need to do is adding permissions for your app in the Azure AD.

In Azure Management Portal, go to the Active Directory and Applications, and Add a new Application:

clip_image001[6]

image

image

The sign on URL is where your app will go when you navigate to your app without being logged in. Usually will be you same home page (has to be SSL)

The App ID URI has to be your Azure Active Directory URL, followed for some app name or ID. You can see your Azure AD URL managing your Azure AD in the Domains section. If you are in the Azure tenant for Office 365, the AD URL will be the same Office 365 main URL: https://tenant_name.sharepoint.com

Then, in the Configure page, you have to add a Key:

clip_image001[8]

Save the config and you’ll see the Key value:

image

You also need to copy the Client ID

image

If you want to allow Read/Write Azure AD data, you need to configure permissions. If you have copy the HomeController as I told you before, the UserProfile action is trying to read the Active Directory, so, you need to give it permissions or you will get an error.

clip_image001[10]

We’re done with the Azure management portal, now, grab the Client ID and Key value, and come back to the asp.net project, let’s update the web.config file with all the Identity providers and config.

In ConfigSections:


Add the ConnectionString. Here you can set a local DB value, and later, when you publish to Azure, Visual Studio will detect that you’re using a connection string, and will show you the assistant to connect to the SQL DB in Azure.


Note: If you try to connect to Azure SQL DB from Visual Studio, you probably will need to configure the Allowed IP Addresses. You have more info in this article: http://azure.microsoft.com/en-us/documentation/articles/web-sites-dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/

Add these AppSettings, review all the values that comes from the config you’ve done in Azure portal:


Add:


Adding in System.Web

clip_image001[12]

Add (again, review all the values)


And that’s all !! remember to take care of all the URLs and IDs, but if you publish to Azure, you should get the Azure AD login page.

Extra ball !!

OK. You’ve done that, however, when you go to your home page, you find a redirect to the “old style” Forms authentication Login.aspx page… WTH !!

No panic, you’re not gonna believe the reason, but ensure you don’t have the WebMatrix.Data.dll in your BIN folder… yes! it’s true

image

I found the solution in this post:

http://blogs.catapultsystems.com/rhutton/archive/2012/07/20/mvc3-with-windows-authentication-redirected-to-accountlogin.aspx

Take care because you can remove the DLL from your project, but if it’s already in your Azure website, I suggest that you browse the BIN folder in the Azure site using Visual Studio Server explorer to ensure the DLL is not there (remove it manually if needed).

Hope it helps!!

Luis Manez

@luismanez