I am using the Windows Azure ACS for building Single sign on application. I am using javascript/HTML to collect information from the user. The problem I am facing is that I need to host my application on different hosts, for example:

  • localhost
  • localhost:81
  • *.cloudapp.net
  • another internal host like http://helloacs/

I tried creating multiple Relying Applications, one for each of those hosts, but it worked only for localhost/localhost:81. My *.cloudapp.net relying party application is configured this way:

Name: *.cloudapp.net
Realm: *.cloudapp.net
Return URL: http://*.cloudapp.net/

My login page is building replyto url like this:

http://*.cloudapp.net/Login.aspx

This is my generated call to IdentityProviders.js:

https://*.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=*.cloudapp.net&reply_to=http://*.cloudapp.net/Login.aspx&version=1.0&callback=ShowSigninPage

After I navigate to the identity provider and login I get:

ACS30000: There was an error processing an OpenID sign-in response. 

How can I get my application to work on multiple hosts if this is not the solution?

3 Answers

3
votes

It is correct that you have to create multiple Relying Applications, one for each of those hosts. However, when you use the default passive federation with no custom code, the realm is hard-coded in your web.config file like this:

  <microsoft.identityModel>
    <service>
      .....
      <audienceUris>
        <add value="http://localhost:4500/"/>
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://staykov.accesscontrol.windows.net/v2/wsfederation"
                      realm="http://localhost:4500/"
                      requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>

If you want the same application to run at the same time under multiple host names, you have to add a little code. If you just need to test the same application under different domains, change the realm in the web.config to the respective Relying Party application address. You have to change the address in the "audienceUris" section and the "realm" attribute in the "wsFederation" element. If the realm attribute is different from the domain your application runs under, authentication will fail.

Check out this and that question; both point to the same documentation and samples on how to change the realm, in case you want to serve your application under multiple domains. I will look around for more samples.

And look over here for how to change the realm/return address.

1
votes

I was facing a similar issue. I had two RPs, one using Windows Live ID and ADFS and the second using just ADFS. Both RPs point to the same cloud service, so when I went to https://orgB.myDomain.com, I was redirected to ACS, but it was using the realm that I specified in the web.config, something like:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2forgA.myDomain.com%2....

If I changed this manually like this:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2forgB.myDomain.com%2

it works like it should.

Finally I found the solution in a blog entry by Sandrino: http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service, see the 'Updating your realm' section. In case the blog becomes inaccessible, I copy the code here; it has to be inside this method:

using System.Text;
using System.Web;
using Microsoft.IdentityModel.Web;

private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Get the request url.
    var request = HttpContext.Current.Request;
    var requestUrl = request.Url;

    // Build the realm url from the host the browser actually used,
    // so the same deployment can be served under several host names.
    var realmUrl = new StringBuilder();
    realmUrl.Append(requestUrl.Scheme);
    realmUrl.Append("://");
    realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
    realmUrl.Append(request.ApplicationPath);
    if (!request.ApplicationPath.EndsWith("/"))
        realmUrl.Append("/");

    // Override the realm from web.config for this sign-in request only.
    e.SignInRequestMessage.Realm = realmUrl.ToString();
}
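The realm built from the Host header is only useful if it matches a relying party registered in ACS and one of the audienceUris WIF accepts, and the Host header is supplied by the client. As an added example (not code from the answer or from the blog post), the helper below accepts only hosts from an explicit allow-list and otherwise returns null so the caller keeps the web.config realm; the class name, method name and the host names in the list are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example: pick the realm from the request host, but only for hosts that
// are registered relying parties. Mirrors the <audienceUris> entries in web.config.
public static class RealmSelector
{
    // Hypothetical allow-list; in a real deployment read these from the
    // <audienceUris> section so the realm and the token audience stay in sync.
    private static readonly HashSet<Uri> AllowedRealms = new HashSet<Uri>(new[]
    {
        new Uri("http://localhost/"),
        new Uri("http://localhost:81/"),
        new Uri("http://myapp.cloudapp.net/"),   // constructed sample host
        new Uri("http://helloacs/"),
    });

    // Returns the realm to send to ACS, or null when the Host header does not
    // name a registered relying party (caller then keeps the web.config realm).
    public static string SelectRealm(string scheme, string hostHeader, string applicationPath)
    {
        // Reject empty or path-like Host values before they become part of a URL.
        if (string.IsNullOrEmpty(hostHeader) || hostHeader.Contains("/") || hostHeader.Contains("\\"))
            return null;

        var path = string.IsNullOrEmpty(applicationPath) ? "/" : applicationPath;
        if (!path.EndsWith("/"))
            path += "/";

        Uri candidate;
        if (!Uri.TryCreate(scheme + "://" + hostHeader + path, UriKind.Absolute, out candidate))
            return null;

        // Compare scheme, host and port only; the path comes from the application itself.
        var origin = new Uri(candidate.GetLeftPart(UriPartial.Authority) + "/");
        return AllowedRealms.Contains(origin) ? candidate.ToString() : null;
    }
}

// Usage inside WSFederationAuthenticationModule_RedirectingToIdentityProvider:
//   var realm = RealmSelector.SelectRealm(request.Url.Scheme,
//                                         request.Headers["Host"],
//                                         request.ApplicationPath);
//   if (realm != null)
//       e.SignInRequestMessage.Realm = realm;   // else the web.config realm is used
```

With the allow-list above, a request with Host "localhost:81" and application path "/" yields "http://localhost:81/", while an unknown host yields null.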

1
votes

Since the blog post is offline (and for some time), I'll post another answer here.

To configure multiple reply_to addresses for an ACS relying party, you need to use the API. (It is not possible to do this from the web interface.)

There is some example code you can use here: http://msdn.microsoft.com/en-us/library/windowsazure/hh135147.aspx#BKMK_5

You can also use FluentACS, which will make it a lot easier.