On short notice I was told that I would get the chance to work in the Windows Azure Acceleration Lab, which was held last week in Berlin at Katharina-Heinroth-Ufer. My task was to work out a scenario for one of our projects, and I would like to describe some parts of it here. First of all I have to say that an event like this is great! Microsoft's office looks brilliant, and in the Lab you get one-to-one support from an expert and a really focused way of solving a problem. Some of the great experts assisting me were Anton Staykov, Robert Eichenseer and Nikolas Tziolis.
To keep it short, one of the scenarios was to create a SharePoint Online user and actively authenticate with it.
- First of all I created a SharePoint Online site as described here: http://msdn.microsoft.com/en-us/library/office/apps/fp179924%28v=office.15%29
- Installed the Windows Azure Active Directory Module for Windows PowerShell from here: http://technet.microsoft.com/library/jj151815.aspx
- Created a sample app the way it is described here: http://code.msdn.microsoft.com/windowsazure/Write-Sample-App-for-79e55502
It is mentioned there that you have to run the PowerShell script they provide. That step is really important, because it creates a privileged Service Principal; the Azure Component Administrator account should be passed to the script. I've also collected the PowerShell cmdlets below, which you won't need if you run the script provided there, since it performs these steps for you:

```powershell
Connect-MsolService
New-MsolServicePrincipal -ServicePrincipalNames @("cpazureacctest") -AppPrincipalId "7829c758-2bef-43df-a685-717089474500" -DisplayName "Cp Azure Acc Test" -Type Symmetric -Usage Verify -StartDate "02/02/2012" -EndDate "11/11/2013"
Get-MsolServicePrincipal
Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName "User Account Administrator" -RoleMemberObjectId ec9161d0-2be9-4e1d-887e-c585fe30826f
```

- You can get the federation metadata for your AAD by replacing yoursite.onmicrosoft.com in the following link: https://accounts.accesscontrol.windows.net/yoursite.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
- Then I based my work on the article by Wictor Wilen. You can download his sources, but they only work with .NET 4.0, so some hacks are needed to make them work with the new System.IdentityModel namespaces in .NET 4.5; I describe them in the next code segment. In the Wictor.Office365.MsOnlineClaimsHelper class the getResponse method uses constants that are no longer available in the IdentityModel namespace, so we looked their values up in the assembly metadata and spelled them out as string literals. The resulting code looks as follows:
```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

// Member of Wictor.Office365.MsOnlineClaimsHelper: _username and _password are the
// class fields holding the Office 365 credentials; RequestBodyWriter and
// WSTrustFeb2005ContractClient come with the helper's sources.
private string getResponse(string stsUrl, string realm)
{
    // The former WSTrustFeb2005Constants values are written as literals because the
    // constants are no longer available in System.IdentityModel under .NET 4.5.
    RequestSecurityToken rst = new RequestSecurityToken
    {
        RequestType = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue",     // RequestTypes.Issue
        AppliesTo = new EndpointReference(realm),
        KeyType = "http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey",  // bearer token, no proof key
        TokenType = "urn:oasis:names:tc:SAML:1.0:assertion"                     // SAML 1.0 assertion
    };
    WSTrustFeb2005RequestSerializer trustSerializer = new WSTrustFeb2005RequestSerializer();

    // Username/password are sent inside the message, protected by HTTPS on the transport.
    WSHttpBinding binding = new WSHttpBinding();
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Message.NegotiateServiceCredential = false;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

    EndpointAddress address = new EndpointAddress(stsUrl);
    using (WSTrustFeb2005ContractClient trustClient = new WSTrustFeb2005ContractClient(binding, address))
    {
        trustClient.ClientCredentials.UserName.UserName = _username;
        trustClient.ClientCredentials.UserName.Password = _password;

        Message response = trustClient.EndIssue(
            trustClient.BeginIssue(
                Message.CreateMessage(
                    MessageVersion.Default,
                    "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue",   // Actions.Issue
                    new RequestBodyWriter(trustSerializer, rst)),
                null, null));
        trustClient.Close();

        // Return the RSTR (the SOAP body contents) as raw XML for further parsing.
        using (XmlDictionaryReader reader = response.GetReaderAtBodyContents())
        {
            return reader.ReadOuterXml();
        }
    }
}
```
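As an added example (not code from this post or from Wictor Wilen's helper), here is how the RSTR string that getResponse returns can be checked before its token is used anywhere: it refuses a SOAP fault, requires both a BinarySecurityToken and a Lifetime, and rejects a token that has already expired. The namespaces are the WS-Trust Feb 2005 and WS-Security 1.0 ones; the sample RSTR and its token value are constructed.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Xml.Linq;

// Added example, not part of the post or of Wictor Wilen's helper.
static class RstrChecker
{
    static readonly XNamespace Soap = "http://www.w3.org/2003/05/soap-envelope";
    static readonly XNamespace Wst = "http://schemas.xmlsoap.org/ws/2005/02/trust";
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static readonly XNamespace Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public sealed class IssuedToken { public string Token; public DateTime ExpiresUtc; }

    // rstrXml is what getResponse() returns: the outer XML of the SOAP body contents.
    public static IssuedToken Parse(string rstrXml, DateTime nowUtc)
    {
        XElement root = XElement.Parse(rstrXml);
        if (root.Name == Soap + "Fault")   // the STS rejected the request (e.g. wrong credentials)
        {
            string reason = (string)root.Descendants(Soap + "Text").FirstOrDefault() ?? "no reason given";
            throw new InvalidOperationException("STS returned a fault: " + reason);
        }
        XElement token = root.Descendants(Wsse + "BinarySecurityToken").FirstOrDefault();
        XElement expires = root.Descendants(Wst + "Lifetime").Elements(Wsu + "Expires").FirstOrDefault();
        if (token == null || expires == null)
            throw new InvalidOperationException("RSTR has no BinarySecurityToken or Lifetime");
        DateTime expiresUtc = DateTime.Parse((string)expires, CultureInfo.InvariantCulture,
                                             DateTimeStyles.RoundtripKind).ToUniversalTime();
        if (expiresUtc <= nowUtc)          // never present a token the STS already considers dead
            throw new InvalidOperationException("token expired at " + expiresUtc.ToString("o"));
        return new IssuedToken { Token = token.Value, ExpiresUtc = expiresUtc };
    }

    static void Main()
    {
        // Constructed sample RSTR in the shape the MS Online STS returns; the token value is made up.
        const string sample =
            "<wst:RequestSecurityTokenResponse xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' " +
            "xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' " +
            "xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>" +
            "<wst:Lifetime><wsu:Created>2013-05-10T10:00:00Z</wsu:Created>" +
            "<wsu:Expires>2013-05-10T10:10:00Z</wsu:Expires></wst:Lifetime>" +
            "<wst:RequestedSecurityToken><wsse:BinarySecurityToken Id='Compact'>" +
            "t=CONSTRUCTED-TOKEN-VALUE&amp;p=</wsse:BinarySecurityToken></wst:RequestedSecurityToken>" +
            "</wst:RequestSecurityTokenResponse>";
        IssuedToken t = Parse(sample, new DateTime(2013, 5, 10, 10, 5, 0, DateTimeKind.Utc));
        Console.WriteLine("token valid until {0:o}: {1}", t.ExpiresUtc, t.Token);
    }
}
```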
If I manage it, I would like to be able to redirect to a SharePoint site so that the user doesn't need to log in, but some further work is needed there. If you can help me with it, please write a comment here!
Another interesting link: Vittorio Bertocci blogs a great deal about Azure Active Directory, and this post is my very favourite: http://www.cloudidentity.com/blog/2012/07/12/single-sign-on-with-windows-azure-active-directory-a-deep-dive-2/

Hey very nice blog!
Hey, you used to write wonderful, but the last few posts have been kinda boring… I miss your tremendous writings. Past few posts are just a little out of track! Come on!
Sorry Wordy App!
I'm using this blog also as a reference for myself, so as not to forget the stuff I did :). In my professional life I don't only face cool things – that's it :) I would love to, but sadly not…
I want to thank you for this good read!! I absolutely loved every little bit of it. I have got you bookmarked to look at new things you post…