Windows Azure Acceleration Lab – Platform

In a bit of a rush I was informed that I could get the chance to work in the Windows Azure Acceleration Lab. It was organized last week in Berlin on Katharina-Heinroth-Ufer. My task was to work out a scenario for one of our projects, and I would like to describe some parts of it here. First of all I have to tell you that an event like that is great! The Microsoft office looks brilliant, and in the Lab you get one-to-one support from an expert and a really focused way of solving a problem. Some of the great experts assisting me were Anton Staykov, Robert Eichenseer and Nikolas Tziolis.

To keep it short, one of the scenarios was to create a SharePoint Online user and actively authenticate with it.

  1. First of all I set up SharePoint Online as described here: http://msdn.microsoft.com/en-us/library/office/apps/fp179924%28v=office.15%29
  2. Installed the Windows Azure Active Directory Module for Windows PowerShell from here: http://technet.microsoft.com/library/jj151815.aspx
  3. Created a sample app the way it is described here: http://code.msdn.microsoft.com/windowsazure/Write-Sample-App-for-79e55502
    That page tells you to run the PowerShell script they provide. This is really important to get a privileged service principal; the Azure Component Administrator should be passed to the script. I've found some useful PowerShell cmdlets, which you won't need if you run their script:

    # Sign in to Windows Azure AD with an administrator account (prompts for credentials)
    Connect-MsolService

    # Register the app as a service principal with a symmetric key used for verification and a validity window
    New-MsolServicePrincipal -ServicePrincipalNames @("cpazureacctest") -AppPrincipalId "7829c758-2bef-43df-a685-717089474500" -DisplayName "Cp Azure Acc Test" -Type Symmetric -Usage Verify -StartDate "02/02/2012" -EndDate "11/11/2013"

    # List the service principals in the tenant and note the ObjectId of the new one
    Get-MsolServicePrincipal

    # Grant the service principal (by ObjectId, not AppPrincipalId) the role it needs to create users
    Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName "User Account Administrator" -RoleMemberObjectId ec9161d0-2be9-4e1d-887e-c585fe30826f


  4. You can get the federation metadata for your AAD by replacing yoursite.onmicrosoft.com with your own tenant in the following link: https://accounts.accesscontrol.windows.net/yoursite.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
  5. Then I based my work on the article by Wictor Wilen. You can download his sources, however they only work under .NET 4.0, so some hacks are needed to make them work with the new System.IdentityModel namespaces under .NET 4.5, which I describe in the next code segment. In the Wictor.Office365.MsOnlineClaimsHelper class the getResponse method uses constants which are no longer available in the IdentityModel namespace, so we collected them by checking its metadata, and the resulting code looks as follows:
    // .NET 4.5 namespaces this method needs (RequestBodyWriter is Wictor's own helper class):
    // System.IdentityModel.Protocols.WSTrust, System.ServiceModel, System.ServiceModel.Channels,
    // System.ServiceModel.Security, System.Xml
    private string getResponse(string stsUrl, string realm)
    {
        // WS-Trust Feb 2005 Issue request for a SAML 1.0 bearer token (NoProofKey) scoped to the realm;
        // the literal URIs replace the constants that the .NET 4.5 IdentityModel namespace no longer exposes
        RequestSecurityToken rst = new RequestSecurityToken
        {
            RequestType = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue",
            AppliesTo = new EndpointReference(realm),
            KeyType = "http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey",
            TokenType = "urn:oasis:names:tc:SAML:1.0:assertion"
        };

        WSTrustFeb2005RequestSerializer trustSerializer = new WSTrustFeb2005RequestSerializer();

        // Username/password travel inside the SOAP message, protected by HTTPS on the transport
        WSHttpBinding binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

        EndpointAddress address = new EndpointAddress(stsUrl);

        using (WSTrustFeb2005ContractClient trustClient = new WSTrustFeb2005ContractClient(binding, address))
        {
            trustClient.ClientCredentials.UserName.UserName = _username;
            trustClient.ClientCredentials.UserName.Password = _password;
            // Send the RST and wait for the RequestSecurityTokenResponse
            Message response = trustClient.EndIssue(
                trustClient.BeginIssue(
                    Message.CreateMessage(
                        MessageVersion.Default,
                        "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue",
                        new RequestBodyWriter(trustSerializer, rst)
                    ),
                    null,
                    null));
            trustClient.Close();
            // Return the raw RSTR XML from the SOAP body; the caller extracts the token from it
            using (XmlDictionaryReader reader = response.GetReaderAtBodyContents())
            {
                return reader.ReadOuterXml();
            }
        }
    }

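The getResponse method hands back the raw RSTR XML. As an added example that is not part of the post or of Wictor Wilen's helper, here is a Python check a caller can run on that XML before the token is used anywhere: it assumes the reply carries wsp:AppliesTo and wst:Lifetime elements, and the sample reply and tenant name it uses are constructed placeholders.

```python
# Added example (not from the original post or Wictor Wilen's helper): checks applied to
# the WS-Trust Feb 2005 RequestSecurityTokenResponse that getResponse() returns, before
# the token is used. The sample reply below is constructed for the demo.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

def _ts(text):
    """Parse a wsu: UTC timestamp, with or without fractional seconds."""
    text = text.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def issued_token(xml_text, expected_realm, now_iso=None):
    """Return the BinarySecurityToken from the STS reply, or None if the reply is not
    for the realm we asked for, its Lifetime does not cover 'now', or no token exists."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    rstr = next(ET.fromstring(xml_text).iter("{%s}RequestSecurityTokenResponse" % NS["wst"]), None)
    if rstr is None:
        return None
    # AppliesTo echoed by the STS: a token scoped to another realm must not be reused here
    address = rstr.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    if address is None or address.text.strip().rstrip("/") != expected_realm.rstrip("/"):
        return None
    created = rstr.find("wst:Lifetime/wsu:Created", NS)
    expires = rstr.find("wst:Lifetime/wsu:Expires", NS)
    if created is None or expires is None or not _ts(created.text) <= now < _ts(expires.text):
        return None
    token = rstr.find("wst:RequestedSecurityToken/wsse:BinarySecurityToken", NS)
    return token.text.strip() if token is not None and (token.text or "").strip() else None

# Constructed sample reply; the realm is a placeholder tenant, not a real site.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:wsu="{wsu}"
    xmlns:wsse="{wsse}" xmlns:wsp="{wsp}" xmlns:wsa="{wsa}">
  <wst:Lifetime><wsu:Created>2013-05-10T12:00:00Z</wsu:Created>
    <wsu:Expires>2013-05-10T13:00:00.123Z</wsu:Expires></wst:Lifetime>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://yoursite.sharepoint.com/</wsa:Address>
    </wsa:EndpointReference></wsp:AppliesTo>
  <wst:RequestedSecurityToken><wsse:BinarySecurityToken Id="Compact0">t=constructed-token-value
    </wsse:BinarySecurityToken></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""".format(**NS)
```

Feed it the string getResponse returns together with the realm you put into AppliesTo; a None result means the reply must be discarded rather than turned into a SharePoint session.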

If I manage it, I would like to be able to redirect to a SharePoint site so that the user doesn't need to log in, but some further work is needed there. If you can help me with it, please write a comment here!

Another interesting link: Vittorio Bertocci blogs a hell of a lot about Azure Active Directory, and this post is my very favourite: http://www.cloudidentity.com/blog/2012/07/12/single-sign-on-with-windows-azure-active-directory-a-deep-dive-2/


About Tamas Nemeth

Husband and proud father of two daughters in Nürnberg. I'm working as a Senior Software Developer and an enthusiastic Clean-Coder. I spend most of my free time with my family (playing, hiking, etc...). I also play table-tennis and badminton sometimes...
This entry was posted in Technical Interest.

4 Responses to Windows Azure Acceleration Lab – Platform

  1. Anonymous says:

    Hey very nice blog!

  2. Wordy App says:

    Hey, you used to write wonderful, but the last few posts have been kinda boring… I miss your tremendous writings. Past few posts are just a little out of track! come on!

    • Tamas Nemeth says:

      Sorry Wordy App!

      I'm using this blog also as a reference for myself, not to forget stuff that I did :). In my professional life I don't only face cool things – that's it :) I would love to, but sadly not…

  3. I want to thank you for this good read!! I absolutely loved every little bit of it. I have got you bookmarked to look at new things you post…
