How to: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates
Updated: June 19, 2015
Applies To: Azure
Applies To
Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)
ASP.NET
Summary
This topic describes how to configure trust between your application and ACS. Trust is established by signing the tokens that are exchanged between your ASP.NET web application and ACS.
Contents
Objectives
Overview
Summary of steps
Step 1 – Navigate to the Token Signing Certificates Section
Step 2 - Configure Trust Using X.509 Certificates
Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal
Objectives
Become familiar with the trust management section on the ACS Management Portal.
Manage trust using X.509 certificates.
Verify the required configuration in web.config and on the Management Portal.
Overview
Establishing trust is required to properly exchange tokens between your application and ACS. Trust ensures that the tokens are not tampered with in transit and that they are issued by a trusted party. For ASP.NET web applications, trust is managed using X.509 certificates and depends on both the settings in the ACS Management Portal and the web.config configuration of the application.
Summary of Steps
To establish and manage trust between an ASP.NET web application and ACS follow these steps:
Step 1 - Navigate to the Token Signing Certificates Section
Step 2 - Configure Trust Using X.509 Certificates
Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal
Step 1 – Navigate to the Token Signing Certificates Section
This step shows how to navigate to the trust management section of the ACS Management Portal.
To navigate to the section related to trust management on the Management Portal
Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)
To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
In the ACS portal, click Relying party applications.
Click a relying party application.
On the Edit Relying Party Application page, scroll down to the Token Signing Certificates section.
Select a certificate.
Step 2 - Configure Trust Using X.509 Certificates
This step shows how to configure and manage the trust between ACS and an ASP.NET web application using an X.509 certificate. Use an X.509 certificate signing credential if you are using the Windows® Identity Foundation (WIF) in your relying party application.
To configure and manage trust using an X.509 certificate
Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)
To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
Click Certificates and keys and then select an X.509 certificate.
On the Edit Token Signing Certificate or Key page, provide the following values:
Name: An arbitrary name of your choice.
Type: X.509 Certificate.
Certificate: To use the certificate that ACS creates by default, no action is required. You can also upload your own X.509 certificate; it should be password protected and usually has a .pfx extension.
Password: If you use the default certificate, no action is required. If you upload your own certificate, enter the .pfx file password in the Password text box.
Click Save.
Get an X.509 Certificate
There are several ways to get an X.509 certificate for token signing or encryption. The method you will use depends on your requirements and the tools available to your organization.
Local Certification Authority
If your organization has deployed a certification authority (CA), such as Active Directory Certificate Services (AD CS), you can request an X.509 certificate. You might need to contact your certification authority administrator for instructions or permissions. For more information about Active Directory Certificate Services, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=208371).
Commercial Certification Authority
You can purchase an X.509 certificate from a commercial certification authority, such as Verisign. Since this is a Labs release, it is recommended that you use your local certification authority (if available) or generate a self-signed certificate (see below).
Generate a Self-Signed Certificate
You can use software to generate your own self-signed certificate to use with ACS. Although this is typically recommended only for testing, it requires neither access to a local CA nor payment to a commercial CA. If you are running Windows, you can download MakeCert.exe as part of the Windows SDK (https://go.microsoft.com/fwlink/?linkid=84091) and use it to generate a certificate.
Export a Self-Signed Certificate
For instructions on how to export a self-signed certificate, see Certificates and Keys.
Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal
This step shows how to validate trust-related configuration attributes in your ASP.NET web application’s web.config.
To verify trust-related configurations in your ASP.NET web application web.config
Open the web.config file for your ASP.NET web application.
Navigate to the audienceUris node and verify that the value of its child add node is the same as the value that you entered in the Realm field on the Edit Relying Party Application page of the ACS Management Portal.
Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)
To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
Click Relying party applications.
On the Relying Party Applications page, click the desired application.
On the Edit Relying Party Application page, review the Realm attribute.
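The review in Step 3 can be scripted. The following Python example is added here and is not part of the original topic or of WIF; it parses a web.config, collects the audienceUris entries and the trusted issuer thumbprints from the issuerNameRegistry section (in either the WIF 3.5 microsoft.identityModel or the WIF 4.5 system.identityModel layout), and compares them with the Realm and the token signing certificate thumbprint copied from the ACS portal (Steps 2 and 3). The web.config text, realm, namespace and thumbprint below are constructed placeholders; the helper names and the script itself are this example's own.

```python
"""Check the trust-related settings in an ASP.NET web.config against the
values shown on the ACS portal: the relying party Realm (must appear under
audienceUris) and the token signing certificate thumbprint (must be listed
as a trusted issuer). Added example; the web.config is constructed."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config in the WIF 4.5 (system.identityModel) layout.
# The realm, ACS namespace and thumbprint are placeholders, not real values.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://myapp.example.com/" />
      </audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="0a1b 2c3d 4e5f 6071 8293 a4b5 c6d7 e8f9 0a1b 2c3d" name="https://mynamespace.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>
"""


def normalize_thumbprint(value: str) -> str:
    """Uppercase hex with spaces and invisible characters removed.
    Thumbprints pasted from the Windows certificate dialog often carry
    spaces or a leading left-to-right mark that defeat exact comparison."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprint_of_der(der: bytes) -> str:
    """Windows-style certificate thumbprint: SHA-1 over the DER encoding,
    which is what the certificate store and the ACS portal display."""
    return hashlib.sha1(der).hexdigest().upper()


def read_trust_settings(web_config_xml: str) -> dict:
    """Return the audience URIs and trusted issuer thumbprints found.
    iter() is used so both the WIF 3.5 (microsoft.identityModel/service)
    and WIF 4.5 (system.identityModel/identityConfiguration) layouts work."""
    root = ET.fromstring(web_config_xml)
    audiences, issuers = [], {}
    for aud in root.iter("audienceUris"):
        for add in aud.findall("add"):
            audiences.append(add.get("value", ""))
    for reg in root.iter("issuerNameRegistry"):
        for add in reg.findall("trustedIssuers/add"):
            issuers[normalize_thumbprint(add.get("thumbprint", ""))] = add.get("name", "")
    return {"audiences": audiences, "issuers": issuers}


def check_trust(web_config_xml: str, realm: str, signing_thumbprint: str) -> list:
    """Compare web.config with the portal values. Returns a list of
    problems; an empty list means the two sides agree."""
    settings = read_trust_settings(web_config_xml)
    if not settings["audiences"] and not settings["issuers"]:
        return ["no WIF identity configuration section found"]
    problems = []
    # Exact string comparison: any difference in scheme, host or trailing
    # slash is reported so it can be resolved on the portal or in web.config.
    if realm not in settings["audiences"]:
        problems.append(f"realm {realm!r} not in audienceUris {settings['audiences']}")
    wanted = normalize_thumbprint(signing_thumbprint)
    if wanted not in settings["issuers"]:
        problems.append(f"signing certificate thumbprint {wanted} not in trustedIssuers")
    return problems


if __name__ == "__main__":
    # Values as they would be copied from the ACS portal (constructed).
    REALM = "https://myapp.example.com/"
    THUMBPRINT = "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D"
    for line in check_trust(SAMPLE_WEB_CONFIG, REALM, THUMBPRINT) or ["trust settings match"]:
        print(line)
```

Run it against your real web.config by reading the file into check_trust together with the Realm and thumbprint shown on the portal; thumbprint_of_der lets you confirm the thumbprint of a downloaded .cer file (read as bytes) when the portal and the certificate store disagree. A realm that differs only by a trailing slash is reported as a mismatch on purpose, so the value can be made identical on both sides rather than relying on URI canonicalization.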