Code Sample: ASP.NET MVC 4 with Federated Sign-out
Updated: June 19, 2015
Applies To: Azure
This sample illustrates how to integrate Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) with an ASP.NET MVC 4 application. ACS integration enables single sign-on and single sign-out features for supported identity providers in an ASP.NET MVC 4 application.
The code for this sample is located in the ASPNETSimpleMVC4 (C#\Websites\ASPNETSimpleMVC4) subdirectory of the Microsoft Azure Active Directory Access Control (ACS) Code Samples package.
For more information about the single sign-out feature in ACS, see Single sign-out.
Prerequisites
To run this sample, you will need:
An account in the Azure portal (https://go.microsoft.com/fwlink/?LinkID=275081) and an Access Control namespace. This sample uses an Access Control namespace called acssamples. Your namespace name can be different.
For more information about creating an Access Control namespace, see How to: Create an Access Control Namespace.
Visual Studio 2012
Identity and Access Tool for Visual Studio 2012 (https://msdn.microsoft.com/library/hh545418.aspx)
For more information, see ACS Prerequisites.
Configuring the Sample
You can use the ACS Management Portal or the ACS Management Service to configure this sample. This topic describes both options.
Option 1: Using the ACS Management Portal
Option 2: Using the ACS Management Service
Option 1: Using the ACS Management Portal
To configure the sample using the ACS Management Portal
Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)
To create an Access Control namespace, click New, click App Services, click Access Control, and then click Quick Create. (Or, click Access Control Namespaces before clicking New.)
To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
The ACS Management Portal opens.
To allow users of your application to login with their Google or Yahoo! identities, click Identity providers, click Add and then add Google and Yahoo!.
For instructions, see Google as an ACS Identity Provider and Yahoo! as an ACS Identity Provider. Windows Live ID (Microsoft account) is added by default and cannot be deleted.
To register your application with ACS, click Relying party applications, click Add, enter the following information in the form, and then click Save.
In the Name field, enter ASPNETMVC4Sample.
In the Realm field, enter https://localhost:65000/
In the Return URL field, enter https://localhost:65000/
In the Error URL field, enter https://localhost:65000/Error
In the Token format field, select SAML 2.0.
In the Token signing field, select Use service namespace certificate (standard).
For information about the fields and values on the Add Relying Party Application page, see Relying Party Applications.
To create a rule group that sends all claims issued by the identity providers to the relying party application, click Rule groups, click Default Rule Group for ACS Simple MVC4 Sample, and click Generate, and then clidk Save.
The Rule groups section of the ACS portal create the rules that determine which claims ACS sends to your application. By selecting all generated rules, you configure ACS to send pass all claims issued by the identity providers to the relying party application.
The sample is now configured and ready to run in Visual Studio 2012.
Option 2: Using the ACS Management Service
The Visual Studio sample solution has a console application called ConfigureSample that uses the ACS Management Service and the common helpers defined in the Common class library. You can use this application to configure your Access Control namespace for use with this sample.
To configure the sample using the ACS Management Service
To configure the sample, open SamplesConfiguration.cs (acs\Management\ManagementService\Common). Replace the placeholders in the SamplesConfiguration class in the Common class library with information about your Access Control namespace. You can find the information in the ACS Management Portal.
To navigate to the ACS Management Portal: Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available) To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)
ServiceNamespace - Enter the name of your Access Control namespace.
ManagementServiceIdentityName - Enter the name of an ACS management service account. The default is ManagementClient.
To find the management service account name, in the ACS Management Portal, click Management service. The accounts are listed by name under Management Service Accounts.
ManagementServiceIdentityKey - Enter the password for the management service account.
To find the management service account password, in the ACS Management Portal, click Management service. Click the name of a management service account, and then, under Credentials, click Password. The password appears in the Password field. To copy the password, click Show Password.
Run the ConfigureSample application in Visual Studio. The application uses the data in SamplesConfiguration.cs to configure ACS to run the sample.
Running the Sample
To run the sample
Open the solution file for the sample, ASPNETSimpleMVC4.sln (C#\Websites\ASPNETSimpleMVC4\), in Visual Studio 2012.
Right-click the project and select Identity and Access from the context menu.
Select Use the Azure Access Control Service.
Next to Select one or more providers ... click Configure.
Enter your Access Control namespace and management service account password.
Select one or more identity providers from the list.
The identity providers that appear are those that you added when you configured the sample in the ACS portal or the ACS management service.
Your relying party application is now configured to use ACS.
Press F5 to run the application. Your browser is directed to the ACS Home Realm Discovery page.
Click Google. Your browser is redirected to a Google sign-in page.
Enter the credentials of a Google account and decline the user consent form.
Your browser is redirected to https://localhost:65000/. Notice that your Google username appears in the top left corner of the page. This indicates that you are signed into the relying party application.To sign-out of the relying party application, click the Sign-out link. Notice that you are no longer authenticated.
See Also
Concepts
How to: Create an Access Control Namespace
ACS Management Service