How to: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates

Updated: June 19, 2015

Applies To: Azure

Applies To

  • Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)

  • ASP.NET

Summary

This topic describes how to configure trust between your application and ACS. Trust is established by signing the tokens that are exchanged between your ASP.NET web application and ACS.

Contents

  • Objectives

  • Overview

  • Summary of steps

  • Step 1 – Navigate to the Token Signing Certificates Section

  • Step 2 - Configure Trust Using X.509 Certificates

  • Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal

Objectives

  • Become familiar with the trust management section on the ACS Management Portal.

  • Manage trust using X.509 certificates.

  • Verify the required configuration in web.config and on the Management Portal.

Overview

Establishing trust is required to properly exchange tokens between your application and ACS. Trust ensures that the tokens are not tampered with in transit and that they are issued by a trusted party. For ASP.NET web applications trust is managed using X.509 certificates and is based on the configuration of the ACS Management Portal and the web.config configuration.

Summary of Steps

To establish and manage trust between an ASP.NET web application and ACS follow these steps:

  • Step 1 - Navigate to the Token Signing Certificates Section

  • Step 2 - Configure Trust Using X.509 Certificates

  • Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal

Step 1 – Navigate to the Token Signing Certificates Section

This step shows how to navigate to the trust management section of the ACS Management Portal.

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. In the ACS portal, click Relying party applications.

  4. Click a relying party application.

  5. On the Edit Relying Party Application page, scroll down to the Token Signing Certificates section.

  6. Select a certificate.

Step 2 - Configure Trust Using X.509 Certificates

This step shows how to configure and manage the trust between ACS and an ASP.NET web application using an X.509 certificate. Use an X.509 certificate signing credential if you are using the Windows® Identity Foundation (WIF) in your relying party application.

To configure and manage trust using an X.509 certificate

  1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

  2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  3. Click Certificates and keys and then select an X.509 certificate.

  4. On the Edit Token Signing Certificate or Key page, provide the following values:

    • Name: An arbitrary name of your choice.

    • Type: X.509 Certificate.

    • Certificate: To use the certificate that ACS creates by default, no action is required. You can also upload your own X.509 certificate.

      When you upload your own X.509 certificate, it should be password protected and usually has a .pfx extension. Provide the .pfx file password in the Password text box.

    • Password: If you use the default certificate, no action is required. If you upload a certificate, the certificate should be password protected. Enter the .pfx file password in the Password text box.

  5. Click Save.

Get an X.509 Certificate

There are several ways to get an X.509 certificate for token signing or encryption. The method you will use depends on your requirements and the tools available to your organization.

Local Certification Authority

If your organization has deployed a certification authority (CA), such as Active Directory Certificate Services (AD CS), you can request an X.509 certificate. You might need to contact your certification authority administrator for instructions or permissions. For more information about Active Directory Certificate Services, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=208371).

Commercial Certification Authority

You can purchase an X.509 certificate from a commercial certification authority, such as Verisign. Since this is a Labs release, it is recommended that you use your local certification authority (if available) or generate a self-signed certificate (see below).

Generate a Self-Signed Certificate

You can use software to generate your own self-signed certificate to use with ACS. While this is typically recommended only for testing purposes, this can be done by anyone without access to a local CA or payment to a commercial CA. If you are running Windows, you can download MakeCert.exe as part of the Windows SDK (https://go.microsoft.com/fwlink/?linkid=84091) and use this to generate a certificate.

Export a Self-Signed Certificate

For instructions on how to export a self-signed certificate, see Certificates and Keys.

Step 3 - Review Trust-Related Attributes in web.config and the ACS Management Portal

This step shows how to validate trust-related configuration attributes in your ASP.NET web application’s web.config.

  1. Open the web.config file for your ASP.NET web application.

  2. Navigate to the audienceUris node and verify that the value of its child add node is the same as the value that you entered in the Realm property field of the Edit Relying Party page of the ACS Management Portal. To find that value:

    1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available)

    2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

    3. Click Relying party applications.

    4. On the Relying Party Applications page, click the desired application.

    5. On the Edit Relying Party Application page, review the Realm attribute.
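The comparison described in this step can be done offline with a short script. The following Python program is an added example, not code from the original article or from Microsoft. It parses the WIF 3.5 configuration section (microsoft.identityModel) that ACS-generated web.config files use, or the WIF 4.5 equivalent (system.identityModel), and checks the audienceUris entries (and the wsFederation realm, where present) against the Realm shown on the Edit Relying Party Application page, and the trustedIssuers thumbprints against the thumbprint of the ACS token signing certificate. The sample web.config, the namespace name, the realm and the thumbprint are constructed placeholders, not values from any real deployment.

```python
"""Offline check of the trust-related attributes in a WIF web.config.

Added example, not code from the original article or from Microsoft. It reads the
WIF 3.5 section (<microsoft.identityModel>) that ACS-era web.config files use, or
the WIF 4.5 equivalent (<system.identityModel>), and compares:
  * the <audienceUris> entries (and the wsFederation realm, where present) with
    the Realm configured on the relying party in the ACS portal, and
  * the trusted issuer thumbprints with the thumbprint of the ACS token signing
    certificate, which is what lets WIF accept tokens signed by ACS.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (WIF 3.5 layout). Namespace, realm and thumbprint are
# placeholders, not values from any real deployment.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://contoso-rp.example/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://example-namespace.accesscontrol.windows.net/v2/wsfederation"
                      realm="https://contoso-rp.example/"
                      requireHttps="true" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
        <trustedIssuers>
          <add thumbprint="ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01"
               name="https://example-namespace.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
"""


def normalize_thumbprint(value):
    """Return the thumbprint as 40 upper-case hex digits, or None if it is not one.

    Thumbprints copied from the certificate dialog often carry spaces or an
    invisible leading character; spaces are removed, anything else fails.
    """
    cleaned = re.sub(r"\s+", "", value).upper()
    return cleaned if re.fullmatch(r"[0-9A-F]{40}", cleaned) else None


def normalize_uri(value):
    """Approximate System.Uri comparison: scheme and host case-insensitive,
    empty path treated as '/', the path itself compared as written."""
    parts = urlsplit(value.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def find_service(root):
    """Locate the WIF 3.5 <service> or WIF 4.5 <identityConfiguration> element."""
    for path in ("./microsoft.identityModel/service",
                 "./system.identityModel/identityConfiguration"):
        node = root.find(path)
        if node is not None:  # Element truthiness depends on children; test for None
            return node
    raise ValueError("no WIF configuration section found in web.config")


def check_trust(web_config_xml, acs_realm, acs_signing_thumbprint):
    """Return a list of mismatches; an empty list means web.config agrees with ACS."""
    problems = []
    service = find_service(ET.fromstring(web_config_xml))

    audiences = [a.get("value", "") for a in service.findall("./audienceUris/add")]
    if not audiences:
        problems.append("audienceUris has no <add> entry")
    elif normalize_uri(acs_realm) not in {normalize_uri(a) for a in audiences}:
        problems.append(f"audienceUris {audiences} does not contain the ACS realm {acs_realm!r}")

    # WIF 3.5 keeps wsFederation under <service>; WIF 4.5 moves it to
    # <system.identityModel.services>, so that check is skipped there.
    wsfed = service.find("./federatedAuthentication/wsFederation")
    if wsfed is not None and normalize_uri(wsfed.get("realm", "")) != normalize_uri(acs_realm):
        problems.append(f"wsFederation realm {wsfed.get('realm')!r} differs from the ACS realm")

    expected = normalize_thumbprint(acs_signing_thumbprint)
    if expected is None:
        problems.append("ACS signing certificate thumbprint is not 40 hex digits")
    trusted = [t.get("thumbprint", "") for t in
               service.findall("./issuerNameRegistry/trustedIssuers/add")]
    if not trusted:
        problems.append("trustedIssuers has no <add> entry")
    valid = set()
    for raw in trusted:
        norm = normalize_thumbprint(raw)
        if norm is None:
            problems.append(f"trusted issuer thumbprint {raw!r} is not 40 hex digits (stray characters?)")
        else:
            valid.add(norm)
    if expected is not None and trusted and expected not in valid:
        problems.append("no trusted issuer thumbprint matches the ACS token signing certificate")
    return problems


if __name__ == "__main__":
    # Realm and thumbprint below are the constructed values from SAMPLE_WEB_CONFIG.
    for line in check_trust(SAMPLE_WEB_CONFIG, "https://contoso-rp.example/",
                            "ABCDEF0123456789ABCDEF0123456789ABCDEF01") or ["web.config matches ACS"]:
        print(line)
```

Point check_trust at the real web.config text, the Realm value from the Edit Relying Party Application page and the thumbprint of the certificate selected under Token Signing Certificates. A realm that differs only by a trailing slash or host case is reported, which is the usual cause of WIF rejecting ACS tokens with an audience error; a thumbprint that fails the 40-hex-digit check usually means an invisible character came along when it was copied from the certificate dialog.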

See Also

Concepts

ACS How To's