Right now the tokens issued by Windows Azure AD in Web sign-on flows do not contain groups or role claims. In this post I will show you how to leverage the Graph API and the WIF extensibility model to work around the limitation; I will also take advantage of this opportunity to go a bit deeper in the use of the Graph API, which means that the post will be longer (and at times more abstract) than a simple code walkthrough. As usual, those are my personal musings and my own opinions. I am writing this on a Saturday night (morning?) hence I plan to have fun with this \ud83d\ude42 For the ones among you who are in a hurry or have low tolerance for logorrhea, please feel free to head to the product documentation on MSDN. <\/p>\n
Bird\u2019s Eye View of the Solution<\/h1>\n
Most pre-claims authorization constructs in ASP.NET are based on the idea of roles baked in IPrincipal: namely, I am thinking of the <authorization> config element, the [Authorize] attribute and of course the IsInRole() method. There\u2019s an enormous amount of existing code based on those primitives, and abundant literature using those as the backbone of authorization enforcement in .NET applications. As mentioned in the opening, right now Windows Azure AD does not send anything that can be interpreted as a role claim. The good news, however, is that Windows Azure AD offers the Graph API, a complete API for querying the directory and retrieve any information stored there, for any user; that includes the signed-in user, of course, and the roles he\/she belongs to. If you need to know what roles your user is in, all you need to do (over-simplifying a bit, for now) is to perform a GET on a resource of the form https:\/\/graph.windows.net\/yourtenant.onmicrosoft.com\/Users(‘guido@yourtenantname.onmicrosoft.com’)\/MemberOf<\/a>. That is pretty sweet, and in fact is just a ridiculously tiny sliver of all the great things you can do with the Graph API; however, if you\u2019d do this from your application code that would not help you to leverage the user\u2019s role information from <authorization> and the like. When you are in your application\u2019s code is kind of too late, as the ClaimsPrincipal representing the caller has already been assembled and that\u2019s where the info should be for those lower-level mechanisms to kick in. True, you could do something to the ClaimsPrincipal retroactively, but that\u2019s kind of brittle and messy.<\/p>\n There is another solution here, which can save both goat and cabbage (can you really say this in English?:-)). The WIF processing pipeline offers plenty of opportunities for you to insert custom logic for influencing how the token validation and ClaimsPrincipal creation takes place: details in Chapter 3 of Programming WIF<\/a>. Namely, there is one processing stage that is dedicated to incoming claims processing. Say that you have logic for filtering incoming claims, modifying them or extending the claims set you are getting from the STS with data from other sources. All you need to do is to derive from the ClaimsAuthenticationManager class, override the Authenticate method and add a reference to your custom class in the application\u2019s config. The code of custom ClaimsAuthenticationManager is going to be pretty simple, also thanks to the use of AAL for obtaining the necessary access token: just a tad more than 30 lines, and most of it string manipulation. In my experience, the thing that people often find tricky is the work that is necessary for enabling your Web application to invoke the Graph; furthermore, even if AAL reduces to a mere 3 the lines of code necessary for obtaining an access token, the structure of the parameters you need to pass is not always immediately clear to everybody. Here I\u2019ll do my best to explain both: they are not especially hard and I am confident you\u2019ll grok it right away. That said, I do hope we\u2019ll manage to automate A LOT of this so that in the future you won\u2019t be exposed to this complexity unless you want to change the defaults. We kind of already do this for the Web SSO part, if you use the MVC tool<\/a> you can get a functioning MVC4 app which uses Windows Azure AD for Web SSO in no time. In fact, in this post I\u2019ll use such an app as starting point.<\/p>\n Ready? Let\u2019s dive.<\/p>\n Let\u2019s get this immediately out of the way; also, it will provide structure for the rest of the work.<\/p>\n As mentioned, I assume you already have an MVC4 app that you configured with the MVC tool to integrate with your Windows Azure AD tenant for sign-in. If you didn\u2019t do it yet, please head to this page<\/a> now and follow the instructions for configuring your application. You can skip the publication to Windows Azure Web Sites, for this post we\u2019ll be able to do everything on the local box. If you want to see the tool in action, check out this BUILD talk<\/a>. This is pretty much the default ClaimsAuthenticationManager implementation: it passes through all the incoming claims to the next stage undisturbed. Our job will be to fill in the method\u2019s body following the comment placeholders I wrote there. You can make your application pick up and execute your class by adding a reference to the class library project and inseriting the proper config element to the web.config, as shown below (sci-fi formatting, you would not break strings IRL).<\/p>\n I\u2019d suggest hitting F5 and see if everything still works, often something silly like misspelled namespaces in the type attribute will create stumble points and you want to catch that before there will be more moving parts later on.<\/p>\n Alrighty, now for the first interesting part.<\/p>\n The next thing we need to do is enabling your MVC application to call back into the Graph and inquiry about the user\u2019s roles. But in order to do that, we first need to understand how our MVC application is represented in Windows Azure AD and what do we need to change.<\/p>\n When you run the MVC tool<\/a> for enabling Windows Azure authentication you are basically getting lots of the steps I described here<\/a> done for you. As a quick recap, the tool<\/p>\n \u2026and that\u2019s what enables you to hit F5 right after the wizard and see the SSO flow unfold in front of your very eyes, without the need of writing any code. Veeery nice. I guess you are starting to figure out what\u2019s the plan here. We want to use the app\u2019s ServicePrincipal credentials (in trusted subsystem fashion) to obtain a token for calling the Graph. That\u2019s a fine plan, but it cannot be implemented without a bit more work. Namely:<\/p>\n Luckily it\u2019s all pretty straightforward. The first thing we need to do is to retrieve a valid identifier for the ServicePrincipal, so that we can get a hold on it and modify it. That is pretty easy to do. Go to the app\u2019s web.config, in the <system.identityModel> sections, and you\u2019ll find the AppPrincipalId GUID in multiple places: in the identityConfiguration\/audienceUris or in the realm property of the system.identityModel.services\/federationConfiguration\/wsFederation element. Put it in the clipboard (without the \u201cSPN:\u201d!) and open the O365 PowerShell cmdlets prompt. Then, consider the following script. The formatting is all broken, of course: keep an eye on the line numbers for understanding where the actual line breaks are.<\/p>\n <\/p>\n Line by line:<\/p>\n Line 1: connect to the tenant. You\u2019ll be prompted for your admin user, make sure you choose the same tenant you have used to configure the MVC app \ud83d\ude42<\/p>\n Line 2: it imports the O365 cmdlets, and specifically the ones about ServicePrincipals. The \u201cforce\u201d flag is mandatory on Win8 boxes.<\/p>\n Line 3: I assign the AppPrincipalId from the web.config so I don\u2019t have to paste it every time.<\/p>\n Line 4: retrieve the ServicePrincipal<\/p>\n Line 5: add it to the \u201cDirectory Readers\u201d role<\/p>\n Lines 7 and 8: get the current date and the date one year from now, to establish the valitity bopundaries of the credentials we are going to assign to the ServicePrincipal<\/p>\n Line 9: create a new ServicePrincipalCredential of type symmetric key (there are other flavors, like certificate based creds) and assign it to the app\u2019s ServicePrincipal<\/p>\n<\/blockquote>\n Simple, right? Well, I have to thank Mugdha Kulkarni<\/strong> from the Graph team for this script. She wrote it for me while I was prepping for the BUILD talk, though in the end I decided I didn\u2019t have enough time to show it on stage. Thank you Mugdha, told you this was going to come in handy! \ud83d\ude09<\/p>\n Anyway, we\u2019ve done our first task: our app has now the right to invoke the Graph. Let\u2019s get back to the GraphClaimsAuthenticationManager and write some code to exercise that right.<\/p>\n Get back to VS and paste the following at the beginning of the if block in the Authenticate method:<\/p>\n That is pretty scrappy code, I\u2019ll readily admit. The first 2 lines hold the app\u2019s ServicePrincipal id and key, respectively. I could have retrieved it from the config, but if I do everything how are you going to have fun? \ud83d\ude09
This state of affair was well known to the designer of the original WIF 1.0, who provided mechanisms for projecting claims with the appropriate semantic (and specifically http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role<\/a>) as roles in IPrincipal. We even have a mechanism<\/a> which allows you to specify in config a different, arbitrary claim type to be interpreted as role, should your STS use a different claim type to express roles.<\/p>\n
So, the solution I propose is simple: we can create a custom ClaimsAuthenticationManager that at sign-in time reaches back to the Graph, retrieves the roles information, creates roles claims accordingly and adds them to the ClaimsPrincipal. Everything else downstream from that will be able to see the roles information just like if they would have been originally issued by the STS.<\/p>\n![\"image\"](\"http:\/\/cloudidentity.com\/blog\/wp-content\/uploads\/2013\/01\/3618.image_5F00_61B0D80F.png\" "\\"image\\"")
<\/a> <\/p>\nPrepping the GraphClaimsAuthenticationManager Wireframe<\/h1>\n
Create a new class library (though you could just add a class to your web project) and call it something meaningful: I called mine GraphClaimsAuthenticationManager<\/strong>.
Add a reference to System.IdentityModel, rename the class1.cs file to GraphClaimsAuthenticationManager.cs, then change the code as follows:<\/p>\n 1: <\/span>public<\/span> class<\/span> GraphClaimsAuthenticationManager : ClaimsAuthenticationManager<\/pre>\n 2: <\/span>{<\/pre>\n 3: <\/span> public<\/span> override<\/span> ClaimsPrincipal <\/pre>\n Authenticate(string<\/span> resourceName, ClaimsPrincipal incomingPrincipal)<\/pre>\n 4: <\/span> {<\/pre>\n 5: <\/span> if<\/span> (incomingPrincipal != null<\/span> && <\/pre>\n incomingPrincipal.Identity.IsAuthenticated == true<\/span>)<\/pre>\n 6: <\/span> { <\/pre>\n 7: <\/span> \/\/ get a token for calling the Graph<\/span><\/pre>\n 8: <\/span> <\/pre>\n 9: <\/span> \/\/ query the Graph for the current user's memberships<\/span><\/pre>\n 10: <\/span> <\/pre>\n 11: <\/span> \/\/ add a role claim for every membership found<\/span><\/pre>\n 12: <\/span> <\/pre>\n 13: <\/span> }<\/pre>\n 14: <\/span> return<\/span> incomingPrincipal;<\/pre>\n 15: <\/span> } <\/pre>\n 16: <\/span>}<\/pre>\n<\/div>\n <<\/span>system.identityModel<\/span>><\/span>\n <<\/span>identityConfiguration<\/span>><\/span>\n <<\/span>claimsAuthenticationManager<\/span>
type<\/span>="GraphClaimsAuthenticationManager.GraphClaimsAuthenticationManager,
GraphClaimsAuthenticationManager"<\/span> \/><\/span><\/pre>\nEnabling An MVC App to Invoke the Graph API<\/h1>\n
\n
\n
Now, from the above you might be tempted to think that a ServicePrincipal is the equivalent of a RP role in ACS: an entry which represents an entity meant to be a token recipient<\/em>. In fact, a ServicePrincipal can represent more roles than a simple RP: for example, an ServicePrincipal can also represent an applicative identity, with its own associated credential, whihc can be used for obtaining<\/em> a token to be used somewhere else. Remember ACS\u2019 service identities? That\u2019s kind of the same thing.<\/p>\n\n
1: <\/span>Connect-MsolService<\/font><\/pre>\n 2: <\/span>Import-Module<\/font> msonlineextended -Force<\/pre>\n 3: <\/span>$AppPrincipalId<\/font> = '62b4b0eb-ef3e-4c28-7777-2c7777776593'<\/span><\/pre>\n 4: <\/span>$servicePrincipal<\/font> = <\/pre>\n (Get-MsolServicePrincipal<\/font> -AppPrincipalId $AppPrincipalId<\/font>)<\/pre>\n
5: <\/span>Add-MsolRoleMember<\/font> -RoleMemberType "ServicePrincipal"<\/span> <\/pre>\n -RoleName "Directory Readers"<\/span> <\/pre>\n -RoleMemberObjectId $servicePrincipal<\/font>.ObjectId<\/pre>\n
6: <\/span> <\/pre>\n 7: <\/span>$timeNow<\/font> = Get-Date<\/font><\/pre>\n 8: <\/span>$expiryTime<\/font> = $timeNow<\/font>.AddYears(1)<\/pre>\n 9: <\/span>New-MsolServicePrincipalCredential<\/font> <\/pre>\n -AppPrincipalId $AppPrincipalId<\/font> <\/pre>\n
-Type symmetric <\/pre>\n
-StartDate $timeNow<\/font> <\/pre>\n
-EndDate $expiryTime<\/font> <\/pre>\n
-Usage Verify <\/pre>\n
-Value AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\/Q8=<\/pre>\n<\/div>\n
\n
Using AAL to Obtain an Access Token for the Graph API<\/h1>\n
1: <\/span>string<\/span> appPrincipalID = "62b4b0eb-ef3e-4c28-7777-2c7777776593"<\/span>;<\/pre>\n 2: <\/span>string<\/span> appKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA\/Q8="<\/span>;<\/pre>\n 3: <\/span> <\/pre>\n 4: <\/span>string<\/span> upn = incomingPrincipal.FindFirst(<\/pre>\n "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/upn"<\/span>).Value;<\/pre>\n 5: <\/span>string<\/span> tenantID = incomingPrincipal.FindFirst(<\/pre>\n "http:\/\/schemas.microsoft.com\/ws\/2012\/10\/identity\/claims\/tenantid"<\/span>).Value;<\/pre>\n<\/div>\n
\n
The next 2 lines retrieve the UPN of the incoming user (\u201cusername@domain<\/a>\u201d) and the ID of the directory tenant from where he\/she is coming from, both very important values for crafting our query.<\/p>\n