MVC3 Custom Login Sample Readme
This sample illustrates how to have a custom login page (Home Realm Discovery page) in an ASP.NET MVC3 application that uses ACS. The code for this sample is in the MVC3CustomSignInPage folder of the ACS 2.0 samples package.
Prerequisites
To run this sample, you will need:
See Prerequisites for more details. Note that it may be beneficial to walk through the Getting Started sample before running this sample.
Configuring the Sample
The ACS configuration required for this sample can be performed using either the ACS management portal, or the ACS management service.
Option 1: Configuring via the ACS Management Portal
1. Open a browser, navigate to http://windows.azure.com and sign in. From there, navigate to the Service Bus, Access Control, and Caching section to configure your ACS service namespace. Once you have created a namespace, select it and click Manage > Access Control Service at the top of the page. This should launch the following page in a new window:

2. The first step in configuring ACS is to establish relationships with the identity providers you would like the users of your website to use when logging in. To do this, click the Identity providers link and add the identity providers you want (e.g. Google, Yahoo!, Facebook). For details on how to obtain the prerequisite keys for Facebook, see How to configure Facebook as an Identity Provider.

When finished, click the Home link in the left navigation menu of the page to return to the main page.
3. Next, register your application with ACS by creating a relying party application in ACS. Click the Relying party applications link on the main page, then select Add and enter the following information in the subsequent form. When complete, click the Save button and then navigate back to the main page.

With your relying party application configured, it is now time to create the rules that determine the claims that ACS will issue to your application.
4. In this sample, we will pass through all the claims issued by the identity providers (Facebook, Yahoo, and Windows Live ID). To do this, first click Rule Groups from the main page, and click the Default rule group for ASPNET MVC3 Custom rule group.
5. At the bottom of the subsequent page, click the Generate link. Ensure that the three identity providers (Facebook, Yahoo, and Windows Live ID) are selected and click Generate.

6. With ACS now configured, open Visual Studio.
Option 2: Configuring via the ACS Management Service
The Visual Studio sample solution has a command line application called ConfigureSample which uses the ACS Management Service and the common helpers defined in the Common class library. This application can be used to configure your ACS service namespace for use with this sample.
1. Update the Common class library with information about your Service Namespace. Open SamplesConfiguration.cs and enter your:
- ServiceNamespace - This is the namespace used with ACS.
- ManagementServiceIdentityName - This is a management service account’s name.
- ManagementServiceIdentityKey - This is the password associated with the management service account.
- AcsHostUrl - This is the host name of the ACS.
2. In the ConfigureSample project open Program.cs and enter your:
- applicationId - This is your Facebook application’s Application Id.
- applicationSecret - This is your Facebook application’s Application Secret.
For details on how to get these keys, refer to How to configure Facebook as an Identity Provider.
3. Run the ConfigureSample application in Visual Studio, which will configure ACS to run this sample.
Running the Sample
1. Open the sample in Visual Studio (Websites\MVC3CustomLogonPage\MVC3CustomLogonPage.sln).
2. You need to add ACS as the STS reference. Right click on the MVCCustomSignInPage and select Add STS Reference from the context menu (shown below):

3. In the dialog, enter the root of the web application into the Application URI field and click Next. For this sample this value is "http://localhost:64000/". Note: the trailing slash is important as it lines up with the values you entered in ACS for your relying party. The wizard will issue a warning that your site isn't using SSL. Accept this warning by clicking the Yes button, but remember that a production website should almost always be using SSL for these types of scenarios.
4. In the next window, select the Use Existing STS radio button, and enter the URI of the WS-Federation metadata published by your ACS Service Namespace. That URI may be found on the portal under "Application Integration". If your Service Namespace is "mvc3samples", then the URI is "https://mvc3samples.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml". Once you have entered this value, click Next.
5. Since your website isn't requiring encrypted tokens, click Next on the remaining dialogs and then Finish.
6. At this point, your application is configured to use ACS with the ASP.NET blanket resource protection. We need to disable this protection so that we can use our own custom logon page with more granular MVC3 authentication filters. In the web.config file, under configuration, delete the following setting:

    <location path="FederationMetadata">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

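7. Under system.web, delete the following setting:

    <authorization>
      <deny users="?" />
    </authorization>

With these 2 settings removed, ASP.NET no longer performs any authentication or authorization on our behalf. From this point on, a controller action is reachable anonymously unless an MVC3 authentication filter protects it.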
8. Press F5 in Visual Studio to run the application. Your browser will take you to the main page of the application which will appear similar to:

9. Click the Sign In link in the upper-right corner, and select an identity provider from the list that appears. After authenticating, you will be returned to the Home page and your user information will be displayed in the upper-right corner (note that Windows Live ID will not provide a user name).
10. Click Log Off to log off. This will clear the session cookies and return you to the main page.
11. Now click the Directory link. Since you are no longer authenticated, you will be asked to pick an identity provider to access the Directory page. This is because the Directory page (Index in DirectoryController) is protected via the RequireAuthenticationAttribute. Once you pick an identity provider and authenticate, you will be directed back to the Directory page.
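
The per-action protection described in steps 6, 7 and 11, as an added example (not the sample's own code and not its RequireAuthenticationAttribute): a filter that sends anonymous requests to a custom sign-in page, applied to one action. The attribute name RequireSignInAttribute, the Account/LogOn route and the controller bodies are assumptions made for illustration.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical filter; the sample's RequireAuthenticationAttribute may be written differently.
public sealed class RequireSignInAttribute : AuthorizeAttribute
{
    // AuthorizeAttribute.AuthorizeCore already fails any request whose
    // User.Identity is not authenticated. Only the response to a failed
    // request is changed here: redirect to the custom sign-in page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" },      // assumed sign-in controller
            { "action", "LogOn" },            // assumed sign-in action
            { "returnUrl", request.RawUrl }   // where to go back to after sign-in
        });
    }
}

// Illustrative controller: with the web.config <authorization> blocks removed,
// the attribute is the only thing standing between an anonymous user and Index.
public class DirectoryController : Controller
{
    [RequireSignIn]
    public ActionResult Index()
    {
        return View();
    }
}

// Illustrative sign-in controller hosting the identity provider list.
public class AccountController : Controller
{
    public ActionResult LogOn(string returnUrl)
    {
        // returnUrl arrives in the query string, so treat it as untrusted:
        // keep it only when it points back into this application.
        ViewBag.ReturnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/");
        return View();
    }
}
```

Any action without the attribute stays publicly reachable, so review each controller for missing attributes after removing the web.config settings.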