MVC3 Custom Login Sample Readme
This sample illustrates how to have a custom login page (Home Realm Discovery page) in an ASP.NET MVC3 application that uses ACS. The code for this sample is in the
MVC3CustomSignInPage folder of the ACS 2.0 samples package.
To run this sample, you will need:
for more details. Note that it may be beneficial to walkthrough the Getting Started
sample before running this sample.
Configuring the Sample
The ACS configuration required for this sample can be performed using either the ACS management portal, or the ACS management service.
Option 1: Configuring via the ACS Management Portal
1. Open a browser and navigate to
http://windows.azure.com and sign in. From there, navigate to the
Service Bus, Access Control, and Caching section to configure your ACS service namespace. Once you have created a namespace, select it and click
Manage > Access Control Service at the top of the page. This should launch the following page in a new window:
The first step in configuring ACS is to establish relationships with the identity providers you would like the users of your website to use when logging in. To do this, click on the
Identity providers link and add any identity providers you would like to add (e.g. Google, Yahoo!, Facebook). For details on how to obtain the prerequisite keys for Facebook, see
How to configure Facebook as an Identity Provider.
When finished, click the
Home link in the left navigation menu of the page to return to the main page.
Next, register your application with ACS by creating a relying party application in ACS. Click the
Relying party applications link on the main page, then select
Add and enter the following information in the subsequent form. When complete, click the
Save button and then navigate back to the main page.
With your relying party application configured, it is now time to create the rules that determine the claims that ACS will issue to your application.
In this sample, we will pass through all the claims issued by the identity providers (Facebook, Yahoo, and Windows Live ID).
To do these, first click
Rule Groups from the main page, and click the Default rule group for ASPNET MVC3 Custom rule group.
At the bottom of the subsequent page, click the Generate link. Ensure that the three identity providers (Facebook, Yahoo, and Windows Live ID) are selected and click
With ACS now configured, open Visual Studio.
Option 2: Configuring via the ACS Management Service
The Visual Studio sample solution has a command line application called
ConfigureSample which uses the ACS Management Service and the common helpers defined in the
Common class library. This application can be used to configure your ACS service namespace for use with this sample.
Update the Common class library with information about your Service Namespace. Open
SamplesConfiguration.cs and enter your:
- ServiceNamespace -
This is the namespace used with ACS.
- ManagementServiceIdentityName -
This is a management service account’s Name
- ManagementServiceIdentityKey -
This is the password associated with the management service account.
- AcsHostUrl -
This is the host name of the ACS
In the ConfigureSample project open
Program.cs and enter your:
- applicationId -
This is your Facebook application’s Application Id
- applicationSecret -
This is your Facebook application’s Appication Secret
For details on how to get these keys, refer to
How to configure Facebook as an Identity Provider.
Run the ConfigureSample application in Visual Studio, which will configure ACS to run this sample.
Running the Sample
Open the sample in Visual Studio (Websites\MVC3CustomLogonPage\MVC3CustomLogonPage.sln).
You need to add ACS as the STS reference. Right click on the
MVCCustomSignInPage and select Add STS Reference from the context menu (shown below):
In the dialog, enter the root of the web application into the
Application URI field and click Next. For this sample this value is "http://localhost:64000/". Note: the trailing slash is important as it lines up with the values you entered in ACS for your relying party. The wizard will issue a
warning that your site isn't using SSL. Accept this warning by clicking the
Yes button, but remember that a production website should almost always be using SSL for these types of scenarios.
In the next window, select the Use Existing STS radio button, and enter the URI of the WS-Federation metadata published by your ACS Service Namespace. That URI may be found on the portal under “Application Integration".
If your Service Namespace is "mvc3samples", then the URI is "https:// mvc3samples.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml". Once you have entered this value, click
Since your website isn't requiring encrypted tokens, click
Next on the remaining dialogs and then Finish.
At this point, your application is configured to use ACS with the ASP .NET blanket resource protection. We need to disable this protection so that we can use our own custom logon page with more granular MVC3 authentication filters.
In the web.config file, under
configuration delete the following setting:
<allow users="*" />
Under the system.web delete the following setting:
<deny users="?" />
With these 2 settings removed, ASP .NET is not doing any authentication and authorization on our behalf.
Press F5 in Visual Studio to run the application. Your browser will take you to the main page of the application which will appear similar to:
Click the Sign In link in the upper-right corner, and select an identity provider from the list that appears. After authenticating, you will return back to the Home page and your user information will be displayed
in the upper-right corner (note that Windows Live ID will not provide a user name).
Click Log Off to log off. This will clear the session cookies and return you back to main page.
Now click to Directory link. Since you are no longer authenticated, you will be asked to pick an identity provider to access the Directory page.
This is because the Directory page (Index in DirectoryController) is protected via the RequireAuthenticationAttribute. Once you pick an identity provider and authenticate, you will be directed back to the Directory