Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 3

Before proceeding with further reading, review the following previous posts:

• Securing Windows Azure Distributed Application Using AppFabric Access Control Service (ACS) v2 – Scenario and Solution Approach
• Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 1
• Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 2

In this post I will show how to publish your ASP.NET web application and how to configure it to keep federated authentication with ACS v 2.0 functional when running in Windows Azure production environment.

Step 5 – Deploy your solution to Windows Azure

Content in this step adopted and adapted from Code Quick Launch: Create and deploy an ASP.NET application in Windows Azure.

In this step you will deploy the application to the cloud using the Windows Azure management portal. First you’ll need to create a service and a service configuration file, called service package, and then upload it to Windows Azure environment using Windows Azure management portal.

To create service package and upload it to Windows Azure environment

1. In Visual Studio’s Solution Explorer, right-click the project name (the one that’s above Roles folder) and then click Publish… .

2. Within the Deploy Windows Azure project dialog, click Create Service Package Only, then click OK.

3. Assuming successful compilation, Visual Studio will open a folder that contains two files created as part of the publish process. The files are ServiceConfiguration.cscfg (which we discussed earlier in this topic) and <YourProjectName> .cspkg (such as WindowsAzureProject1.cspkg). The .cspkg extension is for service package files. A package file contains the service definition as well as the binaries and other items for the application being deployed. Make a note of the path to these files, as you’ll be prompted for the path when you deploy the application using the Windows Azure management portal.

4. Log in to the Windows Azure management portal to deploy the application. Log in at https://windows.azure.com.

5. Within the Windows Azure management portal, click Hosted Services, Storage Accounts & CDN.

6. Click New Hosted Service.

7. Select a subscription that will be used for this application.

8. Enter a name for your application. This name is used to distinguish your services within the Windows Azure management portal for the specified subscription.

9. Enter the URL for your application. The Windows Azure management portal ensures that the URL is unique within the Windows Azure platform (not in use by anyone else’s applications). Note: this is the URL that needs to be then updated in both ACS v2.0 management portal for that relying party’s realm and return URL and in the application’s web.config audienceUri and realm.

10. Choose a region from the list of regions.

11. Choose Deploy to stage environment.

12. Ensure that Start after successful deployment is checked.

13. Specify a name for the deployment.

14. For Package location, click the corresponding Browse Locally… button, navigate to the folder where your <YourProjectName> .cspkg file is, and select the file.

15. For Configuration file, click the corresponding Browse Locally… button, navigate to the folder where your ServiceConfiguration.cscfg is, and select the file.

16. Click on Add Certificate button to add your certificate to be deployed, but first you need to export the certificate into file. To export the certificate into file follow these steps:

    1. Open mmc console by first clicking on Windows button in task bar and typing mmc. You should see mmc.exe appears in search results. Click on it.

    2. When mmc console appears click on File option and then on Add/Remove Snap-in… option.

    3. In the Add or Remove Snap-ins dialog box choose Certificates from the available snap-ins list and click on Add> button.

    4. Choose Computer Account option and click Finish button.

    5. In the Select Computer wizard page select Local Computer (the computer this console is running on) and click Finish button. The click OK button.

    6. Expand Console Root folder.

    7. Expand Certificates(Local Computer) folder.

    8. Expand Personal folder.

    9. Click on Certificates folder to list available certificates.

    10. Locate your certificate in the list.

    11. Right click on the certificate and choose All Tasks and then Export… option.

    12. Click Next on the welcome page of the wizard.

    13. On the Export Private Key page choose Yes, export the private key option and click Next button.

    14. On the Export File Format leave the default option which is Personal Information Exchange - PKCS #12 (.PFX) and click Next button.

    15. On the Password page of the wizard specify password. You will need it when uploading the certificate to Windows Azure environment via management portal.

    16. On the File to Export page of the wizard specify destination file and click Next button. Make a note where you are saving the file. Note, since the certificate being exported has private key extra care should be taken to not exposing it to the public. It’s best if you delete the file altogether after uploading it to Windows Azure environment.

    17. Click Finish to complete the wizard. You should be presented with The export was successful message, click OK button to dismiss the message.

17. Switch back to Windows Azure management portal where you opened a dialog box to locate your certificate (.PFX) file and locate the certificate file you have just exported.

18. Specify the password for your certificate in the Certificate Password field.

19. Click OK. You will receive a warning after you click OK because there is only one instance of the web role defined for your application (this setting is contained in the ServiceConfiguration.cscfg file). For purposes of this walk-through, override the warning by clicking Yes, but realize that you likely will want more than one instance of a web role for a robust application.

    You can monitor the status of the deployment in the Windows Azure management portal by navigating to the Hosted Services section. Because this was a deployment to a staging environment, the DNS will be of the form https:// <guid> .cloudapp.net. You can see the DNS name if you click the deployment name in the Windows Azure management portal (you may need to expand the Hosted Service node to see the deployment name); the DNS name is in the right hand pane of the portal. Once your deployment has a status of Ready (as indicated by the Windows Azure management portal), you can enter the DNS name in your browser (or click it from the Windows Azure management portal) to see that your application is deployed to the cloud.

    Although this walk-through was for a deployment to the staging environment, a deployment to production follows the same steps, except you pick the production environment instead of staging. A deployment to production results in a DNS name based on the URL of your choice, instead of a GUID as used for staging.

    If this is your first exposure to the Windows Azure management portal, take some time to familiarize yourself with its functionality. For example, similar to the way you deployed your application, the portal provides functionality for stopping, starting, deleting, or upgrading a deployment.

    Important

    Assuming no issues were encountered, at this point you have deployed your Windows Azure application to the cloud. However, before proceeding, realize that a deployed application, even if it is not running, will continue to accrue billable time for your subscription. Therefore, it is extremely important that you delete unwanted deployments from your Windows Azure subscription. To delete the deployment, use the Windows Azure management portal to first stop your deployment, and then delete your deployment. These steps take place within the Hosted Services section of the Windows Azure management portal: Navigate to your deployment, select it, and then click the Stop icon. After it is stopped, delete it by clicking the Delete icon. If you do not delete the deployment, billable charges will continue to accrue for your deployment, even if it is stopped.

20. Publish to production clicking on you deployment node so that Swap VIP ribbon appears.

21. Click on Swap VIP ribbon and then OK button. The deployment to production should take couple of minutes.

In the next procedure you will update the the package and the ACSv2 to reflect on the address changes from staging environment to production.

To update the package and ACS v2.0 configuration to reflect on production environment

1. Switch back to your solution in Visual Studio.
2. Open web.config and change audienceUri and realm to reflect on the changes you made when switching from staging to production environment.
3. In the Solution Explorer right clock on the role (right above the roles folder) and click on Publish option republish the package with the changes in web.config. You cannot update just web.config, you need to create the new package.
4. Switch to Windows Azure management portal.
5. Click on the role so that you see the Upgrade ribbon appears in the tool bar, click on the ribbon and provide path to newly created package and configuration files in Package Location: and Configuration File: fields respectively.
6. Click OK button. The update should take several minutes.
7. Go to ACS v2.0 portal and update realm and return URL of the relying party to reflect the changes you made when switching from staging to production, these values should match audienceUris and realm values in the web.config.

Next procedure helps you to verify your application is functional when running in Windows Azure environment.

To verify the application is functional and running in Windows Azure environment

1. Navigate to your production URL of your application. Make sure that you use SSL (HTTPS) and use the right port you configured in the package.
2. You should be redirected to the Home Realm Discovery (HRD) page presenting you with two options – Windows Live ID and Google.
3. Choose one of them to authenticate yourself.
4. Upon successful authentication you will be redirected to your Default.aspx page.

My live demo is here https://wawithacsv2.cloudapp.net:8085/.

Related materials

• Windows Azure AppFabric Access Control Service (ACS) v2 As A Cloud Single Sing On (SSO) Service – Scenarios and Solution Approaches
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites
• Windows Azure AppFabric Access Control Service 2.0 Documentation
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul
• Windows Identity Foundation (WIF) Questions & Answers