Cloud Tip #8-Using ACS without SSL

Today I showed a workaround for when you are showing ACS on a site that is running without the SSL piece set up.

<system.web>
  <!-- Hack to get past request token on non-SSL site -->
  <httpRuntime requestValidationMode="2.0" />
  <pages validateRequest="false" controlRenderingCompatibilityVersion="4.0"
         clientIDMode="AutoID"></pages>

...

Note that shutting off validation of requests is not recommended, as it opens your site to exploits. For a better approach, Sandrino Di Mattia does a great job of explaining the right way to deploy and use the Access Control Service in an Azure-deployed solution.

https://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service

Make sure you add a reference to Microsoft.IdentityModel v3.5.0.0 and then set the assembly's Copy Local property so that it is copied with the deployment.

On another track we looked at how to explore the claims that are included as part of the returned identity. In the Azure event I also showed a page that shows the contents of the user identity and displays information about the claims contained in the token returned from ACS. I created a page in a secure location, then added a simple data grid to the page (called GridView1), and then in the page load I pull the identity information from the authenticated user data. The code for Page_Load is below:

  

    // At the top of the page's code-behind file:
    using System;
    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    // Inside the page class:
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            // Cast the Thread.CurrentPrincipal
            IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;
            if (icp == null)
            {
                // The "as" cast yields null when the request did not go through WIF
                txtAuthType.Text = "Current principal is not a claims principal";
                return;
            }

            // Access IClaimsIdentity which contains claims
            IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

            // icp.Identity.Name;
            // txtAuthName.Text = claimsIdentity.Name;

            txtAuthType.Text = claimsIdentity.AuthenticationType;
            txtIsAuthenticated.Text = claimsIdentity.IsAuthenticated.ToString();

            // Project each claim to its type and value for display in the grid
            var myClaims = from c in claimsIdentity.Claims
                           select new { c.ClaimType, c.Value };

            GridView1.DataSource = myClaims;
            GridView1.DataBind();

            // Enable secret content for administrators
            if (Thread.CurrentPrincipal.IsInRole("Administrator"))
            {
                this.secretContent.Visible = true;
            }
        }
        catch (Exception ex)
        {
            txtAuthType.Text = ex.Message;
        }
    }

Enjoy!
