
Federating a .NET Core App to Azure AD using OpenID Connect - Lab 1 – Part 2

Overview

Many customers manage their identities in Azure AD (AAD), and many of them want to deploy .NET web applications to AWS while still authenticating users against Azure AD. This walkthrough demonstrates how an OpenID Connect federation between an application hosted in AWS and Azure AD provides that authentication configuration.

Picture 1

Topics covered

In this walk-through, you'll build the following:

  • Configure a trial Azure AD account if necessary, add a test user and register an external federated application so that Azure AD acts as its OpenID Connect identity provider (IdP)
  • Configure and deploy an ASP.NET Core web app whose users are authenticated by Azure AD

Pre-requisites

  • An AWS account with Administrative rights
  • Visual Studio 2017 Community Edition or better with the AWS toolkit installed
  • Administrative access to an Azure AD organization (tenant)

Task 1: Log in to your Azure AD tenant or use an existing account

Use an existing tenant

Many developers already have tenants through services or subscriptions that are tied to Azure AD tenants such as Microsoft 365 or Azure subscriptions.

Step 1: To check the tenant, sign in to the Azure portal with the account you want to use to manage your application.

Step 2: Check the upper right corner. If you have a tenant, you'll automatically be logged in and can see the tenant name directly under your account name.

  • Hover over your account name on the upper right-hand side of the Azure portal to see your name, email, directory / tenant ID (a GUID), and your domain.
  • If your account is associated with multiple tenants, you can select your account name to open a menu where you can switch between tenants. Each tenant has its own tenant ID.

Note: If you don't have an existing tenant associated with your account, you'll see a GUID under your account name and you won't be able to perform actions like registering apps until you follow the steps of the next section.

Create a new Azure AD tenant

Step 3: If you don't already have an Azure AD tenant or want to create a new one for development, follow the directory creation experience. You will have to provide the following information to create your new tenant:

  • Organization name
  • Initial domain - this will be part of *.onmicrosoft.com. You can customize the domain name later if you wish.
  • Country or region

Picture 2

Task 2: Register an application

Register the sample with your Azure AD tenant

Step 4: On the top bar, select your account. Under the DIRECTORY list, choose the Azure Active Directory tenant that you created in the previous step.

Note: If you have only one directory then it will be selected by default.

Picture 3

Picture 4

Step 5: In the left navigation sidebar, select Azure Active Directory.

Picture 5

Step 6: From the sidebar, select App registrations.

Picture 6

Step 7: Select New application registration and provide a friendly name for the app, the application type, and the sign-on URL:

  • Name: OpenIDConnectApp
  • Application Type: Web app / API
  • Sign-on URL: the URL described in the note below

Note: We will re-use the ASP.NET Core web app that we created and deployed in the first lab. Re-use the Elastic Beanstalk hostname that you created in the first lab (open the Elastic Beanstalk dashboard in the AWS console to find this URL if necessary), and don’t forget to append the path “/signin-oidc-azure” to it. For example:

Picture 7

Step 8: Select Create to register the app.

Step 9: Click on the Settings link.

Picture 8

Step 10: On the Properties blade, set the Logout URL to your Elastic Beanstalk hostname followed by /signout-oidc, for example:

https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com/signout-oidc

Then select Save.

Picture 9

Step 11: From the Azure portal, note the following information:

Tenant domain: Copy the base URL of the App ID URI and paste it into a text editor. For example: JaneDemoAD.onmicrosoft.com

Application ID (Client ID): See the Properties blade. For example: ba74781c2-53c2-442a-97c2-3d60re42f403

Tenant ID: See the Endpoints blade and record the GUID that appears in any of the endpoint URLs. For example: da41245a5-11b3-996c-00a8-4d99re19f292

Note: Ensure that the base address in both the Sign-on URL and Logout URL settings is your Elastic Beanstalk hostname from the previous lab, for example: https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com

Task 3: Create & Assign users to the application

Create User

Step 12: Open Azure Active Directory by clicking All services at the top of the main left-hand navigation menu.

Step 13: Click on the Users link in the left navigation.

Picture 13

Step 14: Click on the New User button in the top navigation.

Picture 14

Step 15: Set the following values:

  • Name: testuser
  • Username: testuser@janedemoad.onmicrosoft.com (Note: use the domain that you created in Task 1)
  • Leave the other properties at their default values
  • Copy the system-generated password and save it in your text editor

Picture 15

Step 16: Click on Create.

Assign users

To assign one or more users to an application directly, follow the steps below:

Step 17: Open Azure Active Directory by clicking All services at the top of the main left-hand navigation menu.

Step 18: Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

Step 19: Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

Picture 16

Step 20: Select the application OpenIDConnectApp.

Picture 17

Step 21: Once the application loads, click Users and Groups from the application’s left-hand navigation menu.

Picture 18

Step 22: Click the Add User button in the top navigation.

Step 23: Click the Users and groups selector in the Add Assignment pane.

Step 24: Click on the Users section.

Step 25: Select the test user created in the previous task.

Picture 19

Step 26: Click the Select button to add them to the list of users and groups to be assigned to the application.

Step 27: Click the Assign button to assign the application to the selected users.

Picture 20

Task 4: Re-build the existing application from Lab 1

Step 28: Open Visual Studio 2017 and click File > Open > Project/Solution.

Step 29: Go to the path where you have the OpenIdConnect.sln file and click Open.

Picture 21

Step 30: Right-click on the project and build it; it should build successfully without any errors.

Step 31: In the appsettings.json file, under AzureAd, provide values for Domain, TenantId and ClientId (Application ID), which you recorded earlier from Azure AD.

Picture 22

Step 32: In Startup.cs, comment out line 38, uncomment line 39 and save the file.

Picture 23

Step 33: Build the application.
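To make concrete what steps 31 and 32 switch on, here is an added example of an ASP.NET Core 2.x Startup.cs that reads the AzureAd settings and wires up the OpenID Connect handler. It is not the lab project's own Startup.cs (which the page does not reproduce); the class layout, the namespace, the tenant-specific authority and the id_token response type are assumptions about how such a project is built. The configuration keys (Domain, TenantId, ClientId) and the two callback paths (/signin-oidc-azure, /signout-oidc) are the ones the lab registers in steps 7, 10 and 31.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

namespace OpenIdConnect // assumed namespace, named after the lab's OpenIdConnect.sln
{
    // Example Startup for the lab's "AzureAd" settings (assumed layout, not the lab's own file).
    // appsettings.json is expected to contain the values recorded in step 11 and entered in step 31:
    //   "AzureAd": { "Domain": "JaneDemoAD.onmicrosoft.com", "TenantId": "<tenant GUID>", "ClientId": "<application ID>" }
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            var azureAd = Configuration.GetSection("AzureAd");
            var tenantId = azureAd["TenantId"];
            var clientId = azureAd["ClientId"];
            // Domain is recorded in step 31 but this wiring only needs TenantId and ClientId.

            services.AddAuthentication(options =>
            {
                // The signed-in session lives in a cookie; unauthenticated requests are
                // challenged by redirecting the browser to Azure AD via OpenID Connect.
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                // Tenant-specific authority: the handler downloads this tenant's discovery
                // document and validates the ID token's issuer and signature against it.
                // Pointing Authority at the "common" endpoint instead would accept sign-ins
                // from any Azure AD tenant, which is not what a single-tenant app wants.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}";
                options.ClientId = clientId;

                // Must match the Sign-on URL (step 7) and Logout URL (step 10) registered
                // in Azure AD; Azure AD refuses redirects to any other path on this host.
                options.CallbackPath = "/signin-oidc-azure";
                options.SignedOutCallbackPath = "/signout-oidc";

                // Sign-in only: ask for an ID token and never fetch metadata over plain HTTP.
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.RequireHttpsMetadata = true;

                // Show the user's display name from the "name" claim on the claims page.
                options.TokenValidationParameters.NameClaimType = "name";
            });

            services.AddMvc();
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (!env.IsDevelopment())
            {
                app.UseExceptionHandler("/Home/Error");
            }
            app.UseStaticFiles();

            // Authentication must run before MVC so [Authorize] sees the cookie principal.
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}
```

If the callback paths or the TenantId here differ from what was registered in Task 2, the sign-in in Task 6 fails at the Azure AD side with a redirect URI mismatch or at the application side with an issuer validation error, so those three values are the first things to compare when troubleshooting.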

Task 5: Deploy the sample ASP.NET app to AWS

In this task you will deploy the sample ASP.NET app to AWS.

Step 34: Right-click on the project and click on Publish to AWS Elastic Beanstalk.

Step 35: Under Deployment target, select Re-deploy to an existing environment and select OpenIdConnectApp.

Picture 24

Step 36: Click Next.

Step 37: Leave the default values and click on Finish.

Picture 25

Step 38: Click on Deploy.

Task 6: Test the application

Step 39: Now we are ready to browse to the site and test our configuration. Open a private or incognito browser window (this helps prevent automatic sign-in behaviour or existing cookies from altering the result) and browse to the URL that you created in step 10.

Note: the self-signed SSL certificate that we created earlier is not trusted by your computer, so expect to see a security warning; click on Advanced and then click on Add Exception.

https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com/

Picture 26

  • Enter the test username: testuser@janedemoad.onmicrosoft.com
  • Enter the test user password: the system-generated password (Picture 27)
  • You will be prompted to change the password; enter a new password and log in (Picture 28)
  • Once logged in, you’ll see all the claims associated with the user (Picture 29)
  • Click on Sign Out to sign out the user (Picture 30)