Federating a .NET Core App to Azure AD using OpenID Connect - Lab 1 – Part 2
Many customers have identities managed in Azure AD (AAD), and many of those customers may want to deploy .NET web applications to AWS and authenticate users in Azure AD. This walkthrough demonstrates how an OpenID Connect federation between AWS and Azure AD can be used to create that authentication configuration.
In this walkthrough, you'll do the following:
- Configure a trial Azure AD account if necessary, add a test user and configure an external federated application as an Open Identity Provider (IdP)
- Configure and deploy an ASP.NET Core Web App that will be authenticated using Azure AD
Prerequisites
- An AWS account with Administrative rights
- Visual Studio 2017 Community Edition or better with the AWS toolkit installed
- Admin Azure AD Organization
Task 1: Log in to your Azure AD tenant or create a new one
Use an existing tenant
Many developers already have tenants through services or subscriptions that are tied to Azure AD tenants such as Microsoft 365 or Azure subscriptions.
Step 1: To check the tenant, sign in to the Azure portal with the account you want to use to manage your application.
Step 2: Check the upper right corner. If you have a tenant, you'll automatically be logged in and can see the tenant name directly under your account name.
- Hover over your account name on the upper right-hand side of the Azure portal to see your name, email, directory / tenant ID (a GUID), and your domain.
- If your account is associated with multiple tenants, you can select your account name to open a menu where you can switch between tenants. Each tenant has its own tenant ID.
Note: If you don't have an existing tenant associated with your account, you'll see a GUID under your account name and you won't be able to perform actions like registering apps until you follow the steps of the next section.
Create a new Azure AD tenant
Step 3: If you don't already have an Azure AD tenant or want to create a new one for development, follow the directory creation experience. You will have to provide the following information to create your new tenant:
- Organization name
- Initial domain - this will be part of *.onmicrosoft.com. You can customize the domain name later if you wish.
- Country or region
Task 2: Register an application
Register the sample with your Azure AD tenant
Step 4: On the top bar, select your account. Under the DIRECTORY list, choose the Active Directory tenant which you created in the previous step.
Note: If you have only one directory then it will be selected by default.
Step 5: In the left navigation sidebar, select Azure Active Directory.
Step 6: From the sidebar, select App registrations.
Step 7: Select New application registration and provide a friendly name for the app, app type, and sign-on URL:
- Name: OpenIDConnectApp
- Application Type: Web app / API
- Sign-on URL: enter the following URL and click Create
Note: We will be re-using the ASP.NET Core web app that we created and deployed in the first lab. Re-use the Elastic Beanstalk hostname that you created in the first lab (you can connect to the Elastic Beanstalk dashboard in the AWS console to get this URL if necessary, but don’t forget to append “signin-oidc-azure”). For example:
- Also please make a note of this URL as we will use it throughout the rest of the walkthrough (you may want to start a notepad document as there will be several values to keep track of during the walkthrough)
Step 8: Select Create to register the app.
Step 9: Click the Settings link.
Step 10: On the Properties blade, set the Logout URL to your Elastic Beanstalk hostname. Example:
Step 11: From the Azure portal, note the following information:
Tenant domain: Copy the App ID URI base URL and paste it in a text editor. For example: JaneDemoAD.onmicrosoft.com
Application ID (Client ID): See the Properties blade. For example: ba74781c2-53c2-442a-97c2-3d60re42f403
Tenant ID: See the Endpoints blade. Record the GUID from any of the endpoint URLs. For example: da41245a5-11b3-996c-00a8-4d99re19f292
- To get the Tenant ID, click App registrations on the top navigation
- Click the Endpoints link on the top navigation
- Copy any of the URLs
- Record the GUID part of it
Note: Ensure that the base address in the Sign-on URL and Logout URL settings is your Elastic Beanstalk hostname from the previous lab – example: https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com
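Added example (not part of the original lab or its sample project): a Python check that the values recorded in Task 2 agree with each other before they go into appsettings.json. The function names, the https and GUID-format checks as coded here, and the sample GUIDs and endpoint URL are assumptions constructed for illustration; the hostname is the lab's example.

```python
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
CALLBACK_SEGMENT = "signin-oidc-azure"  # path the lab appends to the hostname


def tenant_id_from_endpoint(endpoint_url):
    """Return the tenant GUID from an Endpoints-blade URL, or None if absent."""
    parts = urlsplit(endpoint_url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not segments:
        return None
    first = segments[0]
    return first.lower() if GUID_RE.fullmatch(first) else None


def check_registration(sign_on_url, logout_url, endpoint_url, tenant_id, client_id):
    """Return a list of problems with the values recorded in Task 2."""
    problems = []
    sign_on, logout = urlsplit(sign_on_url), urlsplit(logout_url)
    for name, url in (("Sign-on URL", sign_on), ("Logout URL", logout)):
        if url.scheme != "https":
            problems.append(f"{name} must use https")
    if sign_on.path.strip("/") != CALLBACK_SEGMENT:
        problems.append(f"Sign-on URL path must be /{CALLBACK_SEGMENT}")
    if sign_on.netloc.lower() != logout.netloc.lower():
        problems.append("Sign-on URL and Logout URL use different hostnames")
    for name, value in (("Tenant ID", tenant_id), ("Client ID", client_id)):
        if not GUID_RE.fullmatch(value):
            problems.append(f"{name} is not a well-formed GUID")
    from_endpoint = tenant_id_from_endpoint(endpoint_url)
    if from_endpoint is None:
        problems.append("Endpoint URL does not contain a tenant GUID")
    elif from_endpoint != tenant_id.lower():
        problems.append("Tenant ID differs from the GUID in the endpoint URL")
    return problems


# Constructed sample values (not from a real tenant); hostname is the lab's example.
HOST = "https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com"
TENANT = "11111111-2222-4333-8444-555555555555"
CLIENT = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize"

if __name__ == "__main__":
    print(check_registration(f"{HOST}/{CALLBACK_SEGMENT}", HOST, ENDPOINT, TENANT, CLIENT))
```

An empty list means the recorded values are consistent; each string in a non-empty list names one value to re-copy from the portal.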
Task 3: Create & Assign users to the application
Step 12: Open the Azure Active Directory by clicking All services at the top of the main left hand navigation menu.
Step 13: Click the Users link on the left navigation.
Step 14: Click the New User button on the top navigation.
Step 15: Set the following values:
- Name: testuser
- Username: firstname.lastname@example.org (Note: add the domain URL which you created in Task 1)
- Leave other properties as default values
- Copy the system generated password and save it in the editor
Step 16: Click Create.
Assign users
To assign one or more users to an application directly, follow the steps below:
Step 17: Open the Azure Active Directory by clicking All services at the top of the main left hand navigation menu.
Step 18: Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.
Step 19: Click Enterprise Applications from the Azure Active Directory left hand navigation menu.
Step 20: Select the application OpenIDConnectApp.
Step 21: Once the application loads, click Users and Groups from the application’s left-hand navigation menu.
Step 22: Click the Add User button on the top navigation.
Step 23: Click the Users and groups selector from the Add Assignment pane.
Step 24: Click the Users section.
Step 25: Select the test user created in the previous task.
Step 26: Click the Select button to add them to the list of users and groups to be assigned to the application.
Step 27: Click the Assign button to assign the application to the selected users.
Task 4: Re-build the existing application from Lab 1
Step 28: Open Visual Studio 2017 and click File > Open > Project/Solution.
Step 29: Go to the path where you have the OpenIdConnect.sln file and click Open.
Step 30: Right-click the project and build it. It should build successfully without any errors.
Step 31: In the appsettings.json file, under AzureAd, provide values for Domain, TenantId, and ClientId (Application ID) that you recorded earlier from Azure AD.
Step 32: In Startup.cs, comment out line 38 and uncomment line 39, then save the file.
Step 33: Build the application.
Task 5: Deploy the sample ASP.NET app to AWS
In this task you will deploy the sample ASP.NET app to AWS.
Step 34: Right-click the project and click Publish to AWS Elastic Beanstalk.
Step 35: Under Deployment target, select Re-deploy to an existing environment.
- Select OpenIdConnectApp
Step 36: Click Next
Step 37: Leave the default values and click on Finish
Step 38: Click on Deploy
Task 6: Test the application
Step 39: Now we are ready to browse to the site and test our configuration. Open a private or incognito browser window (this helps prevent automatic sign-in behavior and cookies from affecting the test) and browse to the URL that you created in Step 10.
Note: The self-signed SSL certificate that we created earlier is not trusted by your computer, so a security warning is expected. Click Advanced and then click Add Exception.
- Enter the test username: email@example.com
- Enter the test user password: (system generated password)
- You will be prompted to change the password, so enter a new password and log in
- Once logged in, you’ll see all the claims associated with the user.
- Click on Sign Out to sign out the user