Federating a .NET Core App to Azure AD using OpenID Connect

Overview

Many customers have their identities mastered in Azure AD (AAD), and many of those customers want to deploy .NET web applications to AWS while still authenticating users against Azure AD. This walkthrough demonstrates how an OpenID Connect federation between an application hosted on AWS and Azure AD can be used to build that authentication configuration.

Topics covered

In this walkthrough, you'll do the following:

  • Configure a trial Azure AD tenant if necessary, add a test user and register an external federated application with Azure AD as its OpenID Connect identity provider (IdP)
  • Configure and deploy an ASP.NET Core Web App that authenticates its users against Azure AD

Pre-requisites

  • An AWS account with administrative rights
  • Visual Studio 2017 Community Edition or better with the AWS Toolkit installed
  • Admin rights on an Azure AD organization

Task 1: Log in to an existing Azure AD tenant or create a new one

Use an existing tenant

Many developers already have tenants through services or subscriptions that are tied to Azure AD, such as Microsoft 365 or Azure subscriptions.

Step 1: To check the tenant, sign in to the Azure portal with the account you want to use to manage your application.

Step 2: Check the upper right corner. If you have a tenant, you'll automatically be logged in and can see the tenant name directly under your account name.

  • Hover over your account name on the upper right-hand side of the Azure portal to see your name, email, directory / tenant ID (a GUID), and your domain.
  • If your account is associated with multiple tenants, you can select your account name to open a menu where you can switch between tenants. Each tenant has its own tenant ID.

Note: If you don't have an existing tenant associated with your account, you'll see a GUID under your account name and you won't be able to perform actions like registering apps until you follow the steps of the next section.

Create a new Azure AD tenant

Step 3: If you don't already have an Azure AD tenant, or want to create a new one for development, follow the directory creation experience. You will have to provide the following information to create your new tenant:

  • Organization name
  • Initial domain - this will be part of *.onmicrosoft.com. You can customize the domain name later if you wish.
  • Country or region

Task 2: Register an application

Register the sample with your Azure AD tenant

Step 4: On the top bar, select your account. Under the DIRECTORY list, choose the Azure Active Directory tenant which you created in the previous step.

Note: If you have only one directory, it will be selected by default.

Step 5: In the left navigation sidebar, select Azure Active Directory.

Step 6: From the sidebar, select App registrations.

Step 7: Select New application registration and provide a friendly name for the app, the app type, and the sign-on URL:

  • Name: OpenIDConnectApp
  • Application Type: Web app / API
  • Sign-on URL: enter the URL for your app (see the note below) and click Create

Note: Later in the walkthrough we will deploy the test ASP.NET Core web app to AWS with Elastic Beanstalk. We assume that in ap-northeast-2 the Elastic Beanstalk URL generated by Visual Studio will be unique and available if you add your name after the app name in the URL.

Step 8: Select Create to register the app.

Step 9: Click on the Settings link.

Step 10: On the Properties blade, set the Logout URL to https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com/signout-oidc and select Save.

Step 11: From the Azure portal, note the following information:

  • Tenant domain: Copy the App ID URI base URL and paste it in a text editor. For example: JaneDemoAD.onmicrosoft.com
  • Application ID (Client ID): See the Properties blade. For example: ba74781c2-53c2-442a-97c2-3d60re42f403
  • Tenant ID: See the Endpoints blade. Record the GUID from any of the endpoint URLs. For example: da41245a5-11b3-996c-00a8-4d99re19f292

Note: The base address in the Sign-on URL and Logout URL settings is https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com.

Task 3: Create & Assign users to the application

Create User

Step 12: Open Azure Active Directory by clicking All services at the top of the main left-hand navigation menu.

Step 13: Click on the Users link in the left nav.

Step 14: Click on the New User button in the top nav.

Step 14: Set the following values:

  • Name: testuser
  • Username: testuser@janedemoad.onmicrosoft.com

Note: use the domain you created in Task 1.

  • Leave the other properties at their default values
  • Copy the system-generated password and save it in your text editor

Step 15: Click on Create.

Assign users

To assign one or more users to an application directly, follow the steps below:

Step 16: Open Azure Active Directory by clicking All services at the top of the main left-hand navigation menu.

Step 17: Type "Azure Active Directory" in the filter search box and select the Azure Active Directory item.

Step 18: Click Enterprise Applications in the Azure Active Directory left-hand navigation menu.

Step 19: Select the application OpenIDConnectApp.

Step 20: Once the application loads, click Users and Groups in the application's left-hand navigation menu.

Step 21: Click the Add User button in the top nav.

Step 22: Click the Users and groups selector from the Add Assignment pane.

Step 23: Click on the Users section.

Step 24: Select the testuser created in the previous task.

Step 25: Click the Select button to add them to the list of users and groups to be assigned to the application.

Step 26: Click the Assign button to assign the application to the selected users.

Task 4: Create .NET Core Application

In this task you'll create an ASP.NET Core Web App project that will run on Elastic Beanstalk. It is a sample project that was originally written to demonstrate integration with Amazon Cognito; here it is re-pointed at Azure AD.

If you followed the first walkthrough and have already created the .NET app, skip to Step 25.

Prerequisites

Step 20: Download the project from the S3 bucket:

  • In the address bar of Internet Explorer, enter: https://bit.ly/2PGtUfs
  • When the Internet Explorer dialog box appears, click Save.

Info: This bucket contains the .NET Core App OpenIDConnect solution. It is a simple web application that demonstrates Amazon Cognito integration with an ASP.NET Core app using OpenID Connect.

The sample shows how to use the OpenID Connect ASP.NET Core middleware to sign in users from an Amazon Cognito User Pool. The middleware is initialized in the Startup.cs file by passing it the Client ID of the app and the URL of the Amazon Cognito IdP where the app is registered; both values are read from the appsettings.json file.

The middleware takes care of:

  • Downloading the Amazon Cognito metadata, finding the signing keys, and finding the issuer name for the tenant.
  • Processing OpenID Connect sign-in responses by validating the signature and issuer of the incoming JWT, extracting the user's claims, and putting the claims in ClaimsPrincipal.Current.
  • Integrating with the session cookie ASP.NET Core middleware to establish a session for the user.

You can trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the [Authorize] attribute or by issuing a challenge (see the AccountController.cs file).

Step 21: Unzip the file on the instance that has Visual Studio 2017 installed.

Step 22: Open Visual Studio 2017 and click File > Open > Project/Solution.

Step 23: Go to the path where you have the OpenIdConnect.sln file and click Open.

Step 24: Right-click on the project and build it; it should build successfully without any errors.

Step 25: In the appsettings.json file, under AzureAd, provide values for:

  • Domain, TenantId and ClientId (Application ID), which you recorded earlier from Azure AD

Step 26: In Startup.cs, comment out line 38, uncomment line 39 and save the file.

Step 27: Build the application.
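What the Startup.cs switch in Steps 25 and 26 amounts to, written out as an added example (this is not the sample project's own Startup.cs): the OpenID Connect middleware is pointed at the Azure AD tenant recorded in Step 11. It assumes an ASP.NET Core 2.x project with the Microsoft.AspNetCore.Authentication.OpenIdConnect package and an "AzureAd" section in appsettings.json with the Domain, TenantId and ClientId keys from Step 25.

```csharp
// Added example (not the sample project's Startup.cs): wiring the ASP.NET Core
// OpenID Connect middleware to the Azure AD tenant recorded at Step 11.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public class Startup
{
    public Startup(IConfiguration configuration) { Configuration = configuration; }
    public IConfiguration Configuration { get; }
    public void ConfigureServices(IServiceCollection services)
    {
        // Values entered in appsettings.json under "AzureAd" at Step 25.
        var azureAd = Configuration.GetSection("AzureAd");
        var tenantId = azureAd["TenantId"];
        services.AddAuthentication(options =>
        {
            // The session is a cookie; unauthenticated requests are challenged with OIDC.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Tenant-specific authority: the middleware fetches
            // {Authority}/.well-known/openid-configuration and the JWKS signing keys from it.
            options.Authority = $"https://login.microsoftonline.com/{tenantId}";
            options.ClientId = azureAd["ClientId"];
            // The redirect URI is {base URL}/signin-oidc (the default CallbackPath); Azure AD
            // must list it as a reply URL. The signed-out path matches the Logout URL of Step 10.
            options.SignedOutCallbackPath = "/signout-oidc";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Pin the issuer so an id_token minted by any other tenant is rejected.
                ValidIssuer = $"https://sts.windows.net/{tenantId}/",
                NameClaimType = "name"
            };
        });
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] can issue the challenge
        app.UseMvcWithDefaultRoute();
    }
}
```

With this in place, any controller or action decorated with [Authorize] redirects an unauthenticated browser to login.microsoftonline.com for the tenant and the id_token that comes back is checked against that tenant's signing keys and issuer before a session cookie is created.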

Task 5: Deploy the sample ASP.NET app to AWS

In this task you will deploy the sample ASP.NET app to AWS.

If you followed the first walkthrough and have already deployed the application to AWS Elastic Beanstalk, skip to Step 48.

Step 28: From the Build menu select Rebuild Solution, then right-click the project and select Publish to AWS Elastic Beanstalk.

Step 29: Select the correct Region, leave "Create a new application environment" selected and click Next.

Step 30: Select openidconnectapp-prod from the Environment dropdown. Make sure to use the URL you created for your app in Step 10, check the availability of the URL and then click Next.

Note: It may appear that the URL we are launching with Elastic Beanstalk does not include the region portion of the hostname (for example the ap-northeast-2 in https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com); Beanstalk adds that portion of the URL during deployment, so make sure you enter only the following in the URL textbox: openidconnectapp-jane-prod

Step 31: Keep the default value for container type, select m4.large as the instance type and in the Key pair dropdown select the SeoulKeyPair which was created in Task 2.

Step 32: Leave the default Role Settings and click Next.

Step 33: Leave the default Build and Deployment Settings, click Next and then click Deploy on the final screen.

Step 34: Once the Beanstalk publishing process is complete, navigate to the AWS console and open the AWS Elastic Beanstalk UI.

Note: we'll need to wait a few minutes for Beanstalk to finish provisioning the environment. Refresh the page occasionally; once the tile is green you can click on it to view the details of the environment.

Step 35: Once the Beanstalk environment is green, navigate to the EC2 Dashboard. We need to modify the security group to allow incoming traffic on port 443.

  • For the instance that Beanstalk deployed on our behalf, add the 443 and 3389 port rules

Step 36: Update the Security Group for this server to allow traffic on ports 3389 and 443. Click on the first security group next to Security groups to modify it.

Step 37: Go to the Inbound tab and click on Edit.

Step 38: Add RDP and HTTPS rules, making sure the IP address is set to 0.0.0.0/0, ::/0.

  • Click on Save

Step 39: Go back to the EC2 instance and copy the Public IP address and the Windows password, then RDP into the server.

  • To retrieve the password, you'll have to provide the key pair which was created in Task 2.
  • Browse to the key pair file and click on Decrypt
  • Copy the password into a text editor

Step 40: RDP into the server using the public IP address and password that you copied in the previous step.

Step 41: Once on the server, open a PowerShell prompt (as an administrator) and execute the following command to generate a self-signed SSL certificate. Make sure to use the hostname of the URL that you created for your app in Step 11; the DNS name must match it exactly or browsers will reject the binding.

New-SelfSignedCertificate -DnsName "openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com" -CertStoreLocation "cert:\LocalMachine\My"

Step 42: On the server, click on the Windows icon, expand the Windows Administrative Tools folder and click on Internet Information Services (IIS Manager).

Step 43: Expand the server name at the top left and expand the Sites folder, single-click the Default Web Site and then click Bindings...

Step 44: Click Add to add a new binding. In the Add Site Binding dialog make sure https is selected and All Unassigned is chosen for the IP address, select the self-signed SSL certificate created earlier from the SSL certificate dropdown, click OK and then close the Site Bindings dialog.

Step 45: Sign out of the server.

Step 46: Right-click on the project and click on Publish to AWS Elastic Beanstalk.

Step 47: Under Deployment target select Redeploy to an existing environment.

  • Select OpenIdConnectApp

Step 48: Click Next.

Step 49: Leave the default values as they are and click on Finish.

Step 50: Click on Deploy.

Task 6: Test the application

Step 49. Now we are ready to browse to the site and test our configuration. Open a private or incognito browser window (this helps prevent any automatic sign-in behaviour and/or existing cookies from altering the result) and browse to the URL that you created in Step 10:

https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com/

Note: the self-signed SSL certificate that we created earlier is not trusted by your computer, so expect to see the browser's security warning. Click on Advanced and then click on Add Exception.

  • Enter the test username: testuser@janedemoad.onmicrosoft.com
  • Enter the test user password: Bufo1588 (the system-generated password)
  • You will be prompted to change the password; enter a new password and log in
  • Once logged in, you'll see all the claims associated with the user.
  • Click on Sign Out to sign out the user