Federating a .NET Core App to Azure AD using OpenID Connect
Many customers have identities mastered in Azure AD (AAD), and many of them want to deploy .NET web applications to AWS while still authenticating users against Azure AD. This walkthrough demonstrates how an ASP.NET Core application hosted on AWS can federate to Azure AD over OpenID Connect, with Azure AD acting as the identity provider and the application as the relying party.
In this walkthrough, you will:
- Configure a trial Azure AD tenant if necessary, add a test user, and register the web application in Azure AD so that Azure AD acts as its OpenID Connect identity provider (IdP)
- Configure and deploy an ASP.NET Core Web App whose users are authenticated by Azure AD
Prerequisites:
- An AWS account with administrative rights
- Visual Studio 2017 Community Edition or better with the AWS Toolkit for Visual Studio installed
- Administrative rights in an Azure AD organization (tenant)
Task 1: Sign in to your Azure AD tenant, or create one
Use an existing tenant
Many developers already have a tenant through a service or subscription that is tied to Azure AD, such as Microsoft 365 or an Azure subscription.
Step 1: To check for an existing tenant, sign in to the Azure portal with the account you want to use to manage your application.
Step 2: Check the upper right corner. If you have a tenant, you are signed in to it automatically and its name appears directly under your account name.
- Hover over your account name in the upper right-hand corner of the Azure portal to see your name, email, directory / tenant ID (a GUID), and your domain.
- If your account is associated with multiple tenants, select your account name to open a menu where you can switch between tenants. Each tenant has its own tenant ID.
Note: If you don't have an existing tenant associated with your account, you'll see a GUID under your account name and you won't be able to perform actions like registering apps until you follow the steps of the next section.
Create a new Azure AD tenant
Step 3: If you don't already have an Azure AD tenant, or want a separate one for development, use the portal's directory creation experience. You will need to provide the following to create the new tenant:
- Organization name
- Initial domain: this becomes <name>.onmicrosoft.com. You can add a custom domain name later if you wish.
- Country or region
Task 2: Register an application
Register the sample with your Azure AD tenant
Step 4: On the top bar, select your account. Under the DIRECTORY list, choose the Azure AD tenant you identified or created in Task 1.
Note: If you have only one directory then it will be selected by default.
Step 5: In the left navigation sidebar, select Azure Active Directory.
Step 6: From the sidebar, select App registrations
Step 7: Select New application registration and provide a friendly name for the app, the app type, and the sign-on URL:
- Name: OpenIDConnectApp
- Application Type: Web app / API
- Sign-on URL: the application URL described in the following note
Note: Later in the walkthrough we deploy the test ASP.NET Core web app to AWS with Elastic Beanstalk in ap-northeast-2 (Seoul). Elastic Beanstalk environment URLs must be unique within a region, so the walkthrough assumes that the URL Visual Studio generates will be available if you append your name to the app name.
- That makes the URL: https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com
- Replace jane with your own name
- Make a note of this URL, as it is used throughout the rest of the walkthrough (you may want to keep a text file open, since there are several values to track)
Step 8: Select Create to register the app.
Step 9: Click the Settings link
Step 10: On the Properties blade, set the Logout URL to https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com/signout-oidc and select Save.
Step 11: From the Azure portal, record the following values:
- Tenant domain: copy the base of the App ID URI and paste it into your text editor. For example: JaneDemoAD.onmicrosoft.com
- Application ID (Client ID): shown on the Properties blade. For example: ba74781c2-53c2-442a-97c2-3d60re42f403
- Tenant ID: shown in the Endpoints blade; it is the GUID that appears in every endpoint URL. For example: da41245a5-11b3-996c-00a8-4d99re19f292
To get the Tenant ID:
- On the top nav, click DemoAD - App registrations
- Click the Endpoints link on the top nav
- Copy any of the URLs
- Record the GUID part of it
Note: The base address in the Sign-on URL and Logout URL settings is https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com.
Task 3: Create & Assign users to the application
Step 12: Open the Azure Active Directory by clicking All services at the top of the main left hand navigation menu.
Step 13: Click on Users link on the left nav
Step 14: Click the New User button on the top nav and set the following values:
- Name: testuser
- Username: testuser@<your initial domain>.onmicrosoft.com
Note: use the initial domain you created in Task 1 (for example testuser@JaneDemoAD.onmicrosoft.com). Leave the other properties at their default values. Copy the system-generated password and save it in your text editor.
Step 15: Click Create
To assign one or more users to an application directly, follow the steps below:
Step 16: Open the Azure Active Directory by clicking All services at the top of the main left hand navigation menu.
Step 17: Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.
Step 18: Click Enterprise Applications from the Azure Active Directory left hand navigation menu.
Step 19: Select the application OpenIDConnectApp.
Step 20: Once the application loads, click Users and Groups from the application’s left hand navigation menu.
Step 21: Click the Add User button on top nav
Step 22: Click the Users and groups selector from the Add Assignment pane.
Step 23: Click on Users section
Step 24: Select the testuser created in the previous task
Step 25: Click the Select button to add them to the list of users and groups to be assigned to the application.
Step 26: Click the Assign button to assign the application to the selected users.
Task 4: Create the .NET Core Application
In this task you will open an ASP.NET Core Web App project that runs on Elastic Beanstalk. This is the sample project from the first walkthrough, which demonstrates OpenID Connect sign-in against Amazon Cognito; here it is reconfigured to authenticate against Azure AD instead.
If you followed the first walkthrough and already have the .NET app, skip to Step 25.
- Visual Studio 2017
- Please follow this guide to install Visual Studio community edition
- AWS Toolkit for Visual Studio
Step 20: Download the project from the S3 bucket. In your browser's address bar, enter: https://bit.ly/2PGtUfs
- When the download dialog box appears, click Save.
Info: This bucket contains the .NET Core OpenIDConnect solution, a simple web application that demonstrates OpenID Connect sign-in for an ASP.NET Core app. It was written against an Amazon Cognito User Pool, and the same middleware configuration works against Azure AD once the provider settings are changed.
The sample uses the OpenID Connect ASP.NET Core middleware to sign in users. The middleware is initialized in Startup.cs with the Client ID of the app and the URL (authority) of the identity provider where the app is registered, both read from appsettings.json.
The middleware takes care of:
- Downloading the provider's OpenID Connect metadata, finding the signing keys, and finding the issuer name for the tenant.
- Processing OpenID Connect sign-in responses by validating the signature, issuer and audience of the incoming JWT, extracting the user's claims, and putting them into the request's ClaimsPrincipal (HttpContext.User).
- Integrating with the cookie authentication middleware to establish a session for the user.
You trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the [Authorize] attribute, or by issuing a challenge explicitly (see AccountController.cs).
Step 21: Unzip the file on the machine that has Visual Studio 2017 installed.
Step 22: Open Visual Studio 2017, click File >Open>Project/Solution.
Step 23: Go to the path where you have the OpenIdConnect.sln file, click Open
Step 24: Right-click the project and build it; it should build without errors.
Step 25: In appsettings.json, under the AzureAd section, provide values for Domain, TenantId and ClientId (Application ID) that you recorded from Azure AD in Step 11.
Step 26: In Startup.cs, comment out line 38 and uncomment line 39 so that the application uses the AzureAd configuration section, then save the file.
Step 27: Build the application.
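To make the configuration in Steps 25 and 26 concrete, here is what the Azure AD variant of Startup.cs and AccountController.cs looks like when written out. This is an added example, not the downloaded project's own code: it assumes an appsettings.json "AzureAd" section with the Domain, TenantId and ClientId keys named in Step 25, the Microsoft.AspNetCore.Authentication.OpenIdConnect package, and the /signin-oidc and /signout-oidc paths registered in Task 2. The tenant-claim check in OnTokenValidated is an extra defence this example adds; it is not something the page states the sample does.

```csharp
// Added example (not the sample project's code). Assumes appsettings.json contains:
//   "AzureAd": { "Domain": "JaneDemoAD.onmicrosoft.com",
//                "TenantId": "<tenant GUID from Step 11>",
//                "ClientId": "<application ID from Step 11>" }
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        var azureAd = Configuration.GetSection("AzureAd");
        var tenantId = azureAd["TenantId"];

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Tenant-specific authority: the middleware fetches
            // {Authority}/.well-known/openid-configuration for signing keys and issuer.
            // Using the tenant GUID rather than /common means tokens issued by any
            // other tenant fail issuer validation.
            options.Authority = $"https://login.microsoftonline.com/{tenantId}";
            options.ClientId = azureAd["ClientId"];

            // Sign-in only: an id_token is sufficient, so no client secret or
            // authorization-code redemption is needed for this sample.
            options.ResponseType = OpenIdConnectResponseType.IdToken;

            // Must match the Sign-on URL base and Logout URL registered in Task 2.
            options.CallbackPath = "/signin-oidc";
            options.SignedOutCallbackPath = "/signout-oidc";

            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.ValidAudience = options.ClientId;
            options.TokenValidationParameters.NameClaimType = "name";

            options.Events = new OpenIdConnectEvents
            {
                // Defence in depth (added here, not in the page's sample): reject a token
                // whose tenant claim is not ours, so the app stays single-tenant even if
                // the authority were later changed to /common.
                OnTokenValidated = ctx =>
                {
                    // "tid" is mapped to the long claim URI by the default inbound claim map.
                    var tid = ctx.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value
                              ?? ctx.Principal.FindFirst("tid")?.Value;
                    if (!string.Equals(tid, tenantId, StringComparison.OrdinalIgnoreCase))
                    {
                        ctx.Fail("id_token was issued for a different tenant");
                    }
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must run before MVC so [Authorize] sees the principal
        app.UseMvcWithDefaultRoute();
    }
}

// Issues the OpenID Connect sign-in challenge and the front-channel sign-out.
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult Login() =>
        Challenge(new AuthenticationProperties { RedirectUri = "/" },
                  OpenIdConnectDefaults.AuthenticationScheme);

    [HttpGet]
    public IActionResult Logout() =>
        // Clears the local session cookie and redirects to Azure AD's end_session
        // endpoint; Azure AD then returns the browser to /signout-oidc (Step 10).
        SignOut(new AuthenticationProperties { RedirectUri = "/" },
                CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme);
}
```

The important security settings are the tenant-specific Authority and the audience check: together they ensure the app only accepts id_tokens that Azure AD issued for this tenant and for this Client ID, which is what prevents a token obtained for some other application or tenant from being replayed to sign in here.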
Task 5: Deploy the sample ASP.NET app to AWS
In this task you will deploy the sample ASP.NET app to AWS.
If you followed the first walkthrough and already deployed the application to AWS Elastic Beanstalk (including the HTTPS binding), skip to Step 46 and redeploy.
Step 28: From the Build menu select Rebuild Solution and then right-click the project and select Publish to AWS Elastic Beanstalk
Step 29: Select the correct Region and leave the "Create a new application environment" and click Next
Step 30: Select openidconnectapp-prod from the Environment dropdown, enter the URL you chose for your app in Step 7, check its availability, and then click Next
Note: It may appear that the URL we are launching with Elastic Beanstalk does not include the region portion (ap-northeast-2 in https://openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com); Beanstalk adds that portion during deployment, so make sure you enter only the following in the URL textbox: openidconnectapp-jane-prod
Step 31: Keep the default container type, select m4.large as the instance type, and in the Key pair dropdown select the SeoulKeyPair created in Task 2 of the first walkthrough.
Step 32: Leave the default Role Settings and then click Next
Step 33: Leave the default Build and Deployment Setting, click Next and then click Deploy on the final screen
Step 34: Once the Beanstalk publishing process is complete, navigate to the AWS console and open the AWS Elastic Beanstalk UI
Note: it takes a few minutes for Beanstalk to finish provisioning the environment; refresh the page occasionally and, once the tile is green, click it to view the details of the environment
Step 35: Once the Beanstalk environment is green, navigate to the EC2 Dashboard. We need to modify the security group of the instance Beanstalk deployed on our behalf to allow incoming HTTPS (443) for the application and, temporarily, RDP (3389) so we can install the certificate.
Step 36: Click the first security group listed next to Security groups to modify it.
Step 37: Go to the Inbound tab and click Edit
Step 38: Add an HTTPS rule with source 0.0.0.0/0, ::/0 and an RDP rule with the source restricted to your own public IP address (choose My IP); do not expose 3389 to 0.0.0.0/0. Remove the RDP rule again once Step 45 is complete.
- Click Save
Step 39: Go back to the EC2 instance and copy its public IP address and Windows password, then RDP into the server. To obtain the password you must provide the key pair created in Task 2 of the first walkthrough: browse to the key pair file, click Decrypt, and copy the password into your text editor.
Step 40: RDP into the server using public IP address and password that you copied in the previous step.
Step 41: Once on the server, open a PowerShell prompt (as administrator) and run the following command to generate a self-signed SSL certificate. Use the host name of the URL you chose for your app in Step 7:
New-SelfSignedCertificate -DnsName "openidconnectapp-jane-prod.ap-northeast-2.elasticbeanstalk.com" -CertStoreLocation "cert:\LocalMachine\My"
Step 42: From the server click on the windows icon, then expand the Windows Administrative Tools folder and click on Internet Information Services (IIS Manager)
Step 43: Expand the server name at the top left, expand the Sites folder, single-click Default Web Site and then click Bindings...
Step 44: Click Add to add a new binding. In the Add Site Binding dialog make sure https is selected and the IP address is All Unassigned, select the self-signed certificate created in Step 41 from the SSL certificate dropdown, click OK, and then close the Site Bindings dialog
Step 45: Sign out of the server
Step 46: Right-click the project and click Publish to AWS Elastic Beanstalk
Step 47: Under Deployment target select Redeploy to an existing environment, then select the OpenIdConnectApp environment you deployed above
Step 48: Click Next
Step 49: Leave the default values as is and click on Finish
Step 50: Click on Deploy
Task 6: Test the application
Step 51: Now we are ready to browse to the site and test the configuration. Open a private or incognito browser window (this prevents cached cookies or automatic sign-in from masking the behaviour) and browse to the URL you chose in Step 7
Note: the self-signed certificate created earlier is not trusted by your computer, so a certificate warning is expected here; click Advanced and then Add Exception. This is acceptable only for this test; a production deployment should use a certificate issued by a trusted CA rather than a browser exception.
- Enter the test username: testuser@<your initial domain>.onmicrosoft.com (for example testuser@JaneDemoAD.onmicrosoft.com)
- Enter the system-generated password you saved in Task 3 (Bufo1588 in this example)
- You will be prompted to change the password; enter a new one and sign in
- Once logged in, you’ll see all the claims associated with the user.
- Click on Sign Out to sign out the user