Steve Spencer's Blog

Blogging on Azure Stuff

Creating your own identity provider for Windows Azure AppFabric Access Control

Whilst doing an access control service demo I was asked whether you could wire in your own existing authentication mechanisms as customers did not want to have to redo their authentication/registration mechanisms to use Live ID, Google, Yahoo! etc. The answer to this was yes but I had never done it so this was a good time to investigate how.

I started off with the Windows Azure Platform Training Kit(VS2010) and worked through the “Introduction to the AppFabric Access Control Service V2” lab to setup a web site that allows login via Live ID, Google and Yahoo!. Once this was running I needed to create my own provider and wire it into the lab solution that I just created. There is an additional lab ""Federated Authentication in a Windows Azure Web Role Application" which gives the basics of creating your own identity provider. Unfortunately this does not link to ACS so I needed to work out how to wire the provider in. The following instructions are how I created the site and wired it in:

Taking the ACS lab solution as the basis, create an ASP.Net website that will carry out the login process. For this I added a “ASP.NET Security Token Service Web Site”. Right click on your solution and select new website. Make sure that the URL you enter for the site includes https at the start. (e.g. https://localhost/MyIDProvider).

When the project is created, you need to change some of the code in the template as it does not handle the return address correctly when redirecting from your identity provider after logging in.

The template for an STS web site needs the following code changing in App_Code\CustomSecurityTokenService.cs

Go to GetScope and change the line

scope.ReplyToAddress = scope.AppliesToAddress;


scope.ReplyToAddress = String.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo; 

This takes the replyto address from the query string and uses this to redirect back to ACS once the login process has been completed. There are 2 other changes required to the basic STS template in order for it to work correctly.

Open web.config and search for IssuerName in the application settings section and change it to be the url of your STS website (e.g. https://localhost/MyIDProvider)

Also change the SigningCertificateName to point to a certificate that exists in your local machine certificate store. This website will now provide a simple mechanism for logging in. Without any changes you can enter any username and it will authenticate. At this point you will need to wire in your own authentication mechanism, but for testing purposes the default site will allow you to set it up correctly and test it out.

We now need to wire this into ACS. I am using the labs version of the access control service at

Navigate to your Access Control Service at appfabriclabs.

Click “Identity Providers”, “Add Identity Provider” and add a new “Microsoft Active Directory Federation Service 2.0” provider. The two bits that are important are “WS-Federation metatdata” and the relying party application. Browse to the FederationMetadata.xml file of your STS project you have just created. (e.g. C:\inetpub\wwwroot\MyIDProvider\FederationMetadata\2007-06\FederationMetadata.xml). Also ensure that the ACS website created as part of the labs is checked and press Save.

The final piece of configuration that is required is to add in the rules for your provider. still in the Access Control Service portal, click “Rule Groups”, select the rule group that you setup for your ACS lab and select “Generate Rules”. Ensure that your new identity provider is in the list and that it has been checked and press the “Generate” button. Two new rules should have been added for your provider (Pass through for name and role). You are now ready to test this.

To make it easier to see what is happening I added the following to the Default.aspx of my ACS lab

In default.aspx add the following:

    <asp:LoginView ID="LoginView1" runat="server">
            <asp:Panel Visible="true" CssClass="secretContent" runat="server" ID="unauthorisedContent">
            You are unauthorised to view this page
                You are logged in
            <asp:RoleGroup Roles="Administrator">
                    <asp:Panel ID="SecretContent" runat="server" CssClass="secretContent" 
                        Secret Content (Only administrators can access this section)

This will display the login status so you can see whether the login works or not.

Also add the following style to the site.css file in the ACS lab site:

  border-style: solid; 
  background-color: Red; 
  padding: 5px;
  color: White;

Run the ACS lab application and check to see if your provider appears in the list of providers and also that when you click on the button it redirects to you page. Login and you should be redirected to the Default.aspx page of the ACS lab site with the text “you are logged in”.

You may want to change the claims that are allowed for specific users. This is done in App_Data\CustomSecurityTokenService.cs in your identity provider web site.

Modify GetOutputClaimsIdentity to change depending upon who is logged in.

Change the code that adds a Manager Role to the following code to allow a user called Steve to be an administrator and everyone else as a user.

if (principal.Identity.Name.Equals("Steve") == true)
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Administrator"));
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "User"));

Run your ACS website again and login with “Steve” and you should now see the secret content that only administrator should see. Login as anyone else and you will not see the secret content.

All that you need to do now is to wire in your own authentication mechanism and deal with the claims for each user.

“SetConfigurationSettingPublisher needs to be called before FromConfigurationSetting can be used” Error on Azure SDK 1.3

Last week I was trying to demonstrate accessing Azure Table Storage after I upgraded to the Azure SDK 1.3. During the demo I kept getting the exception “SetConfigurationSettingPublisher needs to be called before FromConfigurationSetting can be used” even though I had written this code and my demos all worked fine previously. After some digging and some help from a delegate who had seen this problem before I removed the sites configuration from my ServiceDefinition.csdef file.

   <Site name="Web">
       <Binding name="HttpIn" endpointName="HttpIn" />

My demo’s suddenly started working. The sites configuration is part of a feature to allow you to host multiple websites within a single web role. (This also explained why all my projects wanted to be upgraded when they were opened). Steve Marx has written a blog post which details the fixes and reasons why this issue arises. I have now moved my code for SetConfigurationSettingPublisher from my web role OnStart to my Global.asax.cs Application_Start. My demo’s now work correctly :)

Azure Jumpstart and Accelerator links

Thanks for attending the Azure Jumpstart and Accelerator events in Dublin and Belfast (also the Galway Live Meeting).

Here are the list of links from my presentations:

Azure HOL (August labs = VS2008, November Labs = VS2010) (Update: 7 Jan 2011 : Looks like this link does not give the 2008 option any more)

Also include the December update for Azure SDK 1.3 for VS2010 (

Shared Access signatures

CNAME mappings to CDN URLs

Adaptive Streaming can be made to work with the CDN too

Ticket Direct Case study

MSDN offers

Patterns Azure Guidance

Windows Azure AppFabric Labs (to see the latest changes to App Fabric)

PDC Review

Having just returned from PDC in LA, here are my highlights from the week.

Windows Azure - this is the OS for the cloud. Microsoft have learnt from their experiences and created a secure, scalable platform for developing and deploying your web applications.

.Net Services - Are a set of services hosted in the cloud to help you to develop cloud based or cloud aware applications. .Net services consists of 3 main components: Access Control, Service Bus and Workflow. Access control uses standards based identity systems including LiveId to help to secure your cloud applications. Whether the service is hosted behind your fire wall or in the cloud, the service bus allows you to connect your applications and services together across the internet. Workflow services is a cloud based host for your WF workflows and includes a set of management tools and api

OSLO - A platform for model driven development and consists of a modelling language called M; A tool for interacting with models called Quadrant; and a Repository which is a SQL server based database for storing and sharing models. M is used to define the domain specific data model, create a grammar for entering data and create a way of visualising the data.

Dublin - this is the codename for Microsoft's Application server. Dublin is a robust and scalable host for WF and WCF applications and will be used to support the OSLO modelling technologies.

Visual Studio 10 - There are some nice cool features in VS10 including impact analysis, historical debugging and better test management. Impact analysis looks at the code that has been changed and identifies the unit tests that are affected by the changes , allowing them to be run easily. Historical debugging allows debugging to be carried out after a fault has occurred and rewind backwards and see the state of the system rather than stepping forward through the system. Some issues are difficult to reproduce or step through without affecting the system. Having the ability to replay the sequence after the fault has occurred and interrogate the data will help the developers to fix problems more efficiently. Historical debugging can be tied into better test management by allowing the testers to run through their test scenarios and when a fault occurs, mark the test as a failure and then send the whole test information including a video (if selected) and the historical debug information through to the developer to fix. This will also help to eliminate the faults that can not be reproduced in the development environment.

Windows 7 - Another version of the windows operating system that should use less memory and be faster than Vista. In addition there will be multi desktop support in Remote desktop and on the fly virtual hard drive support which can then become bootable if required and better home networking.

BlackMarble SOA/BizTalk Event

Thanks to everyone who sat and listened to my presentations on BizTalk RFID, ESB and ISB. I hope that you found them useful.

As promised here are the links:

Biztalk RFID :

Blue C Sushi :

ESB Guidance :

Robert's Blog on installing ESB: ESB Guidance Setup Walk through (DRAFT)

Biztalk Services/ISB:

Oslo in a nutshell

What is Oslo all about? According to Microsoft's Burley Kawasaki at Architect Insight, Oslo is a new way to build connected applications where services are extended from client to cloud and models become the mainstream part of development. Oslo is not a product but a way of working.

Other things of interest from Architect Insight include the ConfigWeb sample (from Stock Trader) for configuring enterprise web applications ( The Internet Service bus and biztalk services (

Scrum Overview

Scrum is a process to help with the day to day running of projects. From my experience of running projects using scrum I have written an overview document. This is probably not pure scrum but it works and has practical advise. The overview is written from the team leaders perspective and may be useful to new team leaders or existing team leaders who are new to scrum.

overview - Scrum overview (pdf).

When is Complete Complete?

Developing software is complex but breaking the problem down into smaller tasks makes the job easier. It is OK if you are the person who defines the work, splits it down and then completes it yourself as you fully understand what the problem is and when the problem is solved. This is not normally the way it works in the real world. Here the problem is defined by the customer; there is generally someone or a layer or people defining what needs to be done to solve the problem and then a group of developers who are actually implementing the solution. Once the problem and its solution are split between different people the concept of complete starts to become an issue. There are three points of view of completed:  Developers’ perspective, Team Leaders’ perspective, Customers’ perspective.

The customers perspective of completed is when the customer gets what they want. This is not necessarily what is in the requirements. One of the biggest problems with requirements is that the person or people who normally write them understand what they want and often assume that something will be like what they want without actually specifying what it is they actually want. These are hidden or implicit requirements.

The team leaders’ perspective of completeness is when the developers have told the team leader that the task is completed and the software has been built, deployed and is in a fit state to test or demonstrate.

The developers’ perspective dictates that something is complete when the item of work given to the developer is completed as close to the specified design as possible. If you are lucky the developer has let the team leader know which parts of the design have not been implemented for whatever reason.

These three perspectives often are not compatible with each other which lead to disappointment with the customer as things do not appear to be going to plan even though the developers and team leaders think things are going well. If you are not careful this could lead to a de-motivated workforce and an even more disappointed customer.

One of the secrets of a successful development is to align the three perspectives of completion. This generally lies with the team leaders or project managers. This layer of the development process, interfaces with both the customers and the developers and it is their actions that ultimately determine how successful the project is. For simplicity we shall assume that the team leader is handling this issue. It could easily be anyone of the senior members of the development team: the consultant, designer, project manager, team leader etc. It is the team leaders’ responsibility to fully understand what is actually expected to be delivered to the customer. If the team leader does not fully understand what is required then how can anyone expect to get what they want? The team leader must rely on fact and not hearsay or rumours. The team leader must understand the requirements and try to work out what the implicit requirements are and handle the delivery expectations of the customer. If there are features that the customer seems to be talking about that are not explicitly specified in the requirements then the team leader needs to get to grips with what the customer is expecting to be delivered. This will often contradict with what the development team has been contracted to do. This may require that the project manager needs to ensure that the scope of the project is managed and that additional work is charged accordingly (assuming that the customer and developers work for different organisations). It is the team leaders’ responsibility to make sure that the customer is aware of what is being delivered at each stage.

Once the team leader has aligned the customers’ expectations with the requirements the development team can now work to complete the tasks. To make sure that the team understands what they are expected to deliver the team leader must specify the minimum criteria for completeness. This is effectively a set of tasks which explicitly defines what needs to be done. This will include testing, preparing for a demo (including what features are required to demo) and building and deploying. The goal of the team needs to be specified so that all the development team understands what is expected from them. The team needs to be made responsible for delivering the demonstration and the whole team needs to be involved with its preparation. This means that whilst the demonstration is being prepared and the software is being built and deployed, any problems are resolved as soon as possible by the development team. In addition to this any short fall in specification needs to be identified as early as possible so that the customer can be notified and/or the problem resolved before the item is delivered as complete. It is the team leaders’ responsibility to ensure that all this happens, if the delivery is not successful then is it not acceptable for the team leader to blame any member of the team. They are ultimately responsible for the successful delivery.

Aligning the perspective of completeness of the customer, team leader and developer is one of the key to successful software developments. The team leader is the catalyst for this alignment and needs to be able to communicate effectively with the customer and the developer; to understand what is required and to communicate this to the development team.

MVC &amp; Windows Workflow - Controlling page order - Part 1

Having read the article in MSDN magazine about the Microsoft MVC, I decided to have a go myself, I also though it would be a good idea to try to combine this with Windows Workflow and see if I can control the order of pages based upon the state of a workflow state machine. In Part 1 I build the MVC application with a simple model that determines the page order of a wizard type interface. Part 2, which is coming as soon as I manage to write it up and tidy up my demo :), adds the work flow element to the model. [download PDF source]