Integrating ADFS for CorpNet users with ACS via toolkit 1.3.2

Jan 16, 2012 at 8:49 PM

I'm developing a Windows Phone 7.1 application for Microsoft CorpNet users.  I've received an Onboarding certificate from the IAM AD Federated Service Team, which is tied specifically to my Azure site (wpmbi.cloudapp.net).  I've created a new Windows Phone Cloud Application project for the wp7 app, but I'm having trouble configuring ACS.

I've worked through the sample applications contained with the toolkit and was able to set up an identity provider that functioned properly with Windows Live Id, but I can't figure out how to extend that to CorpNet authentication.  I've created a WS-Federation identity provider, have added my Onboarding certificate to the Service Settings section, and have set up my Relying Party Application to use this identity provider and the Onboarding certificate for token signing and encryption.  I've named this identity provider, "CorpNet ADFS".

I have changed the settings in app.xaml to point to the cloud and have deployed the app.  The web role, which runs the Mobile Cloud Application Services Manager that was created with the project, runs fine in the cloud.  When I run the Windows Phone app in the emulator, it lists "CorpNet ADFS" under the "Log In" heading.  When I click on "CorpNet ADFS", I see "Contacting CorpNet ADFS" with the dynamic (red dots) ProgressIndicator scrolling across the page.  It never gets beyond this point.  There is no error.  It just never stops displaying the "Contacting CorpNet ADFS" message.

Could anyone point to an online sample that uses CorpNet for authentication, or perhaps suggest what specifically has to be set up in ACS to support that type of authentication?  Or, perhaps a suggestion of how to debug what is going on when the application contacts CorpNet and never returns?

Thanks,

Scott

Jan 19, 2012 at 9:24 PM

More information.  Now I can get to the CorpNet login page.  After I enter my username and password I get a quick flash of a white screen, but the token is never returned to the wp7 app.  I believe that I am reaching the authentication site after the submission, because if I enter the wrong password it tells me so.  How can I debug this?  What specifically should I look for in the ACS settings that could cause this?  Could it be that CorpNet requires certificates specific to the calling site, but the app expects the token to be encrypted via SWT?  I'm pretty new to certificate-based credentials.  Any guidance would help.

Coordinator
Jan 24, 2012 at 2:58 AM

Let's connect via email. Can you ping me at waztoolkitwp7@microsoft.com? Thanks!

Jan 25, 2012 at 10:43 PM

I'll answer my own questions in case anyone else is trying to make ACS work with CorpNet, or another entity that requires a site-specific certificate.  My problem was a configuration issue.  I got it to work, like this:

1.) Create an ADFS identity provider, using the following URL for the WS-Federation metadata:

https://corp.sts.microsoft.com/FederationMetadata/2007-06/FederationMetadata.xml

2.)  Create a relying party application as follows:

   a.)  Realm:  Your application url (e.g. http://yourapp.cloudapp.net/)

   b.)  Token Format:  SWT

   c.)  Identity Provider:  The one you created in step #1.

   d.)  Token Signing Certificate:  Create new 256-bit Symmetric Key (click the Generate button) with "Type:  Symmetric Key" selected.

   e.)  Token Encryption Certificate:  A .cer certificate file made by exporting your onboarded certificate without the private key (don't forget to include all chain certs in the export).

   f.)   Token Decryption Certificate:  A .pfx certificate file made by exporting your onboarded certificate with the private key (don't forget to include all chain certs in the export).

   g.)  Rule Group:  Use default or create a new one that utilizes your claims.

The problem that I had was that I thought I should set the token format to SAML 2.0, since that is what the CorpNet issuer uses.  The SAML token was being returned, but the toolkit app didn't know what to do with it.  I didn't realize that the ACS relying party can be set to SWT and ACS will handle the conversion from SAML to SWT before returning it to your toolkit-based app.  Once I had everything in place, the authentication went smoothly.
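The relying party above hands the phone app an SWT signed with the 256-bit symmetric key from step 2d, so the app only ever needs to check an HMAC, not a SAML signature. The following is an added example (not part of this thread or the toolkit) showing what the receiving side must verify: the HMACSHA256 trailer, the Audience against the realm from step 2a, the Issuer, and ExpiresOn. The key, realm and issuer URL are constructed stand-ins; the mis-set "SAML 2.0" case from this post shows up as a token with no HMACSHA256 pair.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote

# Constructed stand-ins (not real values): the 256-bit symmetric key ACS generates in
# step 2d, the realm from step 2a, and a hypothetical ACS namespace as issuer.
SYMMETRIC_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
REALM = "http://yourapp.cloudapp.net/"
ISSUER = "https://your-namespace.accesscontrol.windows.net/"


def _sign(body, key_b64):
    """HMAC-SHA256 over the raw form-encoded token body, keyed with the decoded symmetric key."""
    return hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()


def issue_swt(claims, key_b64, audience, issuer, expires_on):
    """Build an SWT the way an ACS relying party set to 'SWT' emits it: URL-encoded
    key=value pairs joined by '&', with HMACSHA256=<base64 signature> appended last."""
    pairs = list(claims.items()) + [
        ("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(expires_on))]
    body = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    return body + "&HMACSHA256=" + quote(base64.b64encode(_sign(body, key_b64)).decode(), safe="")


def validate_swt(token, key_b64, audience, issuer, now=None):
    """Return the claims if the token is authentic and valid for this realm, else raise.
    A SAML token (XML) has no HMACSHA256 pair, which is the symptom described in the thread."""
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("not an SWT (no HMACSHA256 signature); check the relying party token format")
    body, sig = token[:idx], base64.b64decode(unquote(token[idx + len(marker):]))
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(_sign(body, key_b64), sig):
        raise ValueError("signature mismatch: token altered or signed with another key")
    claims = dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    if claims.get("Audience") != audience:
        raise ValueError("token issued for a different realm")
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if int(claims.get("ExpiresOn", "0")) <= int(now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```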


Jul 19, 2012 at 9:38 AM

Thanks for sharing. Your Point 1 helped in my case.