The Rain and The Shade

October 2, 2011

Azure Access Control Service Usage Scenario

Filed under: Windows Azure — ovaisakhter @ 11:19 pm

In my last post I discussed a bit about setting up and configuring the Access Control Service. I also gave you a pointer to read on how can you establish the trust between your application and ACS. So we are pretty much on our way with Authentication.

In most of the web applications you will not need  much of authorization. What we may need to do is to get some additional information from the user and remember that information when the user comes again. For this you will need to know the user’s identity. So that you can map this identity with your user related data stored in your application.

In some applications you may need to further refine user access based on roles. You can use the same pattern here, i.e. map the user roles stored in your application with the id provided by the Identity provider. If your identity provider provides role information you can get this information from ACS by effectively using Rules in ACS. You can keep the role information in the ACS and have it transmitted to the application as part of the information sent to the application(explained in previous post how can you accomplish this).

No matter what your requirement is or what ever pattern you choose to use the thing you will require is that you should be able to get hold all the information sent by ACS before any functionality of your application is called. In Asp.Net MVC this can be accomplished as follows.

Create a class in your application

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthorizeAttribute :
                       FilterAttribute, IAuthorizationFilter
       public void OnAuthorization(AuthorizationContext filterContext)


this class defines an attribute which can be used on your Controller classes or methods. OnAuthorization method is called before any method of the controller is called which is decorated by this attribute.

    public class HomeController : Controller
        // GET: /Home/
        public ActionResult HomeView()
            return View();


You can enhance the attribute to take a take role(s) which are authorized to use this controller (or method if used on a method), I personally prefer getting a controller id and mapping that with roles in some configuration but this is a discussion of another time.

For now let us get hold of the information sent by the ACS and try to display that on your page. Once you can do that then you can map it, compare it or store it, as you like. The key in getting this information is in this statement

          var user = filterContext.RequestContext.HttpContext.User as IClaimsPrincipal;

IClaimPrincipal is the the interface which opens doors for the analysis of information sent by ACS.  It took me some effort to find out where I can get hold of this interface. This interface can be found in Microsoft.IdentityModel.dll present at the following location

“c:\Program Files\Reference Assemblies\Microsoft\Windows Identity Foundation\v3.5\Microsoft.IdentityModel.dll”

All the information provided by the Identity Providers is in the form of claims. This instance of the interface contains all the claims provided by ACS. These statements iterate through all the claims and add them to a string list. Later on we will display this list inside our page.

var claims = new List<string>();
           filterContext.Controller.ViewBag.ClaimsInfo = claims;
               claims.AddRange(from identity in user.Identities
                               from claim in identity.Claims
                               select string.Format("Claim:Name:{0}, Value:{1}", claim.ClaimType.Substring(claim.ClaimType.LastIndexOf("/")+1), claim.Value));

I have added the list to the ViewBag so that it is accessible from the view. this simple Razor markup will display this list in our page

@foreach (var item in ViewBag.ClaimsInfo)

Here is the output when I logged in using my Gmail account.


You can see the admin role injected by me in previous blog also.

Mostly we will be interested in the emailaddress claim we can use it to map the application user data with the logged in user.


Blog at