1. Create the Windows Azure namespace and configure the Service Bus, as explained in Microsoft Dynamics AX Connector for Mobile Applications.
2. Add the Service Bus as the relying party in the ACS. In this way, the ACS is responsible for providing security to the Service Bus. For more information, see the “Configuring the Access Control Service; Configure the relying party applications” section in Microsoft Dynamics AX
3. Set up trust between AD FS 2.0 and the ACS.
The Active Directory server acts as the identity provider. It contains information about the corporate users and authenticates a user’s identity. Configure AD FS on the Active Directory server. The AD FS is also a security token service (STS) that provides security tokens to requestors.
Configure AD FS to trust only requests coming from the ACS of the Service Bus for the namespace that you created. For example, add the endpoint https://contosomobile-sb.accesscontrol.windows.net as a relying party in the AD FS by providing the federation metadata URL exposed by the ACS. For more information, see the “Configuring an Active Directory Federation Service for authentication” section in Microsoft Dynamics AX Connector for Mobile Applications.
Configure the ACS to trust claims coming from the AD FS. To do this, go to your namespace’s Management Portal for the ACS, and add the AD FS as an identity provider in the Identity Provider configuration section. You will need to add the federation metadata URL exposed by the AD FS server. For more information, see the “Configuring the Access Control Service; Add and configure the identity provider” section in Microsoft Dynamics AX Connector for Mobile Applications.
4. Map incoming claims to outgoing claims in the ACS. These claims will be inspected by the Service Bus. An incoming claim of the windowsaccountname type should be mapped to an outgoing claim of the net.windows.servicebus.action type with a value of Send. (For more information, see the “Configuring the Access Control Service; Configure rule groups” section in Microsoft Dynamics AX Connector for Mobile Applications.) This will ensure that any authenticated user having the windowsaccountname claim sent by the AD FS is authorized to send a message through the Service Bus.
5. Set up trust between the middle-tier WCF service and the corporate AD FS.
The AD FS uses an X.509 token signing certificate issued by a CA to digitally sign the SAML token containing the claims about the user. For more information, see the “Configuring an Active Directory Federation Service for authentication; Add/Configure the token signing certificate” section in Microsoft Dynamics AX Connector for Mobile Applications.
When setting up the trust, observe the following guidelines:
The X.509 token signing certificate needs to be installed in the Trusted Root Certification store on the machine that hosts the middle-tier WCF service.
The thumbprint of the certificate should be made available to this service. By using this thumbprint, the service can verify that the claims are from an authorized and trusted issuer.
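The following is an added example, not code from the white paper or the connector, of how the middle-tier WCF service can enforce the thumbprint check described above with a custom WIF IssuerNameRegistry. The appSettings key AdfsSigningThumbprint and the issuer identifier returned are assumed names; the thumbprint value must come from your own AD FS token signing certificate.

```csharp
// Added example: pin the SAML token's signing certificate to the AD FS thumbprint.
using System;
using System.Configuration;
using System.IdentityModel.Tokens;   // .NET 4.5 WIF types (WIF 3.5 uses Microsoft.IdentityModel.Tokens)

public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Assumed appSettings key holding the AD FS token signing certificate thumbprint.
    private readonly string _trustedThumbprint =
        Normalize(ConfigurationManager.AppSettings["AdfsSigningThumbprint"]);

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenValidationException("Expected an X.509 signing token.");

        // Compare thumbprints rather than subject names: the thumbprint pins one exact certificate.
        string presented = Normalize(x509Token.Certificate.Thumbprint);
        if (!string.Equals(presented, _trustedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "SAML token was not signed by the trusted AD FS token signing certificate.");

        // A non-null return tells WIF the issuer is trusted; the string becomes the Issuer
        // of every claim extracted from the token. The identifier below is an assumed value.
        return "http://adfs.contoso.com/adfs/services/trust";
    }

    private static string Normalize(string thumbprint)
    {
        if (string.IsNullOrEmpty(thumbprint))
            throw new ConfigurationErrorsException("AdfsSigningThumbprint is not configured.");
        // Thumbprints copied from the certificate MMC can carry spaces or an invisible
        // leading character; strip them so the comparison does not fail silently.
        return thumbprint.Replace(" ", string.Empty).Trim('\uFEFF', '\u200B');
    }
}
```

Register the class in the service's web.config under system.identityModel/identityConfiguration/issuerNameRegistry (type="ThumbprintIssuerNameRegistry, YourAssembly") so that every incoming SAML token passes through it before claims are extracted.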
Overview
After collecting the information from the user on the mobile device, we now need to submit the data to Microsoft Dynamics AX. Only those users who are authenticated are authorized to send this data through the Service Bus to Microsoft Dynamics AX. The ACS and AD FS (which acts as an identity provider and a security token service) cooperate to authenticate and authorize Service Bus operations. The claims obtained from the identity provider are also used to extract information about the user in the middle-tier service. Authorization of Microsoft Dynamics AX users according to their Microsoft Dynamics AX roles and privileges will be handled by the Microsoft Dynamics AX instance itself. We use active federation and the WS-Trust security protocol to request a security token (containing the required claim) from the identity provider (corporate AD FS).
After the security token is presented to the ACS, it recognizes the identity of the user. As was mentioned in the prerequisites, the incoming claims are mapped to the Send outgoing claims that are recognized by the Service Bus for which the ACS is providing security. A claim is then issued to the client by the ACS in the form of a simple web token (SWT).
When the client is ready to send its message through the Service Bus endpoint, it presents the SWT, which grants it permission to send the message. For our solution, the client is also required to send the SAML assertion token that it received from the AD FS to the middle-tier service. The service then extracts the assertion claims, as we saw in the walkthrough for the middle-tier WCF service.
The following steps will show how we implement the required authentication described earlier.
Development requirements
You can implement the authentication described in the next section in the same Windows Phone app project or in a compatible Windows Phone class library, which you can then reference in the app (if you plan to reuse the authentication code).
If you are implementing a client (Windows Phone 8 or Windows 8 Store app) in Visual Studio 2012, consider creating a Portable Class Library for the authentication and including the library in your client application.