Configure your Dynamics CRM as identity provider for an external web application

These days it is common to land on a website that offers "login via Facebook" or "login via your Gmail". In many of our projects we need to build a custom ASP.NET web portal where users authenticate against Microsoft Dynamics and then fetch data. In this post I will show you how to configure single sign-on between your external web application and Dynamics CRM Online.

I will achieve this using the Access Control Service (ACS) feature in Microsoft Azure.

  • The first step in using ACS is to create an Access Control namespace in Azure. Log in to the Azure portal and create an access control namespace.

  • Once the namespace is created successfully, click on ‘Manage’ at the bottom of the screen.

  • The management portal will open. Click on Management Service –> Symmetric Key –> Copy the key. Store it, as you will need it later.

  • Now we need to add the access control namespace as an application in the CRM Active Directory. For this, go to the CRM AD and add a web application or web API with both the Sign-On URI and the App ID URI set to https://<service bus namespace>.accesscontrol.windows.net/. If you are not familiar with adding an application to Azure AD, I strongly suggest going through my blog post below, where I explain in depth how to add and configure an application.

https://debajmecrm.com/2016/02/23/understanding-in-depth-cross-origin-resource-sharing-cors-in-dynamics-crm-2016/

  • Once the application is added, open it and click on View Endpoints at the bottom of the screen. Copy the federation metadata URL from the pop-up.

  • Now go to the Access Control Namespace management portal one more time (Access Control Namespace –> Manage) and set up Dynamics CRM as an identity provider. Enter the information below in the identity provider screen.

As you can see, in the WS-Federation Metadata field I have entered the federation metadata URL that I copied in the earlier step. Click on Save and you are done with the changes in the Azure management portal.

  • Create an ASP.NET web application project with just a single page. I have named my page default.aspx. I will demo this using Visual Studio 2012, since I will use the Identity and Access Tool extension, which is available for VS 2012. My default.aspx page contains only a GridView.

  • Make sure that in the project properties the target framework is 4.5 (not 4.5.1 or 4.5.2).
  • In default.aspx.cs, enter the code below.

using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web.UI;

public partial class _default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // After the WS-Federation sign-in, WIF sets the thread principal to a
        // ClaimsPrincipal whose identity carries the claims issued by ACS.
        var claimsIdentity = System.Threading.Thread.CurrentPrincipal.Identity as ClaimsIdentity;
        if (claimsIdentity == null)
        {
            return;
        }

        var claimsData = new List<ClaimsData>();

        // Flatten each claim into a simple row for the grid.
        foreach (var claim in claimsIdentity.Claims)
        {
            claimsData.Add(new ClaimsData
            {
                ClaimValue = claim.Value,
                ClaimType = claim.Type,
                ClaimValueType = claim.ValueType
            });
        }

        // ClaimsGrid is the GridView control declared in default.aspx.
        this.ClaimsGrid.DataSource = claimsData;
        this.ClaimsGrid.DataBind();
    }
}

// Plain row type bound to the GridView.
class ClaimsData
{
    public string ClaimValue { get; set; }

    public string ClaimType { get; set; }

    public string ClaimValueType { get; set; }
}

  • Now right-click the project and select Identity and Access from the menu. If you do not see this option, download the Identity and Access Tool extension for Visual Studio. You may need to restart Visual Studio for the change to take effect. If you still cannot see this menu option after installation, make sure the project targets exactly .NET Framework 4.5.
  • In the providers tab, select ‘Use the Azure Access Control Service’

  • Click the ‘Configure’ link

  • Enter the name of the access control namespace and the symmetric key that we copied at the very beginning of this article from the management portal.

  • Click on ‘OK’ and you are all set. Your web.config will be updated accordingly.
  • Now when you run the application, you are redirected to the Microsoft login page, and once you enter your correct CRM credentials you are redirected to your default page with the appropriate claims. The code in the Page_Load of default.aspx.cs pasted above parses the claims and binds them to the GridView. Below is the final screenshot as it looks on my screen.
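As an added illustration (not taken from the original post or from the tool's output), this is the shape of the web.config sections the Identity and Access Tool writes for ACS; the namespace, realm and thumbprint values are placeholders. The parts worth reviewing before deploying are audienceUris (only tokens addressed to your realm are accepted), trustedIssuers (only tokens signed by your ACS namespace are accepted) and the requireSsl/requireHttps flags, which the tool sets to false for localhost debugging.

```xml
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <system.web>
    <!-- Authentication is handed over to the WS-Federation modules; unauthenticated users are redirected to ACS -->
    <authentication mode="None" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <!-- Placeholder: your application's realm. A token issued for any other audience is rejected -->
      <audienceUris>
        <add value="https://YOUR-APP-HOST/" />
      </audienceUris>
      <!-- Placeholder: thumbprint of the ACS namespace's token-signing certificate.
           Tokens signed by anything else are rejected -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="ACS-SIGNING-CERT-THUMBPRINT" name="https://YOUR-NAMESPACE.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <!-- The tool writes requireSsl/requireHttps="false" for local debugging; set both to true before deploying -->
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://YOUR-NAMESPACE.accesscontrol.windows.net/v2/wsfederation"
                    realm="https://YOUR-APP-HOST/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```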

As you can see from the screenshot above, we get multiple claims, including the logon name, which we can use to retrieve data in the context of the authenticated user.

So you have achieved single sign-on for your application with Dynamics CRM acting as the identity provider. Wasn’t that easy? Well, Windows Azure ACS makes it easy for you.

Hope this helps!

About Debajit
I am a Dynamics CRM Most Valuable Professional (MVP) with 10 years of experience in Microsoft .NET technologies and 7 years of dedicated experience in Microsoft Dynamics CRM. I have worked with companies like Microsoft, SanDisk, PwC and TMF Group and have extensive experience of implementing complex CRM solutions from both the offshore and the client side. Currently the face of XrmForYou.com, with significant experience in delivering corporate training on Dynamics CRM, I have already delivered multiple projects to clients through XrmForYou.com. Author of multiple tools on CodePlex, including 'Role Based Views' and 'CRM-SharePoint Metadata Manager & Attachment Extractor', which are available for commercial use under XrmForYou.com. For consulting/training, drop me a note at info@xrmforyou.com or visit our website www.xrmforyou.com.