Configure your Dynamics CRM as identity provider for an external web application

How common in these days is to land up in a website where you see login via facebook or login via your gmail. Many times for our projects we need to develop a custom asp.net web portal which where users might need to authenticate with Microsoft Dynamics and fetch data. In this example, I will show you how to configure single sign-on between you external web application and Dynamics CRM online.

I will achieve this using the Access Control services (ACS) feature in Microsoft Azure.

  • The first step to use ACS is to create a Access Control namespace in Azure. Login to the azure portal and create a access control namespace.

image

  • Once the namespace is created successfully, click on ‘Manage’ at the bottom of the screen.

image

  • The management portal will open.  Click on Management Service –> Symmetric Key –>  Copy the key. Store it as you would need this later.

 

image

image

image

  • Now we need have to add the access control namespace as an application in the CRM Active directory. For this go to CRM AD and add a web application or web api with Sign On URI and App Id Uri both as .accesscontrol.windows.net/">https://<service bus namespace>.accesscontrol.windows.net/. In case you are not aware of how to add an application to Azure AD, I would strongly suggest to go through my below blog post where I have explained in depth on how to add an application and configure the same.

https://debajmecrm.com/understanding-in-depth-cross-origin-resource-sharing-cors-in-dynamics-crm-2016/

  • Once the application is added, open the application and click on View Endpoints at the bottom of the screen. Copy the federation metatadata url from the pop-up.

image

  • Now to go Access Control Namespace management portal one more time (Access Control Namespace –> Manage) and set up Dynamics CRM as Identity provider. Enter the below information in the identity provider screen.

image

As you can see, in the WS-Federation Metadata, I have entered the federation metadata URL that I copied from the earlier step. Click on Save and you are done with the changes in the Azure Management portal.

  • Create a ASP.NET web application project with just a single page. I have named my page as default.aspx. I will demo this using visual studio 2012 since I will use the identity and access tool extension which is there for VS 2012. My default.aspx page just contains a grid view.

image

  • Make sure in the project properties, the target framework is 4.5 (not 4.5.1 or 4.5.2)
  • In the default.aspx.cs, just enter the below code.

public partial class _default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (System.Threading.Thread.CurrentPrincipal.Identity is ClaimsIdentity)
            {
                var claimsIdentity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity;
                var claimsData = new List<ClaimsData>();

                foreach (var claim in claimsIdentity.Claims)
                {
                    var claimData = new ClaimsData
                    {
               &#160
;        ClaimValue = claim.Value,
                        ClaimType = claim.Type,
                        ClaimValueType = claim.ValueType
                    };

                    claimsData.Add(claimData);
                }

                this.ClaimsGrid.DataSource = claimsData;
                this.ClaimsGrid.DataBind();
            }
        }
    }

    class ClaimsData
    {
        public string ClaimValue { get; set; }

        public string ClaimType { get; set; }

        public string ClaimValueType { get; set; }
    }

 

  • Now right click the project and select Identity and access from the menu. If you do not see this option, download the Identity and access extension for Visual studio – Identity and Access Tool. You may need to restart the visual studio for the changes to reflect. If even after installation, you are not able to see this menu option, make sure you are running your project in .NET Framework 4.5 to be exact.
  • In the providers tab, select ‘Use the Azure Access Control Service’

image

  • Click the ‘Configure’ link

image

  • Enter the name of the access control namespace and the symmetric key that we copied at the very beginning of this article from the management portal.

image

  • Click on ‘OK” and you are all set. Your web.config would be updated accordingly.
  • Now when you run the application, you are redirected to the Microsoft login page and once you enter your correct CRM credentials, you will be redirected to your default page with the appropriate claims. The code in the page load of default.aspx.cs pasted above parses the claims and binds it to a gridview. The below is the final screenshot as it look on my screen.

image

As you can see from the above screenshot, we get multiple claims including the logon name which we can use to retrieve data in the context of the authenticated user.

So you have achieved single-sign on for your application with Dynamics CRM acting as the identity provider. Wasn’t that easy? Well windows azure ACS makes that easy for you.

Hope this helps!


Discover more from Debajit's Power Apps & Dynamics 365 Blog

Subscribe to get the latest posts sent to your email.

9 thoughts on “Configure your Dynamics CRM as identity provider for an external web application”

  1. Hi Debajit,
    I have wcf service where am using native client app to connect to CRM api, this works fine locally where it prompts me to enter user credentials.But if same is deployed in app service(Azure) it doesn’t prompt be the login, how do I pass user crdentails.Please help me out.

  2. Hello Debajit,
    I’m trying to set this up but as I understand ACS is retired by Microsoft already. Any advice about how to do this today? Is it Azure AD B2C that I have to use instead of ACS? Thanks for your answer in advance.

    1. Hi Gabor
      thanks for reading my blog. are u trying to authenticate your web application with CRM as identity provider? if you tell me your scenario in more detail may be I can explain.
      -Debajit

      1. Hello,
        Sorry for the late answer.
        Yes, we have a web application and for the authentication we would like to use our CRM as identity provider, also two-factor authentication is a requirement. The web application is expecting some claims that CRM would provide.

        1. Hi Gabor,
          The current approach suggested now is to go with the Azure AD B2C route. Basically using CRM as identity provider now is using Azure AD in the background. To get the claims back from Azure AD to you web app, steps would be like
          1. Register your web application in Azure AD b2c tenant
          2. Register Azure Identify provider application. There you can set up the claims like user attributes and all.
          3. Create a user flow and run the user flow with your web application.
          You can follow the below links. Implemented it for a project and it works.
          https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
          https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows
          Once authentication is done in your Web page you would find the claims returned from Azure AD which you configured creating the user flows.
          -Debajit

Comments are closed.

Discover more from Debajit's Power Apps & Dynamics 365 Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading