Image may be NSFW.
Clik here to view.
If you follow my other blog you might have noticed that I’m really into the Belgian eID. Needless to say I had to look at how we can use the Belgian eID in Windows Azure. In this series I’ll show you how you can integrate it with your existing or future cloud projects.
We’ll start by taking a look at the eID Identity Provider (or eID IdP), an open source project hosted on code.google.com: http://code.google.com/p/eid-idp/. The IdP runs in JBoss and uses a relational database (like MySQL, PostgreSQL, …). To keep things simple, we won’t be looking at how you can install the IdP.
Besides running the eID IdP yourself, you can also use the hosted version on the e-Contract website (managed by Frank Cornelis, one of the contributors of the eID IdP project). The following page shows the supported protocols: https://www.e-contract.be/eid-idp/main
Since we’re going to use Windows Identity Foundation, these metadata endpoints seem to be the most appropriate:
- WS-Federation Identification Metadata
- WS-Federation Authentication Metadata
- WS-Federation Authentication and Identification Metadata
If you look at the claims offered by the WS-Federation Authentication and Identification endpoint, it seems we can get access to some useful information:
Enough chitchat, show me some code!
Setting up the web application
We’re going to build a webrole that will use the eID IdP for authentication and identification. To build this application you’ll need the Azure SDK, ASP.NET MVC3, the WIF SDK and the WIF runtime:
Create a new Windows Azure project, add an ASP.NET MVC 3 web role and choose the Internet Application template. Now if you run the application and you’ll see that you can view the application without having to login, but this isn’t what we want. We would like to have an application that requires you to login using the eID IdP. This way we’ll know the user is authenticated without having to do the management of usernames, passwords, security, … And we’re actually externalizing the authentication.
Now right click the webrole and choose Add STS reference, fill in the application URI (in our case this is http://127.0.0.1 – this is the address that was assigned by the devfabric). Choose to use an existing STS: https://www.e-contract.be/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml, this endpoint will authenticate you (by asking your pincode) and identify you (get your information).
To get things working you’ll need to disable the request validation mode (see my previous post):
Claims! Claims! Claims!
Before we can run the application we’ll write some code to make everything go well and to display the claims we received from the eID IdP. It’s important to know that this IdP uses the realm URI as the return URL after a successful login. This means if you used http://127.0.0.1 as realm, you’ll be redirected here. But this isn’t what we want…
What we want is that the user gets redirected to an action like /Account/Display after a successful login (to show the user’s claims). To achieve this you’ll need to add the following code in the Global.asax file:
Ok this is a good starting point. Now, after a successful login, the user will be redirected to /Account/Display. This means we’ll need to write the required code in the AccountController. Let’s start with some helper functions that will allow us to get all the claims available for the current identity and an other function that will help us read the value for a specific claim:
Now with this code it will become very easy to write the required actions: Display and Photo. This Display action maps the claims to the UserInfo model and displays it in the view:
In the Display view we’ll simply show all properties of the model, but we’ll also show something else…
Yes… that’s right. We’ll show the user’s photo. One of the claims is the be:fedict:eid:idp:photo claim. This claim contains your picture encoded using standard Base64 encoding. And knowing this makes it very easy to build the Photo action:
The result
When you start the application, you’ll be redirected to the eID IdP:
Image may be NSFW.
Clik here to view.
After entering the PIN code the Java applet will start reading the eID and the eID IdP will redirect to the realm URI (in this case 127.0.0.1). Since we made that small change in the Global.asax file we’ll be redirected to /Account/Display after a successful login:
Image may be NSFW.
Clik here to view.
Download the code: waz-eid-part1.zip
Enjoy!