I’ve used the Shibboleth Service Provider (SP) for authentication of web applications running on my own IIS web servers. I wrote a simple ASP.Net web site in Visual Studio, configured it to run in IIS, and then added the Shibboleth SP to it. This is a fairly straightforward task, with much of the work done for you by the Shibboleth SP installer. The only things that remained to be done after the SP installation were updating some configuration files and registering my SP with my university’s IdP. Having completed this project, I wondered if the process could be repeated using Azure as the web host.
Shibboleth Service Provider
The Shibboleth SP comes in two flavors: IIS and Apache. As I outlined in my prior post, there are several different options for web hosting in Azure. I could create a virtual machine running either Windows or Linux and install the Apache web server on it. I’m not going down that road for a variety of reasons that I’ve already noted. The simple web site option won’t work because it doesn’t support SSL or startup scripts. That leaves the option of exploring the Cloud Service and its IIS web role to do this Shibboleth SP hosting.
The IIS version of the Shibboleth SP is composed of two parts: an ISAPI filter DLL that intercepts requests before they reach your web application code, and a Windows service (shibd) that maintains SP state. The SP is packaged as an MSI and is installed by the Windows Installer. This means that there must be a way to run the MSI on your Azure web host before the web application starts. Fortunately, the Cloud Service web role can be configured to run startup scripts. There is another wrinkle to consider. The Shibboleth SP MSI uses the IIS 6.0 compatibility API to install its ISAPI filter. I did a bit of experimenting and discovered that the Azure Windows Server 2012 web role does not have the IIS 6.0 compatibility API installed. Thus additional startup steps are required.
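To make the two startup requirements above concrete, here is an added example of a web role startup script; it is not code from the original post and not part of the Shibboleth project. It assumes (my assumptions, not the post’s) that the Shibboleth MSI and this script sit in a Startup folder of the web role project with “Copy to Output Directory” set, that the MSI file name is a placeholder you replace with the real one, that the SP installs to its default Windows location C:\opt\shibboleth-sp, and that the SP’s Windows service is named shibd_Default. The script first enables the IIS 6 metabase compatibility and ISAPI features the MSI needs, then runs the installer unattended, and is written to be safe to re-run because Azure runs startup tasks again after every reboot or reimage.

```powershell
# Added example (not from the original post or the Shibboleth project):
# startup script for an Azure Cloud Service web role that prepares IIS and
# installs the Shibboleth SP MSI before the web application starts.
#
# Assumptions (not stated in the post):
#  - this script and the MSI are deployed with the role in a "Startup" folder
#  - the MSI file name below is a placeholder for the real installer name
#  - the SP installs to its default Windows path C:\opt\shibboleth-sp
#  - the SP's Windows service is registered as "shibd_Default"

$ErrorActionPreference = 'Stop'

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$msiPath   = Join-Path $scriptDir 'shibboleth-sp-PLACEHOLDER-win64.msi'   # placeholder name
$spRoot    = 'C:\opt\shibboleth-sp'                                        # assumed default
$marker    = Join-Path $spRoot 'azure-startup-done.txt'                    # hypothetical marker
$logPath   = Join-Path $env:TEMP 'shibboleth-startup.log'

function Write-Log([string]$message) {
    # Timestamped log line; readable later over the remote desktop session.
    "$(Get-Date -Format s) $message" | Out-File -FilePath $logPath -Append -Encoding ascii
}

# Startup tasks run on every boot and reimage, so make the work idempotent.
if (Test-Path $marker) {
    Write-Log 'Shibboleth SP already installed on this instance; nothing to do.'
    exit 0
}

# The SP MSI registers its ISAPI filter through the IIS 6.0 compatibility API,
# which the Server 2012 web role image lacks, so enable it plus ISAPI support.
Import-Module ServerManager
$requiredFeatures = @('Web-Metabase', 'Web-ISAPI-Filter', 'Web-ISAPI-Ext')
foreach ($feature in $requiredFeatures) {
    if (-not (Get-WindowsFeature -Name $feature).Installed) {
        Install-WindowsFeature -Name $feature | Out-Null
        Write-Log "Installed Windows feature $feature"
    }
}

# Run the bundled installer silently. Because the MSI ships inside the
# deployment package, what runs here is exactly what you uploaded; nothing is
# downloaded at boot by an elevated task.
if (-not (Test-Path $msiPath)) {
    throw "Shibboleth SP installer not found at $msiPath"
}
$msiLog  = Join-Path $env:TEMP 'shibboleth-msi.log'
$msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    throw "msiexec exited with code $($proc.ExitCode); see $msiLog"
}
Write-Log "Shibboleth SP MSI installed (exit code $($proc.ExitCode))"

# If a pre-edited shibboleth2.xml was deployed alongside the script, put it in
# place so the SP comes up already pointed at the IdP (file is hypothetical).
$bundledConfig = Join-Path $scriptDir 'shibboleth2.xml'
if (Test-Path $bundledConfig) {
    Copy-Item -Path $bundledConfig -Destination (Join-Path $spRoot 'etc\shibboleth\shibboleth2.xml') -Force
    Write-Log 'Deployed bundled shibboleth2.xml'
}

# Make sure the SP daemon starts with the instance and is running now.
Set-Service -Name 'shibd_Default' -StartupType Automatic
Start-Service -Name 'shibd_Default'
Write-Log 'shibd_Default service started'

New-Item -ItemType File -Path $marker -Force | Out-Null
exit 0
```

To wire this in, add a Task to the web role in ServiceDefinition.csdef, for example `<Startup><Task commandLine="Startup\InstallShibboleth.cmd" executionContext="elevated" taskType="simple" /></Startup>`, where InstallShibboleth.cmd is a one-line wrapper such as `powershell.exe -ExecutionPolicy Unrestricted -File "%~dp0InstallShibboleth.ps1"`. The elevated context is required because both feature installation and msiexec need administrator rights, and a simple task blocks the role from starting IIS until the script exits, which is what you want here. Since the task runs with full local privileges, keep the installer inside the deployment package rather than fetching it at boot, and keep the log file: when a role instance stays in the Busy state, the startup log read over the remote desktop connection you enable during publishing is usually the fastest way to see which step failed.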
Steps to Create an Azure Cloud Service Web App
The analog to creating a local IIS web app is to create an Azure cloud service web role. To create an Azure web site you need to have an Azure subscription. There are several ways to obtain said subscription. One option is to sign up for a 90-day free trial. If you do this you must cancel within those initial 90 days or charges will begin to accrue. If you have an MSDN subscription, that entitles you to a $100/month subsidy for Azure services. This is a good way to kick the tires and even to run a small web site. Azure only supports two different kinds of user login accounts: Live accounts or Office 365 accounts. Since MSDN also requires the use of a Live account, this is a straightforward way to get an Azure subscription.
With a subscription in hand, you can log into the Azure Management Portal using the corresponding Live or Office 365 account. The next step is to create a new web application. The Azure documentation on creating a cloud service is here.
This blog post assumes you are using Visual Studio. The steps I describe apply to both VS 2010 and VS 2012 although the later version has more built-in support.
- Install the Windows Azure SDK. The version that is current as of the writing of this post is 2.0. This installs VS templates and extends the VS menus with Azure-specific commands. It also installs Azure libraries and tools.
- Open VS and create a new project using the Visual C# Cloud template.
- Go with the default .Net framework version. With VS 2010 that is 4.0. With VS 2012, that is 4.5. The .Net version support is one of the biggest differences between VS versions.
- You will need to name the project. Use whatever name makes sense to you; this name will not be used by Azure.
- Leave the “Create directory for solution” checkbox checked.
- After you click OK the “New Windows Cloud Service” dialog will open. It lists 3 ASP.Net web role templates along with others. Choose whichever template you may be familiar with using. If you are not familiar with ASP.Net, then beware; all of these are complex web application templates. I chose the ASP.Net Web Role and discovered that it created several hundred web site files. Yikes! VS does have an “Empty ASP.Net web site” template, but it is not available as one of the cloud service roles. At any rate, you can accept the proposed name of WebRole1 or you can click on the name and an edit icon (a pencil) appears. If you click on the pencil you can rename the web role to something more meaningful to your web application. When you click OK VS whirs away for a while and then presents to you the beginnings of a web application.
- Create whatever basic web site functionality you may want. Build it and run it to ensure it works.
- Sign up for an Azure account and log in to the Azure Management Portal.
- Create a Cloud Service application. You can use the quick create option.
- You will need to choose a URL. Whatever you choose will be prepended to .cloudapp.net. It is possible to use your own full DNS name, but I won’t go into that here. Rather, you need to choose a name that is unique within the cloudapp.net namespace. For example, if you choose myshibbolethsp, then your web site’s URL will be https://myshibbolethsp.cloudapp.net.
- You should select a region that is close to your location to keep latency and transfer time to a minimum.
- If you have more than one Azure subscription, you will be asked which to use for this new cloud service.
- When you are done you will have an empty cloud service with no running instances.
- Now upload your web application to Azure. Go to the Visual Studio Solution Explorer. There will be a cloud service project in addition to the web role project. Right-click on the cloud service project and choose Publish…
- This opens the Publish Windows Azure Application wizard. Follow the steps in this MSDN Article to complete the upload.
- Choose the option to enable remote desktop. The Azure tools automatically create a remote-session encryption certificate and do the VS and Azure configuration for remote desktop.
- It will ask you for a storage account for debugging. You can create one if you don’t already have one. It won’t actually be used unless you add Azure debug logging to your code.
- Since this is a test cloud service you can select deploy to production. Staging would have a different URL, which would complicate things unnecessarily.
- It takes a while to upload the project packages and then start the web role. You can monitor the progress in the VS output pane.
- You can try to access the web site after VS says it has successfully deployed. You can also go to the Azure Developer’s Portal to monitor and/or configure your new cloud service application.
Now that you have a running Azure cloud service application, you can configure it for SAML authentication using the Shibboleth SP. I will demonstrate how to do that in my next post.