Authenticate Orchard users with AppFabric Access Control Service

Edit on GitHub

From the initial release of Orchard, the new .NET CMS, I have been wondering how difficult (or easy) it would be to integrate external (“federated”) authentication like Windows Azure AppFabric Access Control Service with it. After a few attempts, I managed to wrap-up a module for Orchard which does that: Authentication.Federated.

After installing, configuring and enabling this module, Orchard’s logon page is replaced with any SAML 2.0 STS that you configure. To give you a quick idea of what this looks like, here are a few screenshots:

Orchard Log On link is being overriddenOrchard authentication via AppFabricOrchard authenticated via SAML - Username is from the username claim

As you can see from the sequence above, Authentication.Federated does the following:

  • Override the default logon link
  • Redirect to the configured STS issuer URL
  • Use claims like username or nameidentifier to register the external user with Orchard. Optionally, it is also possible to configure roles through claims.

Just as a reference, I’ll show you how to configure the module.

Configuring Authentication.Federated – Windows Azure AppFabric side

In my tests, I’ve been using the AppFabric LABS release, over at From there, create a new namespace and configure Access Control Service with the following settings:

Identity Providers

  • Pick the ones you want… I chose Windows Live ID and Google

Relying Party Applications

Add your application here, using the following settings:

  • Name: pick one :-)
  • Realm: The http(s) root URL for your site. When using a local Orchard CMS installation on localhost, enter a non-localhost URL here, e.g.
  • Return URL: The root URL of your site. I chose http://localhost:12758/ here to test my local Orchard CMS installation
  • Error URL: anything you want
  • Token format: SAML 2.0
  • Token encryption: none
  • Token lifetime: anything you want
  • Identity providers: the ones you want
  • Rule groups: Create new rule group
  • Token signing certificate: create a Service Namespace token and upload a certificate for it. This can be self-signed. Ensure you know the certificate thumbprint as we will need this later on.

Edit Rule Group

Edit the newly created rule group. Click “generate” to generate some default rules for the identity providers chosen, so that nameidentifier and email claims are passed to Orchard CMS. Also, if you want to be the site administrator later on, ensure you issue a roles claim for your Google/Windows Live ID, like so:

Add a role claim for your administrator

Configuring Authentication.Federated – Orchard side

In Orchard, download Authentication.Federated from the modules gallery and enable it. After that, you’ll find the configuration settings under the general “Settings” menu item in the Orchard dashboard:

Authentication.Federated configuration

These settings speak for themselves mostly, but I want to give you some pointers:

  • Enable federated authentication? – Enables the module. Ensure you’ve first tested the configuration before enabling it. If you don’t, you may lose access to your Orchard installation unless you do some database fiddling…
  • Translate claims to Orchard user properties? – Will use claims values to enrich user data.
  • Translate claims to Orchard roles? – Will assign Orchard roles based on the Roles claim
  • Prefix for federated usernames (e.g. "federated_") – Just a prefix for federated users.
  • STS issuer URL – The STS issuer URL, most likely the root for your STS, e.g.">https://<account>
  • STS login page URL – The STS’ login page, e.g.">https://<account>
  • Realm – The realm configured in the Windows Azure AppFabric Access Control Service settings
  • Return URL base – The root URL for your website
  • Audience URL – Best to set this identical to the realm URL
  • X509 certificate thumbprint (used for issuer URL token signing) – The token signing certificate thumbprint

This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

Leave a Comment


6 responses

  1. Avatar for Louis DeJardin
    Louis DeJardin February 15th, 2011

    Very nice!

    I have to say: it's one thing to strive to allow an authentication and authorization to be extended, but it's another thing altogether to see such an unexpected and deep extension to the system published as a module. Well done!

  2. Avatar for maartenba
    maartenba February 15th, 2011

    Thanks for the thumbs up!

  3. Avatar for Stu
    Stu March 12th, 2011

    I'm receving this error wehn working with Orchard and WLID:

    Token not issued by access control service. Ensure thumbprint and STS issuer URK are configured correctly.

    I've verified the thumbnail 20 different ways, the STS issuer URL is right, The audience is right... What am I doing wrong?

    I also have everything set up almost identically as the examples. Any help would be appreciated...


  4. Avatar for Andreas Zahnbleaching
    Andreas Zahnbleaching June 28th, 2011

    I&#39m getting the exact same error message - which is why I found this blog in the first place. I too would appreciate any help because I really don&#39t seem to be able to come up with a solution. Running low on caffeine already.

  5. Avatar for Brian
    Brian August 26th, 2011

    Hey thanks for this.
    I was wondering if it&#39s possible to store claims other than just username and email against the Orchard user properties? Any advice is appreciated.

  6. Avatar for maartenba
    maartenba August 30th, 2011

    That should be possible, but not out of the box. You&#39ll have to crack open the code but it&#39s fairly easy to do.