Configure Your Deployment for ACS

Configuring your Microsoft Dynamics NAV deployment to use Windows Azure Access Control Service (ACS) authentication requires a series of configuration operations in the Azure Management Portal:

  • Create a namespace.

  • Configure the namespace.

  • Specify relying party applications.

  • Add a rule group.

  • Add a logon page for relying party applications.

Create a Namespace

To create a namespace, follow these steps:

  1. In the Azure Management Portal, choose the Service Bus, Access Control, and Caching button.

  2. Choose the New Service Namespace button.

  3. In the Create a New Service Namespace dialog box, enter the following information.

    • Namespace: Enter a name for the namespace. The name can be any text. For example, you can enter the name of your company for the namespace name. Select the Check Availability button to verify that your proposed name is still available. If it is not available, try another name.

    • Country/Region: Choose a locale. Choose the same locale that you used for your deployment.

    • Subscription: Choose your subscription.

  4. Choose Create Namespace.

Configure the Namespace

After the Status of your namespace becomes Active, you can continue with configuring ACS for the namespace.

  1. Select your namespace. On the Manage Access Control menu, choose the Access Control Service button.

    Note

    If this button is not available, you may want to obtain Portal Administrator permission for the namespace. Ask the Service Administrator for the Azure subscription to grant you this permission. Co-administrator permission is sufficient for creating a namespace, but not for managing ACS.

  2. In the left pane of the Access Control Service section of the Azure Management portal, choose Identity Providers to open a page of the same name.

    An identity provider is an organization that provides authentication services that you can use as your ACS authentication mechanism. There are five possible identity providers. Windows Live ID is the default identity provider. Two of the other options require no configuration: Google and Yahoo!. The final two require additional configuration: Facebook and Active Directory Federation Services (AD FS). AD FS lets users authenticate by logging on to their corporate account, which is managed by Active Directory. For more information about how to configure an AD FS identity provider, see How to: Configure an AD FS 2.0 Identity Provider.

  3. Select the identity providers that you want to make available to the users. You can choose as few as one, such as just Windows Live ID, or as many as all five identity providers.

Specify Relying Party Applications

Relying party applications are the websites, applications, and services for which you want to use ACS to implement Shared Services authentication. In this case, the relying party applications are Microsoft Dynamics NAV clients.

  1. In the left pane of the Access Control Service section of the Azure Management portal, choose Relying Party Applications to open a page of the same name.

  2. Choose Add to open the Add Relying Party Application page.

  3. In the Name field, provide a name for the application.

    A typical value would be the name of the organization for which the deployment was created.

  4. In the Mode field, select Enter settings manually.

  5. In the Realm field, enter the DNS name of the Microsoft Dynamics NAV Server component.

  6. In the Return URL field, enter https://localhost/<name>. Replace <name> with the name that you provided in step 3.

  7. Skip the Error URL field.

  8. In the Token format field, select SWT.

    SAML tokens are not supported.

    A Token Signing Settings area appears in the lower part of the page. Move down to this section.

  9. Choose the Generate button for the Token signing key field.

  10. Copy the string of characters that automatically populate the field.

    You will use this string to update the TokenSigningKey in the server configuration.

    Security Note

    You cannot configure this signing key to expire. To help secure your deployment, schedule a regeneration of this key regularly.

  11. Choose the Save button to save your relying party application configuration.
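
As an added example (not code from this page or from Microsoft Dynamics NAV), the following Python code shows how a relying party checks an SWT with the symmetric token signing key from steps 9 and 10, and why a regenerated key has to be copied into the server configuration at the same time. The keys, realm, issuer and claim values are constructed samples, the function names are hypothetical, and the token's Audience is assumed to carry the realm entered in step 5.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG = "&HMACSHA256="  # in the SWT format the signature is always the last pair

# Constructed sample values (not from the page): two 256-bit keys and a realm.
OLD_KEY = base64.b64encode(bytes(range(32))).decode()
NEW_KEY = base64.b64encode(bytes(range(32, 64))).decode()
REALM = "nav.example.com"

def _mac(body, key_b64):
    return hmac.new(base64.b64decode(key_b64), body.encode(), hashlib.sha256).digest()

def sign_swt(claims, key_b64):
    """Build a sample token as an issuer would: form-encoded claims + HMAC."""
    body = urlencode(claims)
    return body + SIG + quote(base64.b64encode(_mac(body, key_b64)), safe="")

def validate_swt(token, key_b64, realm, now=None):
    """Return the claims only if signature, audience and expiry all pass."""
    body, sep, sig = token.rpartition(SIG)
    if not sep:
        raise ValueError("no HMACSHA256 signature")
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise ValueError("malformed signature")
    # Constant-time comparison of the recomputed MAC with the presented one.
    if not hmac.compare_digest(_mac(body, key_b64), presented):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Audience") != realm:
        raise ValueError("wrong audience")
    expires = claims.get("ExpiresOn", "")
    if not expires.isdigit() or int(expires) <= (time.time() if now is None else now):
        raise ValueError("expired or missing ExpiresOn")
    return claims

if __name__ == "__main__":
    sample = {"Issuer": "https://example-ns.accesscontrol.windows.net/",
              "Audience": REALM, "ExpiresOn": "2000000000", "nameidentifier": "user1"}
    token = sign_swt(sample, OLD_KEY)
    print(validate_swt(token, OLD_KEY, REALM, now=1_900_000_000))
    try:  # after the key is regenerated, tokens from the old key must fail
        validate_swt(token, NEW_KEY, REALM, now=1_900_000_000)
    except ValueError as err:
        print("rejected:", err)
```

Because the key is symmetric, anyone who holds it can mint tokens that pass this check, which is why it should be stored like a credential and regenerated on a schedule.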

Add a Rule Group

Rule groups define how claims are passed from identity providers to your relying party applications.

  1. In the left pane of the Access Control Service section of the Azure Management portal, choose Rule groups.

  2. Choose the default rule group for the relying party applications that you just created.

  3. On the Edit Rule Group page, choose Generate. In the Generate Rules page, choose the Generate button.

  4. Choose the Save button.

Add a Login Page for Relying Party Applications

The final step in the Access Control configuration is to add a Shared Services logon page to your relying party application. This is where your user can present credentials for the configured identity provider.

  1. In the left pane of the Access Control Service section of the Azure Management portal, choose Application Integration.

  2. On the Application Integration page, choose Login Pages.

  3. Select your relying party application.

  4. Under Option 1: Link to an ACS-hosted logon page, copy the URI from the first text box to Notepad.

  5. In Notepad, replace any instances of the ampersand character (&) with %26.

    You will use this URI in the server configuration for ACS.

Next Steps

During the configuration of your deployment for ACS, you have saved two values:

  • The string of characters from the Token signing key field in the Add Relying Party Application page.

  • The URI for your relying party application from the Application Integration section.

You will need these values for the next stage in the ACS configuration process, which is configuring your Microsoft Dynamics NAV components for ACS. For more information, see Configure Microsoft Dynamics NAV Components for ACS.

See Also

Tasks

How to: Change an ACS Configuration to Support Single Sign-On with Office 365 and SharePoint