I pointed out in an earlier post that delegated authentication is the recommended way for a website to provide access to a user’s mesh using LiveFX. With delegated authentication the user remains in complete control of the access the application has to the mesh, both regarding which parts of the mesh are exposed and for how long that permission lasts.
Apparently people have encountered problems configuring delegated authentication for a Windows Azure website. In this post, I will describe how to use delegated authentication with Windows Azure to access a user’s mesh using LiveFX. This solution has two parts:
- Create a CNAME record pointing a non-Azure domain to an Azure domain.
- Configure an Azure Hosted Services project AND a Live Services: Live Framework application.
Steve Marx has a really useful post describing how to use a non-Azure domain with an Azure Hosted Service. The difficulty in doing this is that the Azure Hosted Service does not have a permanent IP address. Steve Marx explains the problem and solution:
In general, you have two options for setting up a domain name to point to a location. The first is to use an A record to point to a specific IP address, but as we just discussed, this isn’t an option in Windows Azure where the IP address may change. The second method is to use a CNAME record, which can map a specific subdomain to another (named) DNS entry. This is what you need to do to map your domain to a Windows Azure application.
Configure Azure Hosted Service and a Live Services: Live Framework Application
The trick to getting delegated authentication working with Windows Azure is to use two separate projects: an Azure Hosted Service project for the website; and a Live Services: Live Framework Application project to contain the delegated authentication configuration.
The Azure Hosted Service configuration is done precisely as for any other Azure website. In the configuration on the Azure Portal the Domain MUST be the domain to which the CNAME record points. For example:
Return URL: http://bartlebooth.cloudapp.net
The Live Services: Live Framework Application configuration, on both the Azure portal and the website’s web.config file, is done precisely as for any other website using delegated authentication, except that the external domain is used for the Domain and the Return URL rather than the Azure domain. For example:
Return URL: http://www.bartlebooth.com/AuthHandler.aspx
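As an added illustration (not code from this post or from the Live ID Delegated Authentication SDK), here is a small Python check that the two registrations agree: the Return URL must sit on the external domain, and that domain must reach the Azure hosted service through a CNAME rather than an A record. The CNAME table, the `azure_domain` parameter and the function name are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed CNAME table standing in for a DNS lookup so the check runs
# offline; in practice this would come from a resolver query.
CNAME_RECORDS = {
    "www.bartlebooth.com": "bartlebooth.cloudapp.net",
}

# Suffix of Azure hosted-service names the CNAME is expected to point into.
AZURE_SUFFIX = ".cloudapp.net"


def check_delegated_auth_config(domain, return_url, azure_domain,
                                cname_records=CNAME_RECORDS):
    """Hypothetical helper: return a list of configuration problems.
    An empty list means the Live Framework application registration and
    the Azure hosted service are consistent with each other."""
    problems = []
    parsed = urlparse(return_url)
    domain = domain.lower()

    # The Live Framework application registers the external domain, so the
    # Return URL must live on that same host, not on the Azure domain.
    if parsed.scheme not in ("http", "https"):
        problems.append("Return URL must be an absolute http(s) URL")
    if parsed.hostname != domain:
        problems.append(f"Return URL host {parsed.hostname!r} does not "
                        f"match registered Domain {domain!r}")
    if parsed.hostname and parsed.hostname.endswith(AZURE_SUFFIX):
        problems.append("Return URL uses the Azure domain; use the "
                        "external (CNAME) domain instead")

    # The external domain must map to the hosted service via CNAME,
    # because the service has no permanent IP address for an A record.
    target = cname_records.get(domain)
    if target is None:
        problems.append(f"no CNAME record for {domain!r}")
    elif target.lower() != azure_domain.lower():
        problems.append(f"CNAME for {domain!r} points to {target!r}, "
                        f"not to {azure_domain!r}")
    return problems


if __name__ == "__main__":
    for p in check_delegated_auth_config("www.bartlebooth.com",
                                         "http://www.bartlebooth.com/AuthHandler.aspx",
                                         "bartlebooth.cloudapp.net"):
        print("problem:", p)
```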
I put a very primitive demonstration of this at http://www.bartlebooth.com which I will probably leave up for a few days – with downtime for occasional refreshes. The demonstration is based on a project from the Live ID Delegated Authentication SDK with trivial tweaks to access and expose, with the user’s consent, the names of the live folders from the user’s Live Framework CTP mesh. UPDATE 9/14/2010 This demonstration project no longer exists.
Note that you can only sign in to the Live Framework CTP mesh if you have registered to use the Live Framework. You will be redirected to the Live Framework CTP registration screen if you attempt to sign in before you have registered.