Using Delegated Authentication to Access LiveFX from Windows Azure

I pointed out in an earlier post that delegated authentication is the recommended way for a website to provide access to a user’s mesh using LiveFX. By using delegated authentication a user remains in complete control of the access to the mesh that the application has – both with regard to what parts and the duration of that permission.

Apparently people have encountered problems configuring delegated authentication for a Windows Azure website. In this post, I will describe how to use delegated authentication with Windows Azure to access a user’s mesh using LiveFX. This solution has two parts:

  • Create a CNAME record pointing a non-Azure domain to an Azure domain.
  • Configure an Azure Hosted Services project AND a Live Services: Live Framework application.

CNAME record

Steve Marx has a really useful post describing how to use a non-Azure domain with an Azure Hosted Service.  The difficulty in doing this is that the Azure Hosted Service does not have a permanent IP address. Steve Marx explains the problem and solution:

In general, you have two options for setting up a domain name to point to a location.  The first is to use an A record to point to a specific IP address, but as we just discussed, this isn’t an option in Windows Azure where the IP address may change.  The second method is to use a CNAME record, which can map a specific subdomain to another (named) DNS entry.  This is what you need to do to map your domain to a Windows Azure application.

In his post he describes precisely how to do this for a domain registered with GoDaddy. This allows, for example, to be pointed at

Configure Azure Hosted Service and a Live Services: Live Framework Application

The trick to getting delegated authentication working with Windows Azure is to use two separate projects: an Azure Hosted Service project for the website; and a Live Services: Live Framework Application project to contain the delegated authentication configuration.

The Azure Hosted Service configuration is done precisely as for any other Azure website. In the configuration on the Azure Portal the Domain MUST be the domain to which the CNAME record points to. For example:


Return URL:

The Live Services: Live Framework Application configuration, on both the Azure portal and the websites web.config file, is done precisely as for any other website using delegate authentication except that the external domain is used for the Domain and the Return URL rather than the Azure domain. For example:


Return URL:


I put a very primitive demonstration of this at which I will probably leave up for a few days – with downtime for occasional refreshes. The demonstration is based on a project from the Live ID Delegated Authentication SDK with trivial tweaks to access and expose, with the user’s consent, the names of the live folders from the user’s Live Framework CTP mesh. UPDATE 9/14/2010 This demonstration project no longer exists.

UPDATE 5/7/2009

Note that you can only sign-in to the Live Framework CTP mesh if you have registered to use the Live Framework. You will be redirected to the Live Framework CTP registration screen if you attempt to sign-in before you have registered.


About Neil Mackenzie

Cloud Solutions Architect. Microsoft
This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to Using Delegated Authentication to Access LiveFX from Windows Azure

  1. Oran says:

    Awesome work! I’ve been meaning to see if this can also be done using .NET Service Bus as a reverse proxy [1] but haven’t had time and probably won’t find time for a while. I imagine that would let you easily swap the Azure service between and the localhost fabric without changing the delauth stuff.[1]

  2. Jamie says:

    Neil,When I’m redirected back to should I expect to see the names of the folders I’ve granted access to because I’m not seeing them? It might be useful to display them just to emphasize exactly what’s being done here.-Jamie

  3. Neil says:

    Jamie -After the redirect, you should see a screen with various "Click here" links. If you press "Click here to connect to the Live Operating Environment" the window should refresh displaying a new line with a text similar to "Jamie Thomson is now connected. Mesh Folders for Jamie Thomson : Massive Attack, Portishead,". This is assuming you have two root folders named Massive Attack and Portishead and you selected them during the consent phase.I wanted to keep the LOE connection separate during development so I had more control over where something might have gone wrong. I admit the interface is not pretty but, as I said, I just used the example from the Delegated Authentication SDK and didn’t want to change it too much.I think the Live ID Consent page could be improved somewhat because it is cramped and not that obvious – you have to understand the process in order to know to drill down to select the folders. Further, I can only ask for access to an arbitrary mesh object if I know its type – which is why the demo uses only folders. When I request that access, the Live ID Consent page gives me an opportunity to open a second list at the bottom of the page completely separate from the folders list.

  4. Neil says:

    Oran -Thanks for the comments. Your pointer to Clemens Vasters blog looks interesting. I have only looked briefly at .Net Services. It looked interesting but with a steep WCF learning curve to really understand what was going on.

  5. Jamie says:

    Ah gotcha, cheers Neil. Any chance you could make that more obvious? I want to send some of my colleagues over here so that they can understand this a little better.Liking the Bristolian references by the way – a man after my own musical heart 🙂

  6. Neil says:

    Jamie -I cleaned up the website and added text explaining each step. It is still not the best-looking website I’ve ever seen but I would probably need to rewrite the whole thing for that kind of cleanup.The Bristolian references remind me of the time I worked there – although that was in a time before Massive Attack.

  7. Jamie says:

    cool, thanks Neil.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s