Windows 8, Azure ACS and TFS Preview Part I

TFS Preview is the Azure-hosted flavor of Microsoft's well-known developer collaboration solution, Team Foundation Server (still in preview).

On past occasions I have needed to integrate external solutions with TFS, or extend its behavior, by using the TFS Web Services.

In this post I will show you how to interoperate with the TFS Preview Web Services in Azure in order to develop custom apps, particularly Windows 8 Store Apps.

TFS Preview uses Windows Azure ACS (Access Control Service) with Windows Live ID as a passive Identity Provider. Check out this great article about the subject.

Passive Identity Providers are meant to be used interactively, by a user authenticating in a browser against a Web Site. That is where WIF (Windows Identity Foundation) comes in: it is what a Web Site uses to support this kind of Identity Provider.

The workflow overview is as follows (sorry for not having a nice picture):

  1. When the user hits your Web Site, she is redirected to Azure ACS.
  2. ACS then replies with the list of Identity Providers configured (i.e. Live ID, Yahoo, Google, etc.), and she chooses one of them.
  3. The user is then redirected to the Identity Provider's Web Site and supplies her credentials.
    • This redirection carries special parameters indicating the final Resource Web Site the user is trying to reach (in WS-Federation terms the realm and reply address).
  4. After the IP (Identity Provider) authenticates the user, it generates a special Web Form as the response.
    • The Form contains hidden input values with the token generated by the IP and some extra information (among it the context value sent in step 3).
    • The Form also performs an automatic POST (using JavaScript) to the final Resource Web Site (a cross-site POST). With ACS in the middle, the IP actually posts to ACS, which issues its own token for the Resource Web Site and posts that on in the same way.
  5. The final Web Site then receives the POST with the authentication information and authorizes the user (or not). If using ASP.NET you would be working with WIF here.
    • WIF understands this Form and uses an ASP.NET Handler to process the request: it validates the token's signature, issuer, audience (realm) and expiry before accepting it.
  6. Finally, the Resource Web Site responds with session cookies.
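The passive sign-in exchange above from the Relying Party's point of view, as an added example (Python rather than the C#/WIF the post's app would use; this is not code from the original post or from TFS Preview). The ACS endpoint URL, the realm and the sample auto-POST form are constructed for illustration; the `wa`, `wtrealm`, `wreply`, `wctx` and `wresult` parameter names are WS-Federation's own.

```python
"""WS-Federation passive sign-in, relying-party side: build the sign-in
request (step 1/3) and parse the auto-POST form that comes back (step 4/5).

Added example, not code from the original post. STS_ENDPOINT, the realm and
SAMPLE_RESPONSE are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode
import secrets

# Assumed ACS WS-Federation endpoint (the real one is per-namespace).
STS_ENDPOINT = "https://example-acs.accesscontrol.windows.net/v2/wsfederation"


def build_signin_url(realm: str, reply_to: str, sts: str = STS_ENDPOINT):
    """Return (redirect_url, wctx). wctx is a random nonce the relying party
    keeps server-side so the incoming POST can be tied to this request."""
    wctx = secrets.token_urlsafe(16)
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_to, "wctx": wctx}
    return f"{sts}?{urlencode(params)}", wctx


class _HiddenInputParser(HTMLParser):
    """Collect the form action and every <input type="hidden"> name/value."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser has already unescaped &lt; &quot; etc.
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""


def parse_signin_response(html: str, expected_wctx: str, expected_reply: str) -> str:
    """Extract wresult (the RSTR carrying the token) from the auto-POST form,
    after checking the form is addressed to us and carries the wctx we issued.
    Signature/audience/expiry validation of the token itself is WIF's job."""
    p = _HiddenInputParser()
    p.feed(html)
    if p.fields.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in response")
    if p.fields.get("wctx") != expected_wctx:
        raise ValueError("wctx mismatch: response does not belong to our request")
    if p.action != expected_reply:
        raise ValueError(f"form posts to {p.action!r}, expected {expected_reply!r}")
    wresult = p.fields.get("wresult")
    if not wresult:
        raise ValueError("wresult missing")
    return wresult


def is_rejected(html: str, wctx: str, reply: str) -> bool:
    """True when parse_signin_response refuses the form."""
    try:
        parse_signin_response(html, wctx, reply)
        return False
    except ValueError:
        return True


# Constructed stand-in for the page the IP/ACS returns in step 4.
# The RSTR body is abbreviated; a real one carries a signed SAML assertion.
SAMPLE_RESPONSE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://javier.tfspreview.com/">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse xmlns:t=&quot;http://schemas.xmlsoap.org/ws/2005/02/trust&quot;&gt;&lt;t:RequestedSecurityToken&gt;&lt;Assertion/&gt;&lt;/t:RequestedSecurityToken&gt;&lt;/t:RequestSecurityTokenResponse&gt;" />
<input type="hidden" name="wctx" value="{wctx}" />
<noscript><input type="submit" value="Continue" /></noscript>
</form></body></html>"""


def demo():
    """Run the round trip: issue the redirect, then accept the matching POST."""
    realm = reply = "https://javier.tfspreview.com/"
    url, wctx = build_signin_url(realm, reply)
    html = SAMPLE_RESPONSE.format(wctx=wctx)  # what the browser would POST back
    return url, wctx, parse_signin_response(html, wctx, reply)


if __name__ == "__main__":
    url, wctx, token = demo()
    print("redirect to:", url)
    print("accepted RSTR:", token[:60], "...")
```

The `wctx` and `action` checks are the relying party's own defence against a token being replayed into a session it never started or posted to a different site; they complement, and do not replace, the signature, issuer, audience and expiry validation WIF performs on the token inside `wresult`.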

There are several protocols by which a security token can be negotiated and obtained between ACS and the relying party. TFS Preview services use WS-Federation.

When TFS Preview authorizes the user (the last step in the previous workflow) it generates 2 session cookies called FedAuth and FedAuth1. They actually contain the security token of the session, encrypted and base64 encoded; WIF splits it across several cookies because browsers cap the size of a single cookie, so the 2 cookies are meant to be joined together to form the session token. Note that the token is opaque to the client (only the server can decrypt it) and that whoever presents these cookies is treated as the user, so a client app must guard them as carefully as a password.
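Reassembling and re-chunking that session cookie, as an added example (Python; not code from the original post or from WIF). WIF's chunked cookie handler names the pieces FedAuth, FedAuth1, FedAuth2, ...; the 2000-byte chunk size and the sample token bytes below are assumptions made for the example.

```python
"""Join the FedAuth/FedAuth1/... session cookie chunks that TFS Preview sets
after sign-in, and split a blob back into chunks for replay.

Added example, not code from the original post. DEFAULT_CHUNK_SIZE and the
token bytes used in demo() are assumptions.
"""
import base64
import re

COOKIE_NAME = "FedAuth"
DEFAULT_CHUNK_SIZE = 2000  # assumed WIF ChunkedCookieHandler default
_CHUNK_RE = re.compile(rf"^{COOKIE_NAME}(\d*)$")


def join_session_cookie(cookies: dict) -> bytes:
    """Concatenate FedAuth, FedAuth1, ... in numeric order and base64-decode.
    Raises if a chunk is missing: a partial token is useless and a server
    would reject it, so fail early rather than replay garbage."""
    indexed = {}
    for name, value in cookies.items():
        m = _CHUNK_RE.match(name)
        if m:
            indexed[int(m.group(1) or 0)] = value
    if not indexed:
        raise KeyError("no FedAuth cookies present")
    parts = []
    for i in range(len(indexed)):
        if i not in indexed:
            raise ValueError(f"missing chunk {COOKIE_NAME}{i or ''}")
        parts.append(indexed[i])
    # The decoded blob is the WIF-encrypted session token: opaque to us.
    return base64.b64decode("".join(parts), validate=True)


def chunk_session_cookie(token: bytes, chunk_size: int = DEFAULT_CHUNK_SIZE) -> dict:
    """Inverse of join_session_cookie: base64 the blob and cut it into
    FedAuth, FedAuth1, ... pieces no longer than chunk_size."""
    b64 = base64.b64encode(token).decode("ascii")
    return {
        f"{COOKIE_NAME}{i or ''}": b64[off:off + chunk_size]
        for i, off in enumerate(range(0, len(b64), chunk_size))
    }


def has_complete_session(cookies: dict) -> bool:
    """True when every chunk needed to rebuild the token is present."""
    try:
        join_session_cookie(cookies)
        return True
    except (KeyError, ValueError):
        return False


def cookie_header(cookies: dict) -> str:
    """Cookie request header a client would send to replay the session
    against the TFS web services (send it over HTTPS only)."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def demo():
    """Round trip a constructed 3072-byte blob (4096 base64 chars -> 3 chunks)."""
    token = bytes(range(256)) * 12          # constructed stand-in for the blob
    cookies = chunk_session_cookie(token)
    cookies["ASP.NET_SessionId"] = "abc123"  # unrelated cookie, must be ignored
    return token, cookies, join_session_cookie(cookies)


if __name__ == "__main__":
    token, cookies, rebuilt = demo()
    print(sorted(cookies), rebuilt == token)
```

A WinRT client cannot read anything inside the rebuilt blob; all it can do is carry the chunks back unchanged on subsequent requests, which is exactly why they must be stored and transmitted as secrets.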

One extra piece of information is needed for this process to work: the subscription name of the TFS Preview instance. The subscription name is the first label in the TFS connection URL, e.g. javier in javier.tfspreview.com.

The subscription URL (javier.tfspreview.com) acts as the resource (the WS-Federation realm) to consume, so this URL is required beforehand.

In the next post I will show you how to connect and query project names from TFS Preview using a WinRT App.
