Single Sign On Between CRM Online and any web interface

Use Case

We need to integrate CRM Online with a separate, non-CRM system that holds external data, and the integration has to be seamless for users. To achieve this we implement Single Sign On between the CRM Online instance and the non-CRM system, so that only CRM users (users of the same Azure Active Directory) are able to authenticate to both systems.

The steps below show how to implement Single Sign On between an external web application and CRM using Azure Active Directory. Please refer to the screenshot attached to each step.

1. Set up an Active Directory (an Azure AD tenant) in Azure.

[Screenshot 1]

2. Add the users for whom we want to allow SSO. Note that the users added to the directory are standard Office 365 users, who may also have access to any CRM instance.

[Screenshot 2]

3. Create a standard MVC 4 Web Application and, in the project properties, set SSL Enabled to true.

[Screenshot 3]

4. Copy the SSL URL and paste it into the Project Url property, as indicated below.

[Screenshot 4]

5. Go back to Azure and create your application. Enable Single Sign On for the application and paste the SSL URL into APP ID URI. Copy the federation metadata document URL; it is what the application's Identity and Access configuration in the next step points at.

[Screenshot 5]

6. Set up Identity and Access for the MVC project, as shown below.

[Screenshot 6]

7. Now make the following changes to the web.config of the MVC application. The audience URI must be the APP ID URI registered in step 5, since that is the audience Azure AD writes into the token and what WIF validates against:

<audienceUris>
  <add value="http://mvcssoapplication.cloudapp.net/" />
</audienceUris>

and the WS-Federation settings, where issuer is the tenant-specific WS-Federation endpoint and realm is the same APP ID URI:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://login.windows.net/0582378d-79f3-4781-ae6f-73110b04ae02/wsfed" realm="http://mvcssoapplication.cloudapp.net/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Note that requireSsl="false" and requireHttps="false" are development-time settings: they let the federation session cookie and the sign-in redirect travel over plain HTTP. For a deployed application set both to "true" and use the https form of the application URL for the audience URI and the realm, matching the APP ID URI registered in Azure.

8. Now deploy the MVC application to Azure.

9. Once that is done, only users of the Azure Active Directory we configured for Single Sign On will be able to access the MVC application's pages. Other users will get an authentication error.
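The settings in step 7 are the development-time values (requireSsl and requireHttps set to false, plain-http audience and realm). As an added example that is not part of the original post, the following Global.asax startup hook uses the WIF object model to inspect the federation configuration once it is loaded and refuse to start a non-debug build that still carries those values. The WIF types and properties are real; the FailIfFederationConfigIsInsecure name, the DEBUG-build exemption and the decision to throw are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Linq;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // WIF materialises <system.identityModel> / <system.identityModel.services> lazily;
        // this event fires once the final FederationConfiguration object exists, before the
        // first request is processed by WSFederationAuthenticationModule.
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            // Assumption (example's own): a DEBUG build is the only place the plain-http
            // settings from step 7 are acceptable.
            bool allowInsecure = false;
#if DEBUG
            allowInsecure = true;
#endif
            if (!allowInsecure)
            {
                FailIfFederationConfigIsInsecure(e.FederationConfiguration);
            }
        };
    }

    // Throws if the deployed web.config still carries the dev-only WS-Federation settings.
    public static void FailIfFederationConfigIsInsecure(FederationConfiguration config)
    {
        var problems = new List<string>();

        // The federated session cookie is the logged-in session; over plain HTTP it can be
        // captured and replayed, so it must be marked secure.
        if (!config.CookieHandler.RequireSsl)
            problems.Add("<cookieHandler requireSsl> must be true");

        // The sign-in redirect and the posted wresult token must stay on https.
        if (!config.WsFederationConfiguration.RequireHttps)
            problems.Add("<wsFederation requireHttps> must be true");

        // Audience and realm are the identity the STS issues the token for; they must be the
        // https APP ID URI registered in Azure, not an http alias nobody actually serves.
        var audiences = config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris;
        if (audiences.Count == 0 || audiences.Any(u => u.Scheme != Uri.UriSchemeHttps))
            problems.Add("every <audienceUris><add value> must be an https URI");

        string realm = config.WsFederationConfiguration.Realm ?? string.Empty;
        if (!realm.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            problems.Add("<wsFederation realm> must be an https URI");

        if (problems.Count > 0)
        {
            // Failing at startup is preferable to serving a federated app whose session
            // cookie and token exchange are exposed to the network.
            throw new InvalidOperationException(
                "Insecure federation configuration: " + string.Join("; ", problems));
        }
    }
}
```

The check is deliberately conservative: it does not try to repair the configuration at runtime, because the audience and realm also have to agree with what is registered on the Azure side, and that can only be fixed in the portal and in web.config together.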


Implementing Impersonation in Single Sign On Between CRM and an External Web Interface

Use Case

After we have implemented Single Sign On between CRM and the external web interface, we need the web interface to execute its CRM requests as the signed-in CRM user, that is, to impersonate that user.

1. CRM uses record-level security: a user has access only to those records that his or her security roles permit. The screenshots below show two users, each having access to specific Contact records.

[Screenshots 1 and 2]

2. We have created an .aspx page and added SSO with the Azure Active Directory. In the code behind we create an organization service proxy and retrieve the Contact records from CRM in the FetchContacts method. Note that the proxy is created with a fixed service account whose credentials appear in source here; in a real deployment they belong in protected configuration, not in the code.

using System;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

protected void Page_Load(object sender, EventArgs e)
{
    FetchContacts();
}

// Retrieves Contact records with a fixed service account: CRM evaluates that account's security roles, so every signed-in web user sees the same records.
public void FetchContacts()
{
    ClientCredentials credentials = new ClientCredentials();
    credentials.UserName.UserName = "administrator2@crmazureintegration.onmicrosoft.com";
    credentials.UserName.Password = "pass@word1";
    EntityCollection contacts = null;
    using (OrganizationServiceProxy serviceProxy = new OrganizationServiceProxy(
        new Uri("https://crmazureintegration.api.crm.dynamics.com/XRMServices/2011/Organization.svc"), null, credentials, null))
    {
        contacts = serviceProxy.RetrieveMultiple(new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname") });
    }
    // ... bind contacts to the page (the original listing is cut off here)
}

3. Without impersonation, the page asks for credentials (the Azure AD sign-in). If I sign in as any valid user, the following records are displayed.

[Screenshot 3]

As you can see, it displays records the signed-in user should not have access to. This is because, as the code above shows, the Contact records are fetched under the identity used to create the organization service proxy (the service account), not under the identity of the signed-in web user. The fix is to keep the service-account connection but tell CRM which user the request is on behalf of:

using System;
using System.Security.Claims;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

protected void Page_Load(object sender, EventArgs e)
{
    // WIF has already authenticated the request; the federated user's claims are on the principal.
    ClaimsPrincipal cp = ClaimsPrincipal.Current;
    string fullname = string.Format("{0} {1}",
        cp.FindFirst(ClaimTypes.GivenName).Value, cp.FindFirst(ClaimTypes.Surname).Value);
    this.Label1.Text = this.Label1.Text + " " + fullname;
    Guid userid = FetchContextUserID(fullname);
    ImpersonatedFetchContacts(userid);
}

// Service-account connection; the account needs the "Act on Behalf of Another User" privilege.
private OrganizationServiceProxy CreateServiceProxy()
{
    ClientCredentials credentials = new ClientCredentials();
    credentials.UserName.UserName = "administrator2@crmazureintegration.onmicrosoft.com";
    credentials.UserName.Password = "pass@word1";
    return new OrganizationServiceProxy(
        new Uri("https://crmazureintegration.api.crm.dynamics.com/XRMServices/2011/Organization.svc"), null, credentials, null);
}

// Fetch userid based upon the username (systemuser.fullname). Display names need not be unique,
// so require exactly one match rather than risk impersonating the wrong user.
public Guid FetchContextUserID(string username)
{
    using (OrganizationServiceProxy serviceProxy = CreateServiceProxy())
    {
        QueryExpression query = new QueryExpression("systemuser") { ColumnSet = new ColumnSet("systemuserid") };
        query.Criteria.AddCondition("fullname", ConditionOperator.Equal, username);
        EntityCollection users = serviceProxy.RetrieveMultiple(query);
        if (users.Entities.Count != 1)
            throw new UnauthorizedAccessException("No unique CRM user named " + username);
        return users.Entities[0].Id;
    }
}

public void ImpersonatedFetchContacts(Guid userid)
{
    using (OrganizationServiceProxy serviceProxy = CreateServiceProxy())
    {
        // CallerId makes CRM evaluate this request against the impersonated user's security roles.
        serviceProxy.CallerId = userid;
        EntityCollection contacts = serviceProxy.RetrieveMultiple(new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname") });
        // ... bind contacts to the page (the original listing is cut off here)
    }
}

4. As shown in the code, we set the CallerId property on the organization service proxy before issuing the request. CRM then evaluates the request against the impersonated user's security roles, so only the records the signed-in user has access to are returned. This works only if the service account used to create the proxy holds the "Act on Behalf of Another User" privilege (included in the System Administrator and Delegate roles); without it CRM rejects the impersonated call.

[Screenshot 4]
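The lookup above keys the impersonation on the user's display name, which CRM does not require to be unique, so two CRM users named alike would collide and the page would either fail or impersonate the wrong one. As an added example that is not part of the original post, the following class resolves the CRM user from the UPN claim Azure AD issues in the federated token (for CRM Online users the systemuser.domainname attribute holds the Office 365 sign-in name), refuses to proceed unless exactly one enabled user matches, and only then sets CallerId for the Contact retrieval. The class and method names, the fallback from ClaimTypes.Upn to ClaimTypes.Name, and passing the service-account credentials in from protected configuration are this example's own assumptions.

```csharp
using System;
using System.Security.Claims;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

public static class CrmImpersonation
{
    // Assumption (example's own): the service account's credentials come from protected configuration.
    // The account must hold the CRM "Act on Behalf of Another User" privilege or CallerId is rejected.
    public static OrganizationServiceProxy CreateServiceProxy(Uri organizationServiceUri, string serviceUser, string servicePassword)
    {
        ClientCredentials credentials = new ClientCredentials();
        credentials.UserName.UserName = serviceUser;
        credentials.UserName.Password = servicePassword;
        return new OrganizationServiceProxy(organizationServiceUri, null, credentials, null);
    }

    // Resolve the CRM systemuser for the federated caller by UPN, the unique sign-in name,
    // rather than by the given name + surname display string.
    public static Guid ResolveCallerId(IOrganizationService service, ClaimsPrincipal principal)
    {
        // Azure AD issues the UPN in the upn claim; the name claim carries the same value for tenant users
        // (assumption: this fallback is the example's own).
        Claim upn = principal.FindFirst(ClaimTypes.Upn) ?? principal.FindFirst(ClaimTypes.Name);
        if (upn == null || string.IsNullOrWhiteSpace(upn.Value))
            throw new UnauthorizedAccessException("Token carries no UPN/name claim; refusing to impersonate.");

        // systemuser.domainname holds the Office 365 UPN for CRM Online users; disabled users must not be impersonated.
        QueryExpression query = new QueryExpression("systemuser")
        {
            ColumnSet = new ColumnSet("systemuserid"),
            Criteria = new FilterExpression(LogicalOperator.And)
        };
        query.Criteria.AddCondition("domainname", ConditionOperator.Equal, upn.Value);
        query.Criteria.AddCondition("isdisabled", ConditionOperator.Equal, false);

        EntityCollection users = service.RetrieveMultiple(query);
        if (users.Entities.Count != 1)
        {
            // Never fall back to running as the service account: that is exactly the over-exposure
            // shown in the un-impersonated version of the page.
            throw new UnauthorizedAccessException(
                "No single enabled CRM user matches " + upn.Value + "; refusing to impersonate.");
        }
        return users.Entities[0].Id;
    }

    // Run the Contact retrieval as the caller; CRM applies that user's security roles, not the service account's.
    public static EntityCollection FetchContactsAs(OrganizationServiceProxy proxy, Guid callerId)
    {
        proxy.CallerId = callerId;
        QueryExpression query = new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname", "emailaddress1") };
        return proxy.RetrieveMultiple(query);
    }
}

// Usage from a page that WIF has already authenticated (orgUri, svcUser and svcPassword are read from
// protected configuration; the names are this example's own).
public partial class ContactsPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Uri orgUri = new Uri(System.Configuration.ConfigurationManager.AppSettings["CrmOrganizationServiceUri"]);
        string svcUser = System.Configuration.ConfigurationManager.AppSettings["CrmServiceUser"];
        string svcPassword = System.Configuration.ConfigurationManager.AppSettings["CrmServicePassword"];

        using (OrganizationServiceProxy proxy = CrmImpersonation.CreateServiceProxy(orgUri, svcUser, svcPassword))
        {
            Guid callerId = CrmImpersonation.ResolveCallerId(proxy, ClaimsPrincipal.Current);
            EntityCollection contacts = CrmImpersonation.FetchContactsAs(proxy, callerId);
            // bind contacts to a grid or list control here
        }
    }
}
```

Because the failure path throws instead of silently continuing as the service account, a user who exists in Azure AD but has no enabled CRM user gets an error rather than the service account's view of every Contact, which is the leak the un-impersonated page exhibited.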