How to configure ACS with Media Services key services

This post shows how to configure ACS with the Azure Media Services AES/PlayReady license services using token authentication. The source code is available here: https://github.com/AzureMediaServicesSamples/AES-Key-Delivery-with-ACS. Download the source code in order to configure the key authorization policy.

1. Go to the Active Directory Tab in the Azure Management Portal 

2. Click on Access Control Namespaces in options at the top of the page and click “+ New” and select Access Control -> Quick Create to create a new ACS Namespace.

3. Enter the desired Namespace name and the Region. Copy the full URL of the ACS Namespace into the AcsEndpoint appSetting value in the App.config of the sample application. The value should look like https://yourname.accesscontrol.windows.net where “yourname” is replaced with the Namespace name you selected.

4. Once the new ACS Namespace is created, click Manage to go to the management portal for ACS.

5. Click on “Relying party applications” on the left menu. Then click add. You will need to fill in the following pieces of data:
a. Name: enter a name for the Relying party.
b. Realm: Enter a URI or a string. This will be the Scope or Audience parameter used with the token restriction. Copy this value into the AcsScope appSetting value in the App.config of the sample application.
c. Token Format: pick SWT from the drop-down. We only support SWT (Simple Web Token) for now.
d. Token Signing key: click on Generate

6. Leave the rest of the fields at their default value and click Save to create the Relying Party Application.

7. Next click on “Rule groups” from the left menu. Then click the default rule group associated with the relying party application you just created. The name will start with “Default Rule Group for “ and end with the name you picked in 5a.

8. Click the Generate button above Rules.

9. Click Save to ensure that the token will have the nameidentifier claim in it. Otherwise you will get an error when trying to get a token from ACS about no output claims being generated.

10. Next click on “Certificates and Keys” from the left menu. Then click the add link above the Token Signing area. You will need to fill in the following pieces of data:
a. Relying Party Application: make sure the name you used in 5a is selected.
b. Type -> Choose Symmetric Key from the Drop Down
c. Key -> Click the Generate button to generate a key. Copy this value into the AcsSigningKey appSetting value in the App.config of the sample application.

11. Leave the rest of the fields at their default values and click Save to create the symmetric token signing key.

12. Finally click on “Service Identities” from the left menu. Then click add. You will need to fill in the following pieces of data:
a. Name -> this is the AcsAccountName used to authenticate the user to the ACS service to get a token. Copy this value into AcsAccountName appSetting value in the App.config of the sample application.
b. Type -> from the drop down either pick Symmetric Key or password. If you pick password, fill in the Password field with a password. If you pick Symmetric Key, then click the Generate button to generate a password. Whichever is used, copy this value into AcsAccountKey appSetting value in the App.config of the sample application.

13. Click Save to store the new Service Identity. Note that this creates the credentials your test user uses to authenticate to ACS in order to get a token.

14. Run the program in the KDwithACS project. With all the settings in place, you should see ACS set up with the Key delivery services successfully.
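
As an added example (not code from the KDwithACS sample or the original post), this Python code shows the checks a relying party applies to an SWT issued by the namespace configured above: the HMAC-SHA256 signature made with the symmetric signing key, the issuer, the audience (the realm from 5b), the expiry, and the nameidentifier claim from step 9. The key, scope and issuer strings are constructed sample values, and the trailing slash on the issuer is an assumption.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Claim type for the nameidentifier claim that step 9 refers to.
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed sample values standing in for the App.config settings (not real credentials).
ACS_ENDPOINT = "https://yourname.accesscontrol.windows.net/"   # AcsEndpoint; issuer form assumed
ACS_SCOPE = "urn:example-scope"                                 # AcsScope (realm from 5b)
ACS_SIGNING_KEY = base64.b64encode(bytes(range(32))).decode()  # AcsSigningKey (base64)

def mac(unsigned, key_b64):
    """HMAC-SHA256 over the token text that precedes '&HMACSHA256='."""
    return hmac.new(base64.b64decode(key_b64), unsigned.encode(), hashlib.sha256).digest()

def build_sample(key_b64, issuer, audience, expires_on, name="testuser"):
    """Build a constructed SWT so the validator can run offline."""
    body = urlencode({NAMEID: name, "Issuer": issuer, "Audience": audience,
                      "ExpiresOn": str(expires_on)})
    sig = base64.b64encode(mac(body, key_b64)).decode()
    return body + "&HMACSHA256=" + quote(sig, safe="")

def validate_swt(token, key_b64, issuer, audience, now=None):
    """Return the claims if every check passes; raise ValueError otherwise."""
    unsigned, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("missing signature")
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise ValueError("malformed signature") from None
    # Constant-time comparison of the presented and recomputed MAC.
    if not hmac.compare_digest(presented, mac(unsigned, key_b64)):
        raise ValueError("bad signature")
    pairs = parse_qsl(unsigned, keep_blank_values=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Issuer") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("Audience") != audience:
        raise ValueError("audience mismatch")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if NAMEID not in claims:
        raise ValueError("no nameidentifier claim")
    return claims
```
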
