
Walkthrough: Configure Microsoft Azure ACS for integration with Microsoft Dynamics CRM 2013

Applies To: Microsoft Dynamics CRM 2013, Microsoft Dynamics CRM Online

This walkthrough guides you through configuring the Microsoft Azure Access Control Service (ACS) 2.0 issuer, scope, and rules to allow a listener application to read the Microsoft Dynamics CRM messages posted to the Microsoft Azure Service Bus. This walkthrough applies to integration with any deployment type of Microsoft Dynamics CRM.

Tip
The Plug-in Registration tool provided in the SDK is the recommended way to automate the configuration of ACS for basic scenarios. Refer to the section named “Configure ACS” in the topic Walkthrough: Register an Azure-aware plug-in with the CRM plug-in registration tool for instructions on how to configure ACS using the tool. For more advanced scenarios, you’ll need to use the ACS Management Portal described later in this topic. Download the Microsoft Dynamics CRM SDK package.

As a prerequisite to this walkthrough, if you’re running Microsoft Dynamics CRM 2013 (on-premises or IFD), configure Microsoft Dynamics CRM 2013 for Microsoft Azure integration. For more information, see Walkthrough: Configure CRM for integration with Microsoft Azure. Microsoft Dynamics CRM Online is pre-configured for Microsoft Azure integration.

Create a new service namespace

If you have an existing ACS version 2 service namespace, continue with the next section named Create a Service Identity.

  1. Navigate to the Microsoft Azure site and click Portal. Sign in to the portal site using your Microsoft Azure account.

  2. Select SERVICE BUS, and then click Create to create a service namespace.

  3. Provide the requested information to create the service namespace and click the check mark to save.

If you see a “-sb” suffix in the service, it refers to the service bus instance of ACS. If you are using Federated mode, remove the “-sb” from the service namespace value.

Create a service identity (issuer)

  1. If you haven’t already done so, navigate to the Microsoft Azure site and then sign in to the portal using your Microsoft Azure account.

  2. In the management portal, click Service Bus and then select your existing namespace in the list.

  3. Click Connection Information.

  4. At the bottom of the form, click Open ACS Management Portal.

  5. Under Service Settings, select Service identities, and then click Add. The next step defines an issuer name.

  6. On the Add Service Identity page, enter a name for the issuer identity. This must be the same issuer name that Microsoft Dynamics CRM is configured with. You can find this issuer name in the CRM web application by first selecting Settings, then selecting Customizations, and then clicking Developer Resources.

  7. Select a credential type of X.509 Certificate.

  8. Browse to the location of the certificate on your local box. Obtain the certificate by clicking the Download Certificate link on the Developer Resources page of the CRM web application.

  9. Click Save, and if another Save button is shown, click Save again.

If you’re working with Microsoft Dynamics CRM Online and see an indication that the certificate you obtained from that server is expired, you can ignore that warning.

Create a rule group and a rule

Create a rule for the target scope that will allow Microsoft Dynamics CRM to send or “post” to the Microsoft Azure Service Bus. You do this by configuring ACS to map the input “Organization” claim from Microsoft Dynamics CRM to the output “Send” claim of the Microsoft Azure Service Bus.

  1. Below Trust relationships, select Rule groups.

  2. Click Add.

  3. Enter a name for the rule group and select Save.

  1. On the Edit Rule Group page, click Add.

  2. In the If section of the page, select Access Control Service.

  3. For the input claim type, select Enter type and then enter http://schemas.microsoft.com/xrm/2011/Claims/Organization.

  4. For the input claim value, select Enter value, and then enter the name of a Microsoft Dynamics CRM organization.

    For an Internet-facing or on-premises deployment, enter the unique name of the desired organization in lowercase characters. You can find this name on the Developer Resources page of the CRM web application next to the Organization Unique Name label. To navigate to that page in the Web application, select Settings, select Customizations, and then click Developer Resources.

    For a Microsoft Dynamics CRM Online deployment, specify the complete hostname part of the Web service URL. For example, given a URL of https://myorg.crm.dynamics.com/main.aspx, the host name part is myorg.crm.dynamics.com.

  5. In the Then section, for the output claim type, click Select type and then select the http://docs.oasis-open.org/wsfed/authorization/200706/claims/action item from the drop-down list.

  6. For the output claim value, select Enter value, and enter a value of Send for the output claim.

  7. Add a description of the rule (optional). For example, you could type: “Allow the Contoso organization to send to the Microsoft Azure Service Bus.”

  8. Click Save.

Configure the scope

The following steps describe how to configure the Microsoft Azure Service Bus scope of ACS for a normal mode post by Microsoft Dynamics CRM. Defining a scope provides more restricted access to the service namespace.

  1. Below Trust relationships, select Relying party applications, and then click Add.

  2. On the Add Relying Party Application page, enter a display name for the relying party. For example, enter internal. This name is the scope name.

  3. Enter the realm URI of your Microsoft Azure service endpoint and append the scope name, for example, https://crmsdkdemo.servicebus.windows.net/internal.

  4. Enter the return URL, which can be the same value as the realm URI you just entered.

  5. Select a token format of SAML 2.0.

  6. You may optionally increase the token lifetime value.

  7. Make sure the Windows Live ID identity provider is selected.

  8. Select the name of the rule group you created previously. If the check box next to your rule appears ghosted, first clear the check box that is currently checked, and then select the check box for your rule.

  9. Click Save.

Important
If you’re using federated mode, the process is similar to what is described in this walkthrough. You would add an issuer, and create a scope specific to the URI (recommended) or a new base scope. You will need to configure both “-sb” and non “-sb” scopes. You may also need to create a token policy for creating the issuer.
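
The rule and scope values from the two procedures above can be checked before they are typed into the ACS Management Portal. The following Python sketch is an added example, not part of the original walkthrough or the CRM SDK. The dictionary layout, the "online"/"onprem" labels and the function names are assumptions made for illustration; the claim type URIs, the Send value and the SAML 2.0 token format are the ones the walkthrough specifies.

```python
from urllib.parse import urlsplit

# Claim type URIs quoted from the walkthrough.
ORG_CLAIM = "http://schemas.microsoft.com/xrm/2011/Claims/Organization"
ACTION_CLAIM = "http://docs.oasis-open.org/wsfed/authorization/200706/claims/action"

def expected_org_value(deployment, org):
    """Input claim value for "online" (org = Web service URL) or "onprem"
    (covers IFD; org = organization unique name). Labels are hypothetical."""
    if deployment == "online":
        host = urlsplit(org).hostname  # hostname part only: no scheme, no path
        if not host:
            raise ValueError("CRM Online needs the full Web service URL")
        return host
    return org.strip().lower()  # unique name in lowercase characters

def check_plan(plan):
    """Return the problems found in a planned rule and scope (empty if none)."""
    rule, scope, problems = plan["rule"], plan["scope"], []
    want = expected_org_value(plan["deployment"], plan["org"])
    if rule["input_type"] != ORG_CLAIM:
        problems.append("input claim type is not the Organization claim")
    if rule["input_value"] != want:
        problems.append(f"input claim value should be {want!r}")
    if rule["output_type"] != ACTION_CLAIM:
        problems.append("output claim type is not the action claim")
    if rule["output_value"] != "Send":
        problems.append("output claim value should be 'Send' as the walkthrough gives it")
    if not urlsplit(scope["realm"]).path.rstrip("/").endswith("/" + scope["name"]):
        problems.append("realm URI does not end with the scope name")
    if scope["token_format"] != "SAML 2.0":
        problems.append("token format is not SAML 2.0")
    return problems

# Constructed sample plan for CRM Online with two typical slips: the whole
# URL pasted as the claim value, and the output value in the wrong case.
SAMPLE = {
    "deployment": "online",
    "org": "https://myorg.crm.dynamics.com/main.aspx",
    "rule": {"input_type": ORG_CLAIM,
             "input_value": "https://myorg.crm.dynamics.com/main.aspx",
             "output_type": ACTION_CLAIM, "output_value": "send"},
    "scope": {"name": "internal",
              "realm": "https://crmsdkdemo.servicebus.windows.net/internal",
              "token_format": "SAML 2.0"},
}

for problem in check_plan(SAMPLE):
    print("FIX:", problem)
```

Keeping the output claim limited to Send means the CRM issuer receives only the right to post to the scope, which matches the restricted access the scope is meant to provide.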

See Also

Microsoft Dynamics CRM 2013 and Microsoft Dynamics CRM Online
© 2014 Microsoft Corporation. All rights reserved.