How to setup eCommerce to authenticate with Facebook and Windows Live
Access Control Service has been retired so this article is obsolete
As was mentioned in Basics of building native client capable of C2 authentication with Retail Server, Retail Server (which is leveraged by eCommerce) supports a couple of authentication types for C2 scenarios: ACS and OpenID Connect. ACS should be used when you want your customers to log in with Facebook, Windows Live or Yahoo. If, when using an LCS VM (starting with AX7 CTP8), you need to log in to eCommerce with Facebook or Windows Live, you should register your own client application (using ACS) which points to your own instance of eCommerce. This registration is needed because each client application set up with ACS must register a valid callback URL, which varies per environment and therefore has to be set up individually. ACS is a part of Windows Azure, so you will need a subscription; if you don't have one already you can get a 1 month free trial: https://azure.microsoft.com/en-us/pricing/free-trial/
1. Log in to https://manage.windowsazure.com, click Active Directory (close to the bottom), then click Access Control Namespaces and then Create a new namespace.
2. In the popup menu select Access Control->Quick Create, type in the prefix for the namespace (for this blog I will type in AcsBlog) and select the region you think is closest to you. Then click the Create button and wait until the operation completes.
3. Once the value in the Status column is Active, click the Manage button at the bottom of the page; you will be redirected to the namespace URL you created in the previous step (https://<YourNamespace>.accesscontrol.windows.net).
4. To enable Facebook login you should first have your Facebook application created on Facebook side, the details can be found here: https://developers.facebook.com/docs/apps/register
I would like to explicitly mention only the following: don't forget to provide (in Settings->Advanced->Valid OAuth redirect URIs) the value https://<PutYourNamespaceHere>.accesscontrol.windows.net/v2/facebook
so, for me, that value is https://acsblog.accesscontrol.windows.net/v2/facebook
5. Back on your ACS site, once you have the application created on the Facebook side: click the Identity providers link, then the Facebook application radio button and then Next.
Provide the values for Application ID and Application secret corresponding to the application you registered with Facebook. Don't change anything in Application permissions area. Provide any text you want for the fields Display name and Login link text and then click Save button.
6. We have just registered the Facebook Identity Provider with ACS; the next step is to register the Relying Party. Click the link Relying party applications and then click Add. Set up the following parameters:
- Name - provide any name you want, for instance My Facebook
- Mode - keep default value "Enter settings manually"
- Realm - provide the URL of your eCommerce site
- Return Url - provide the value you typed for the Realm field followed by /SignIn/AcsRedirect
- Error Url - provide the same value you provided for Return Url field.
- Token format: JWT
- Token lifetime (secs) - keep default value
- Identity Providers: mark Facebook and unmark Windows Live ID
- Rule groups: mark the checkbox "Create new rule group"
- Type: X.509 Certificate
- Token signing: Use service namespace certificate (standard)
- Click Save button.
- The page will show a link corresponding to the just-created Relying Party; click it and scroll to the Rule groups section, where you will see a group, marked with a checkbox, named Default Rule Group for My Facebook. Click that label and then click Generate; another screen with checkboxes is displayed, check the Facebook checkbox and then click Generate. Finally click the Save button.
We have just completed setting everything we need on ACS side, now let's make some changes on eCommerce side.
7. Open the eCommerce web.config and CTRL+F there for Facebook, then update the attribute issuer by following these steps:
- Go to your ACS site and click the Application Integration link there
- Locate the URL (it points to an XML file) for the WS-Federation Metadata endpoint and open it in your browser
- In the opened XML locate the attribute entityID of the very first element, EntityDescriptor
- Copy/paste the value of that attribute (which is a URL, in my case https://acsblog.accesscontrol.windows.net/) into the web.config's attribute issuer.
8. While on the same line in the web.config, update the value of the attribute redirectUrl with the URL you specified for the Return Url parameter in step #6.
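As an added example (not code from the original post and not part of the eCommerce or AX product), the following Python script walks through the values that steps 6 to 8 ask you to copy by hand: it extracts entityID from a constructed WS-Federation metadata document, checks that the issuer really is the HTTPS endpoint of your own ACS namespace before it is trusted, and derives Return Url, Error Url and the AX ClientId from the realm. The shop URL https://shop.example.com is a placeholder, the namespace acsblog is the one from the post, and the requirement that the realm be an https URL is an assumption of this script.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_HOST_SUFFIX = ".accesscontrol.windows.net"

# Constructed sample of a WS-Federation metadata document, trimmed to the
# elements this script reads. The real file published by an ACS namespace is
# much larger (signing certificates, endpoints); "acsblog" is the namespace
# used in the post.
SAMPLE_METADATA = """<EntityDescriptor ID="_sample" entityID="https://acsblog.accesscontrol.windows.net/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <!-- trimmed in this sample -->
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def issuer_from_metadata(xml_text: str) -> str:
    """Return the entityID of the root EntityDescriptor, i.e. the value for the
    web.config 'issuer' attribute (step 7). Only the root element is consulted;
    a document of another type or without entityID raises instead of yielding
    an empty issuer that silently ends up in config."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, expected EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return issuer


def is_trusted_acs_issuer(issuer: str, namespace: str) -> bool:
    """True only if the issuer is the HTTPS root of *your* ACS namespace.
    A relying party should accept tokens from exactly the issuer it configured;
    a trailing slash is tolerated, any other host, scheme or path is rejected."""
    parts = urlparse(issuer)
    return (
        parts.scheme == "https"
        and parts.netloc.lower() == f"{namespace.lower()}{ACS_HOST_SUFFIX}"
        and parts.path in ("", "/")
        and not parts.query
        and not parts.fragment
    )


def facebook_redirect_uri(namespace: str) -> str:
    """The Valid OAuth redirect URI to enter in the Facebook app (step 4)."""
    return f"https://{namespace}{ACS_HOST_SUFFIX}/v2/facebook"


def relying_party_settings(realm: str) -> dict:
    """Derive the ACS relying-party values (step 6) and the AX ClientId (step 9)
    from the eCommerce site URL. Requiring https here is this script's own
    assumption: the return URL is where ACS posts the signed token back."""
    parts = urlparse(realm)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("realm must be an absolute https URL")
    # rstrip avoids "https://site//SignIn/AcsRedirect" when the realm ends in "/"
    return_url = realm.rstrip("/") + "/SignIn/AcsRedirect"
    return {
        "realm": realm,
        "return_url": return_url,
        "error_url": return_url,  # the post uses the same value for both
        "client_id": return_url,  # AX ClientId = Return Url (step 9)
    }


def web_config_attributes(metadata_xml: str, namespace: str, realm: str) -> dict:
    """Values for the 'issuer' and 'redirectUrl' attributes on the Facebook
    line of the eCommerce web.config (steps 7 and 8), after the issuer check."""
    issuer = issuer_from_metadata(metadata_xml)
    if not is_trusted_acs_issuer(issuer, namespace):
        raise ValueError(f"metadata issuer {issuer!r} is not namespace {namespace!r}")
    return {"issuer": issuer, "redirectUrl": relying_party_settings(realm)["return_url"]}


if __name__ == "__main__":
    # placeholder shop URL; replace with the realm of your own eCommerce site
    cfg = web_config_attributes(SAMPLE_METADATA, "acsblog", "https://shop.example.com/")
    for key, value in cfg.items():
        print(f'{key}="{value}"')
```

Run it with your namespace and realm and paste the two printed attribute values into the Facebook line of web.config; if the metadata you downloaded belongs to a different namespace than the one you think you are configuring, the script refuses instead of handing you a wrong issuer.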
The last change to be made is to register the just-created Identity Provider and the client application with AX.
9. Refer to the article Basics of building native client capable of C2 authentication with Retail Server for how to register an identity provider with AX. You will need to provide the following parameters while registering the provider:
- Issuer - provide the value you located in the step #7
- Name - provide any name you want; it is currently used only in this AX form, as a friendly name for your provider
- Type - select AAD ACS there.
Keep the row for the newly registered provider selected and then click the Add button in the Relying Parties grid. Provide the following values for the client:
- ClientId - should have the same value as Return Url you provided in the step #6
- Type - select Confidential
- UserType - select Customer
10. Click the Save button and execute job 1110. Wait until it completes; your website is then ready to sign in with your Facebook application.
To troubleshoot possible configuration issues, look for Retail Server and/or eCommerce warnings/errors in the Event Viewer; the logs are located under Applications and Services Logs->Microsoft->Dynamics:
eCommerce logs are in the Operational under Commerce-OnlineStore
RS logs are in the Operational under Commerce-RetailServer
