Cloud Identity Stories for Developers - Microsoft

Cloud Identity Stories for Developers

Cloud Identity Solutions Quick Guide for Architects and Developers

Alik Levin

http://blogs.msdn.com/alikl

September 2011


Contents

Introduction
ASP.NET Web Form Application With Federated Authentication
ASP.NET MVC Web Application With Federated Authentication
WCF (SOAP) Service With Federated Authentication
WCF (SOAP) Service With Federated Authentication, Identities In Active Directory
WCF (REST) Service With Federated Authentication
WCF (REST) Service with Live ID, Facebook, Google, Yahoo!, Open ID
Windows Phone 7 Application With Federated Authentication
WPF Application With Live ID, Facebook, Google, Yahoo!, Open ID


Introduction

Cloud Identity solutions use the following three key ingredients:

Windows Identity Foundation (WIF)

Active Directory Federation Service (AD FS)

Windows Azure AppFabric Access Control Service (ACS)

This pocket guide is a catalogue of the most common identity scenarios and solutions for cloud applications built with Microsoft technologies and products. Each scenario includes a visual and a description of the scenario, followed by a visual and a description of the solution approach. At the bottom of each scenario is a collection of implementation references, How-To's and Code Samples, that provide a prescriptive recipe for implementing the solution for that scenario.

This document includes only Application Architecture scenarios.

It is a work in progress; more scenarios, such as deployment, authorization, delegation and others, are available here:

http://social.technet.microsoft.com/wiki/contents/articles/cloud-identity-scenarios-and-solutions-for-developers.aspx

Use bookmarks for easier navigation in this document.

Submit comments at http://blogs.msdn.com/alikl.

This work represents my personal view on the subject, based on my personal research, and is not endorsed by my employer, Microsoft Corp. For the purpose of full disclosure, I am a Programming Writer for the technologies mentioned above.

Enjoy.

Alik Levin


ASP.NET Web Form Application With Federated Authentication

Scenario

In this scenario you are developing an ASP.NET Web Forms web application and you need to implement authentication using either Internet identities, such as Live ID, Google, Facebook, Yahoo! or OpenID 2.0, or enterprise identities managed by corporate Active Directory.

Web Application is developed using ASP.NET Web Forms.

Internet identities such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0

Enterprise identities managed by corporate Active Directory (AD)

Solution Approach

Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.

ACS provides federation with Internet identities such as Live ID, Google, Facebook, Yahoo!, OpenID 2.0

ACS provides federation with enterprise Active Directory (AD) via AD FS 2.0

WIF is used to parse and validate the incoming tokens at the application.


Analysis

In this solution the end user tries to access the web application and the request is denied because WIF finds no token in it. WIF redirects the browser to the configured ACS namespace. ACS redirects the end user to the configured identity provider (IdP), where the user submits credentials. Upon successful authentication the IdP issues a token and the end user is redirected to ACS, where the IdP's token is transformed into an ACS token that is sent back to the end user's browser. The browser is then redirected back to the web application, where the ACS token is validated by WIF. Validation at the application means checking the token's signature against the ACS signing certificate the application is configured to trust, the token's audience (the application's realm) and its lifetime; a token that fails any of these is rejected and the request is denied. All of this occurs seamlessly from the end user's point of view. For more details read Web Applications and ACS.

How-To’s

How To: Create My First Claims-Aware ASP.NET Application Using ACS
How To: Host Login Pages in Your ASP.NET Web Application
How To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Implement Role Based Access Control (RBAC) in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates

Code Samples

Code Sample: ASP.NET Simple Forms

Resources

Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing Web Applications with ACS


ASP.NET MVC Web Application With Federated Authentication

Scenario

In this scenario you are developing an ASP.NET MVC web application and you need to implement authentication using either Internet identities, such as Live ID, Google, Facebook, Yahoo! or OpenID 2.0, or enterprise identities managed by corporate Active Directory.

Web Application is developed using ASP.NET MVC.

Internet identities such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0

Enterprise identities managed by corporate Active Directory (AD)

Solution Approach

Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.


ACS provides federation with Internet identities such as Live ID, Google, Facebook, Yahoo!, OpenID 2.0

ACS provides federation with enterprise Active Directory (AD) via AD FS 2.0

WIF is used to parse and validate the incoming tokens at the application.

Analysis

In this solution the end user tries to access the web application and the request is denied because WIF finds no token in it. WIF redirects the browser to the configured ACS namespace. ACS redirects the end user to the configured identity provider (IdP), where the user submits credentials. Upon successful authentication the IdP issues a token and the end user is redirected to ACS, where the IdP's token is transformed into an ACS token that is sent back to the end user's browser. The browser is then redirected back to the web application, where the ACS token is validated by WIF. All of this occurs seamlessly from the end user's point of view. For more details read Web Applications and ACS.
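The passive redirect flow described in the Analysis above (for both the Web Forms and the MVC scenario) can be followed step by step in code. The following is an added example written for this page, not WIF's or ACS's own implementation: it reproduces the decisions WIF's federated authentication module makes on each request (session cookie present or not, build the wsignin1.0 redirect to ACS, resume at the original URL after ACS posts the token back) and adds the check a practitioner wants on the resume URL, which round-trips through the browser in wctx and must stay application-local so it cannot become an open redirect. The ACS namespace "contoso" and the realm https://app.example/ are placeholders assumed for the example.

```python
"""The passive (browser redirect) federation flow described above, as WIF drives it
for an ASP.NET Web Forms or MVC application trusting an ACS namespace.
Added example; not WIF or ACS code."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders, not values from the document: an ACS namespace "contoso"
# and the application's realm.  FedAuth is the name of WIF's session cookie.
ACS_ISSUER = "https://contoso.accesscontrol.windows.net/v2/wsfederation"
REALM = "https://app.example/"
SESSION_COOKIE = "FedAuth"


def safe_local_path(ru):
    """Accept only an application-local path.  A scheme, a host, a protocol-relative
    '//' prefix or a backslash would turn the post-sign-in redirect into an open
    redirect, so all of those fall back to '/'."""
    parts = urlsplit(ru)
    if parts.scheme or parts.netloc or not ru.startswith("/") or ru.startswith("//") or "\\" in ru:
        return "/"
    return ru


def build_signin_redirect(issuer, realm, requested_path, now=None):
    """The wsignin1.0 redirect WIF issues when a request carries no token.
    wctx round-trips through ACS and carries the path to resume (ru)."""
    now = now or datetime.now(timezone.utc)
    wctx = urlencode({"rm": "0", "id": "passive", "ru": safe_local_path(requested_path)})
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx,
              "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ")}
    return issuer + ("&" if "?" in issuer else "?") + urlencode(params)


def authenticate_request(cookies, requested_path, issuer=ACS_ISSUER, realm=REALM):
    """Per-request decision: a WIF session cookie lets the request through; otherwise
    the browser is sent to the issuer (ACS), which sends it on to the chosen IdP."""
    if SESSION_COOKIE in cookies:
        return "allow", None
    return "redirect", build_signin_redirect(issuer, realm, requested_path)


def parse_signin_redirect(url):
    """Decode a sign-in redirect (outer query and nested wctx) for inspection."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    fields["wctx"] = {k: v[0] for k, v in parse_qs(fields["wctx"]).items()}
    return fields


def resume_url_from_wctx(wctx, realm=REALM):
    """After ACS POSTs wresult (the signed token) and wctx back to the realm and WIF
    has validated the token, the app redirects to ru.  wctx came back through the
    browser, so ru is re-checked here rather than trusted."""
    ru = parse_qs(wctx).get("ru", ["/"])[0]
    return realm.rstrip("/") + safe_local_path(ru)


if __name__ == "__main__":
    decision, location = authenticate_request({}, "/Orders?id=7")
    print(decision, location)
    print(resume_url_from_wctx("rm=0&id=passive&ru=%2F%2Fevil.example%2F"))
```

The token itself (wresult) is a signed SAML assertion that WIF validates against the ACS signing certificate; that validation is not reproduced here. What the example does show is the part application code is responsible for around the flow: nothing in wctx is trusted just because it came back from ACS.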

How To’s

How To: Create My First Claims-Aware ASP.NET Application Using ACS
How To: Host Login Pages in Your ASP.NET Web Application
How To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Implement Role Based Access Control (RBAC) in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates

Code Samples

Code Sample: ASP.NET MVC 3 Custom Login Page
Code Sample: ASP.NET Simple MVC 2

Resources

Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing Web Applications with ACS


WCF (SOAP) Service With Federated Authentication

Scenario

In this scenario you have a WCF service that exposes a SOAP endpoint. It needs to authenticate requests based on issued SAML tokens.

WCF service exposes a SOAP endpoint.

Authenticates requests based on issued tokens.

Tokens are of SAML format.

Credentials could be either a UID/PWD pair or an X.509 client certificate

Identities are not managed in corporate Active Directory (AD)

Solution Approach

Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.

ACS manages Service Identities (SI)

ACS manages the SI's credentials: a UID/PWD pair and/or an X.509 client certificate.

WIF is used on the agent (WCF client) end to request the token from ACS and send it to the WCF service.

WIF is used on the WCF service end to validate and parse the token issued by ACS


Analysis

In this solution an agent (WCF client) uses WIF to send a request directly to ACS, requesting a SAML token based on credentials that can be a UID/PWD pair or an X.509 client certificate. For more details on tokens read Token Formats Supported in ACS. ACS issues the SAML token upon successful authentication of those credentials. The agent sends the token to the WCF service, where it is validated and parsed using WIF. For more info read Web Services and ACS. ACS manages the WCF service identities and their credentials using Service Identities entities.

How-To’s

How To: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
How To: Authenticate with a Client Certificate to a WCF Service Protected by ACS
How To: Authenticate with a Username and Password to a WCF Service Protected by ACS

Code Samples

Code Sample: WCF Certificate Authentication
Code Sample: WCF Username Authentication

Resources

Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS


WCF (SOAP) Service With Federated Authentication, Identities In Active Directory

Scenario

In this scenario you have a WCF service that exposes a SOAP endpoint. It needs to authenticate requests based on issued SAML tokens. Identities and their credentials are managed in corporate Active Directory (AD).

WCF service exposes a SOAP endpoint.
Authenticates requests based on issued tokens.
Tokens are of SAML format.
Identities are in corporate Active Directory (AD)

Solution Approach

Windows Azure AppFabric Access Control Service (ACS) and AD FS 2.0 are used to solve this scenario.

WCF service exposes a SOAP endpoint.


Authenticates requests based on issued tokens.

Tokens are of SAML format.

Identities are in corporate Active Directory (AD)

Analysis

In this solution an agent (WCF client) uses WIF to send a request directly to ACS, requesting a SAML token based on credentials that are managed in corporate Active Directory. The identities are made available through AD FS 2.0: the credential type is controlled by AD FS, which returns a valid SAML token upon successful authentication. For more details on tokens read Token Formats Supported in ACS. ACS issues its own SAML token upon successful validation of the SAML token issued by AD FS. The agent sends the ACS token to the WCF service, where it is validated and parsed using WIF. For more info read Web Services and ACS. In this scenario ACS does not manage the service identities or their credentials through Service Identities entities; they remain in Active Directory.

How To’s

How To: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
How To: Configure AD FS 2.0 as an Identity Provider
How To: Use Management Service to Configure AD FS 2.0 as an Enterprise Identity Provider

Code Samples

Code Sample: WCF Federated Authentication With AD FS 2.0

Resources

Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS
AD FS 2.0 Step-by-Step and How To Guides
Federated Web SSO Design
Web SSO Design
Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

WCF (REST) Service With Federated Authentication

Scenario

In this scenario an application consumes a REST service that requires an SWT token for authentication.

Review the diagram below that schematically depicts the scenario:

Service exposing a REST endpoint.
Service requires an SWT token.
Credentials can be a UID/PWD pair, an X.509 client certificate, or a symmetric key.
Identities are not managed by corporate Active Directory (AD)

Solution Approach

ACS manages Service Identities (SI)
ACS manages the SI's credentials: a UID/PWD pair, an X.509 client certificate, or a symmetric key.
WIF can optionally be used on the service side

Analysis

In this solution an agent (WCF client) sends a request directly to ACS, requesting an SWT token based on credentials that can be a UID/PWD pair, an X.509 client certificate, or a symmetric key. For more details on tokens read Token Formats Supported in ACS. ACS issues the SWT token upon successful authentication of those credentials. The agent sends the token to the WCF service, where it is validated and parsed. WIF is used on neither the client nor the service side: at the time of this writing WIF does not provide an SWT token handler, so the service validates the token itself, checking the HMAC-SHA256 signature with the symmetric key it shares with ACS, then the issuer, the audience and the expiry. For a detailed step-by-step procedure refer to How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS. Alternatively, WIF can be used to write a custom SWT token handler that plugs into the WIF pipeline. Consult the following sample, Code Sample: Windows Phone 7 Application, for how to write an SWT token handler that plugs into WIF's pipeline. For more info read Web Services and ACS. ACS manages the WCF service identities and their credentials using Service Identities entities.
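Because WIF supplies no SWT handler here, the service-side validation is the part the developer has to get right. The following is an added example written for this page, not code from the ACS samples or WIF: it covers both ends of the exchange in the Analysis above, the client's OAuth WRAP request to ACS and the WRAP Authorization header it then sends, and the service's validation of the SWT (signature with the shared symmetric key first, then issuer, audience and expiry). The same validation applies to the SWT the WP7, WPF and rich-client scenarios later in this document hand to their REST back end. The ACS namespace "contoso", the service realm and the signing key are placeholders assumed for the example, and the toy issuer at the bottom exists only to fabricate sample tokens; in the scenario ACS does the signing.

```python
"""Simple Web Token (SWT) handling for the REST scenario: the client obtains the token
from ACS over OAuth WRAP and presents it in an Authorization header; the service
validates it.  Added example, not WIF or ACS code."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Assumed placeholders, not values from the document: an ACS namespace "contoso", the
# service realm, and a constructed 256-bit signing key (ACS generates the real one).
ACS_HOST = "contoso.accesscontrol.windows.net"
ISSUER = "https://" + ACS_HOST + "/"
AUDIENCE = "http://localhost/RestService/"
SIGNING_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


class SwtError(ValueError):
    """Any reason the service must answer 401."""


# Client side: ask ACS for a token with the service identity's username/password.
def build_wrap_token_request(name, password, scope=AUDIENCE):
    url = "https://" + ACS_HOST + "/WRAPv0.9/"
    return url, urlencode({"wrap_name": name, "wrap_password": password, "wrap_scope": scope})


def authorization_header_from_wrap_response(body):
    """ACS answers form-encoded; wrap_access_token is the URL-encoded SWT."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if "wrap_access_token" not in fields:
        raise SwtError("no wrap_access_token in ACS response")
    return 'WRAP access_token="%s"' % fields["wrap_access_token"]


# Service side: pull the token out of the header and validate it.
def token_from_authorization_header(header):
    if not header or not header.startswith("WRAP "):
        raise SwtError("not a WRAP authorization header")
    name, _, value = header[5:].partition("=")
    if name.strip() != "access_token" or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise SwtError("malformed access_token parameter")
    return value[1:-1]


def split_swt(token):
    """(signed_part, signature_bytes, claims); the HMAC covers the form-encoded string
    up to, but excluding, '&HMACSHA256='."""
    idx = token.rfind("&HMACSHA256=")
    if idx < 0:
        raise SwtError("token carries no HMACSHA256 signature")
    signed_part = token[:idx]
    try:
        signature = base64.b64decode(unquote(token[idx + 12:]), validate=True)
    except ValueError:
        raise SwtError("signature is not valid base64") from None
    claims = {}
    for name, value in parse_qsl(signed_part, keep_blank_values=True):
        claims.setdefault(name, []).extend(value.split(","))  # multi-valued claims are comma-joined
    return signed_part, signature, claims


def validate_swt(token, key_b64, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Signature first (nothing else is trusted before it), then issuer, audience and
    expiry; returns the application claims."""
    signed_part, signature, claims = split_swt(token)
    expected = hmac.new(base64.b64decode(key_b64), signed_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise SwtError("signature mismatch")
    if claims.get("Issuer") != [issuer]:
        raise SwtError("unexpected issuer")
    if claims.get("Audience") != [audience]:
        raise SwtError("audience mismatch: token was not issued for this service")
    try:
        expires_on = int(claims["ExpiresOn"][0])
    except (KeyError, ValueError):
        raise SwtError("missing or malformed ExpiresOn") from None
    if expires_on <= int(time.time() if now is None else now):
        raise SwtError("token expired")
    return {k: v for k, v in claims.items() if k not in ("Issuer", "Audience", "ExpiresOn")}


def authorize_request(authorization_header, key_b64=SIGNING_KEY_B64, now=None):
    """Per-request decision at the service: (True, claims) or (False, reason)."""
    try:
        return True, validate_swt(token_from_authorization_header(authorization_header), key_b64, now=now)
    except SwtError as exc:
        return False, str(exc)


# Toy issuer, used only to fabricate sample tokens here; in the scenario ACS signs.
def issue_swt(claims, key_b64, issuer=ISSUER, audience=AUDIENCE, lifetime=600, now=None):
    now = int(time.time() if now is None else now)
    pairs = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime))]
    pairs += [(n, ",".join(v)) for n, v in claims.items()]
    signed_part = "&".join(quote(n, safe="") + "=" + quote(v, safe="") for n, v in pairs)
    sig = hmac.new(base64.b64decode(key_b64), signed_part.encode(), hashlib.sha256).digest()
    return signed_part + "&HMACSHA256=" + quote(base64.b64encode(sig).decode(), safe="")


if __name__ == "__main__":
    token = issue_swt({ROLE: ["Reader", "Writer"]}, SIGNING_KEY_B64)
    header = authorization_header_from_wrap_response(urlencode({"wrap_access_token": token}))
    print(authorize_request(header))                             # accepted, with role claims
    print(authorize_request(header.replace("Reader", "Admin")))  # tampered claim, rejected
```

Two points are easy to get wrong in a hand-written handler and are deliberately visible above: the signature is compared with a constant-time comparison and checked before any claim is read, and the audience check is not optional, since a token ACS issued for another relying party in the same namespace is signed with that party's key and must not be accepted here even if the keys happen to be shared.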

How-To’s

How To: Configure Trust Between ACS and WCF Service Using Symmetric Keys
How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS

Code Samples

Code Sample: ASP.NET Web Service
Code Sample: Windows Phone 7 Application

Resources

Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS


WCF (REST) Service with Live ID, Facebook, Google, Yahoo!, Open ID

Scenario

In this scenario you are developing a rich client application that consumes a RESTful WCF service. You need to integrate Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo! and OpenID 2.0 for authentication purposes.

Rich client application with a WCF (REST) service as its back end.
Internet Identity Providers (IdP's) such as Live ID, Facebook, Google, Yahoo!, Open ID 2.0

Solution Approach

A hosted WebBrowser control and ACS are used to solve this scenario.


The rich client application hosts a WebBrowser control that displays the IdPs and performs the actual sign-in dance, which results in receiving an SWT token from ACS upon successful authentication.

The SWT token is handed to the rich client application from the hosted WebBrowser control.

The SWT token is sent to the WCF (REST) service. The WCF (REST) service validates and parses the token.

Analysis

Internet identity providers are built for browser-based sign-in to web applications rather than for web services. This is why a WebBrowser control is used in this scenario: it performs the redirects that the sign-in process requires.

How To's

How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider

Code Samples

Code Sample: Windows Phone 7 Application

Resources

Windows Phone 7 Application With Federated Authentication
WPF Application With Federated Authentication, Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID


Windows Phone 7 Application With Federated Authentication

Scenario

In this scenario you are developing a Windows Phone 7 (WP7) application that consumes a RESTful WCF service. You need to integrate Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo! and OpenID 2.0 for authentication purposes.

WP7 application with a WCF (REST) service as its back end.
Internet Identity Providers (IdP's) such as Live ID, Facebook, Google, Yahoo!, Open ID 2.0

Solution Approach

WP7's WebBrowser control and ACS are used to solve this scenario.


The WP7 application hosts a WebBrowser control that displays the IdPs and performs the actual sign-in dance, which results in receiving an SWT token from ACS upon successful authentication.

The SWT token is handed to the WP7 application from the hosted WebBrowser control.
The SWT token is sent to the WCF (REST) service. The WCF (REST) service validates and parses the token.

Analysis

Internet identity providers are built for browser-based sign-in to web applications rather than for web services. This is why a WebBrowser control is used in this scenario: it performs the redirects that the sign-in process requires.

How To's

How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider
How To: Use Management Service to Configure an OpenID Identity Provider

Code Samples

Code Sample: Windows Phone 7 Application

Resources

WCF (REST) Service With Federated Authentication, Service Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID

WPF Application With Federated Authentication, Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID


WPF Application With Live ID, Facebook, Google, Yahoo!, Open ID

Scenario

In this scenario you are developing a WPF application that consumes a RESTful WCF service. You need to integrate Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo! and OpenID 2.0 for authentication purposes.

WPF application with a WCF (REST) service as its back end.
Internet Identity Providers (IdP's) such as Live ID, Facebook, Google, Yahoo!, Open ID 2.0

Solution Approach

The WPF application hosts a WebBrowser control that displays the IdPs and performs the actual sign-in dance, which results in receiving an SWT token from ACS upon successful authentication.

The SWT token is handed to the WPF application from the hosted WebBrowser control.
The SWT token is sent to the WCF (REST) service. The WCF (REST) service validates and parses the token.


Analysis

Internet identity providers are built for browser-based sign-in to web applications rather than for web services. This is why a WebBrowser control is used in this scenario: it performs the redirects that the sign-in process requires.

How To's

How To: Display List Of Identity Providers (IdP’s) For Windows Azure AppFabric ACS Namespace In WPF Application

How To: Obtain SWT Security Token From Windows Azure AppFabric ACS In WPF Application Using WebBrowser Control

How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS

Code Samples

Code Sample: Windows Phone 7 Application

Resources

How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider
How To: Use Management Service to Configure an OpenID Identity Provider
