Cloud Identity Stories for Developers
Cloud Identity Solutions Quick Guide for Architects and Developers
Alik Levin
http://blogs.msdn.com/alikl
September 2011
Contents
Introduction
ASP.NET Web Form Application With Federated Authentication
ASP.NET MVC Web Application With Federated Authentication
WCF (SOAP) Service With Federated Authentication
WCF (SOAP) Service With Federated Authentication, Identities In Active Directory
WCF (REST) Service With Federated Authentication
WCF (REST) Service with Live ID, Facebook, Google, Yahoo!, Open ID
Windows Phone 7 Application With Federated Authentication
WPF Application With Live ID, Facebook, Google, Yahoo!, Open ID
Introduction
Cloud Identity solutions use the following three key ingredients:
Windows Identity Foundation (WIF)
Active Directory Federation Service (AD FS)
Windows Azure AppFabric Access Control Service (ACS)
This pocket guide is a catalogue of the most common identity scenarios and solutions encountered
when developing cloud applications using Microsoft technologies and products.
Each scenario includes a visual and a description of the scenario, followed by a visual and a
description of the solution approach. At the bottom of each scenario there is a collection of
implementation references (How-To's and Code Samples) that provide a prescriptive recipe for
implementing the solution for that scenario.
This document includes only Application Architecture scenarios.
It is a work in progress; more scenarios, such as deployment, authorization, delegation, and
others, are available here:
http://social.technet.microsoft.com/wiki/contents/articles/cloud-identity-scenarios-and-solutions-for-developers.aspx
Use bookmarks for easier navigation in this document.
Submit comments at http://blogs.msdn.com/alikl.
This work represents my personal view on the subject based on my personal research and is not
endorsed by my employer, Microsoft Corp. For the purpose of full disclosure, I am a Programming
Writer for the technologies mentioned above.
Enjoy.
Alik Levin
ASP.NET Web Form Application With Federated Authentication
Scenario
In this scenario you are developing an ASP.NET Web Forms web application and you need to
implement authentication using either Internet identities such as Live ID, Google, Facebook,
Yahoo!, or OpenID 2.0, or enterprise identities managed by corporate Active Directory.
The web application is developed using ASP.NET Web Forms.
Internet identities such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0
Enterprise identities managed by corporate Active Directory (AD)
Solution Approach
Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.
ACS provides federation with Internet identities such as Live ID, Google, Facebook,
Yahoo!, OpenID 2.0
ACS provides federation with enterprise Active Directory (AD) via AD FS 2.0
WIF is used to parse and validate the incoming tokens at the application.
Analysis
In this solution the end user tries to access the web application and the request is denied
because WIF finds no token in it. WIF redirects the browser to the configured ACS namespace. ACS
redirects the end user to the configured identity provider (IdP), where the user submits
credentials. Upon successful authentication the IdP issues a token and the end user is
redirected back to ACS, where the IdP's token is transformed into an ACS token that is sent back
to the end user. The browser is then redirected back to the web application, where the ACS
token is validated by WIF: the signature is checked against the trusted issuer's certificate and
the audience must match the application's realm, so a token issued for another application or
by an untrusted issuer is rejected. All of this occurs seamlessly for the end user. For more
details read Web Applications and ACS.
How-To’s
How To: Create My First Claims-Aware ASP.NET Application Using ACS
How To: Host Login Pages in Your ASP.NET Web Application
How To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Implement Role Based Access Control (RBAC) in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates
Code Samples
Code Sample: ASP.NET Simple Forms
Resources
Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing Web Applications with ACS
ASP.NET MVC Web Application With Federated Authentication
Scenario
In this scenario you are developing an ASP.NET MVC web application and you need to implement
authentication using either Internet identities such as Live ID, Google, Facebook, Yahoo!, or
OpenID 2.0, or enterprise identities managed by corporate Active Directory.
The web application is developed using ASP.NET MVC.
Internet identities such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0
Enterprise identities managed by corporate Active Directory (AD)
Solution Approach
Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.
ACS provides federation with Internet identities such as Live ID, Google, Facebook,
Yahoo!, OpenID 2.0
ACS provides federation with enterprise Active Directory (AD) via AD FS 2.0
WIF is used to parse and validate the incoming tokens at the application.
Analysis
In this solution the end user tries to access the web application and the request is denied
because WIF finds no token in it. WIF redirects the browser to the configured ACS namespace. ACS
redirects the end user to the configured identity provider (IdP), where the user submits
credentials. Upon successful authentication the IdP issues a token and the end user is
redirected back to ACS, where the IdP's token is transformed into an ACS token that is sent back
to the end user. The browser is then redirected back to the web application, where the ACS
token is validated by WIF. All of this occurs seamlessly for the end user. For more details read
Web Applications and ACS.
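The flow above (and the identical flow for the Web Forms application earlier in this guide) ends with WIF validating the ACS token; what the application then does with the claims is the authorization step covered by the Claims Authorization and RBAC how-to's. The following is an added example, not code from this guide or from the ACS code samples: a ClaimsAuthorizationManager for WIF 3.5 (Microsoft.IdentityModel) that grants access based on the role claims ACS placed in the token. The resource and action names, the role values, and the namespace and class names are assumptions.

```csharp
// Added example, not from the guide: a WIF 3.5 ClaimsAuthorizationManager that
// authorizes by the role claims ACS put in the token. Resource/action names and
// role values are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace CloudIdentityGuide.Samples
{
    public class AcsClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        // "resource:action" -> roles allowed to perform it. Anything not listed is denied.
        static readonly Dictionary<string, string[]> Policy =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "Orders:Read",   new[] { "Reader", "Administrator" } },
                { "Orders:Delete", new[] { "Administrator" } },
            };

        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
                return false;

            // Resource and Action arrive as claims; take the first value of each.
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            string action = context.Action.Select(c => c.Value).FirstOrDefault();
            if (resource == null || action == null)
                return false;

            string[] allowedRoles;
            if (!Policy.TryGetValue(resource + ":" + action, out allowedRoles))
                return false; // deny by default

            // By the time this runs WIF has already checked the token's signature
            // against the trusted ACS issuer and its audience against this app,
            // so the role claims below are ones ACS actually issued.
            IEnumerable<string> roles = principal.Identities
                .SelectMany(identity => identity.Claims)
                .Where(claim => claim.ClaimType == ClaimTypes.Role)
                .Select(claim => claim.Value);

            return roles.Any(role => allowedRoles.Contains(role, StringComparer.Ordinal));
        }
    }

    // Calling code (page or controller) asks for an access check; a denial
    // surfaces as a SecurityException rather than silently proceeding.
    public static class OrderOperations
    {
        public static void DeleteOrder(int orderId)
        {
            ClaimsPrincipalPermission.CheckAccess("Orders", "Delete");
            // ... delete the order ...
        }
    }
}
```

Register the manager in web.config under the microsoft.identityModel/service element with a claimsAuthorizationManager element whose type attribute names this class and its assembly; for per-URL checks the ClaimsAuthorizationModule HTTP module must also be registered. Role claims only appear on the identity if the ACS rule group for the relying party passes them through from the IdP or generates them, so the policy here is only as good as the rules configured in the ACS namespace.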
How To’s
How To: Create My First Claims-Aware ASP.NET Application Using ACS
How To: Host Login Pages in Your ASP.NET Web Application
How To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Implement Role Based Access Control (RBAC) in a Claims-Aware ASP.NET Application Using WIF and ACS
How To: Configure Trust Between ACS and ASP.NET Web Applications Using X.509 Certificates
Code Samples
Code Sample: ASP.NET MVC 3 Custom Login Page
Code Sample: ASP.NET Simple MVC 2
Resources
Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing Web Applications with ACS
WCF (SOAP) Service With Federated Authentication
Scenario
In this scenario you have a WCF service that exposes a SOAP endpoint. It needs to authenticate
requests based on issued SAML tokens.
The WCF service exposes a SOAP endpoint.
It authenticates requests based on issued tokens.
Tokens are in SAML format.
Credentials can be either a UID/PWD pair or an X.509 client certificate.
Identities are not managed in corporate Active Directory (AD).
Solution Approach
Windows Azure AppFabric Access Control Service (ACS) is used to solve this scenario.
ACS manages Service Identities (SI).
ACS manages each SI's credentials: a UID/PWD pair and/or an X.509 client certificate.
WIF is used on the agent (WCF client) end to request the token from ACS and send it to
the WCF service.
WIF is used on the WCF service end to validate and parse the token issued by ACS.
Analysis
In this solution an agent (WCF client) uses WIF to send a request directly to ACS, requesting a
SAML token based on credentials that can be either a UID/PWD pair or an X.509 client certificate.
For more details on tokens read Token Formats Supported in ACS. ACS issues the SAML token
upon successful authentication with those credentials. The agent sends the token to the WCF
service, where it is validated and parsed using WIF. For more info read Web Services and ACS.
ACS manages the calling agents' identities and their credentials as Service Identity entities.
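The token request and service call described above, as an added example that is not from this guide or from the ACS code samples: a WCF client uses WIF 3.5 (Microsoft.IdentityModel.Protocols.WSTrust) to obtain a SAML token from the ACS WS-Trust 1.3 username endpoint with a service identity's credentials, then presents that token to the SOAP service. The ACS namespace, the service identity credentials, the service address, and the IOrderService contract are placeholders, and the service is assumed to expose a WS2007FederationHttpBinding endpoint over TLS that accepts bearer tokens from ACS; the X.509 variant differs only in using the certificate endpoint and client certificate credentials.

```csharp
// Added example, not from the guide: requesting a SAML token from ACS with a
// service identity's username/password and calling a SOAP service with it.
// Namespace, credentials, service address and contract are placeholders.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

namespace CloudIdentityGuide.Samples
{
    // Placeholder contract for the protected SOAP service.
    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract]
        string GetOrder(int orderId);
    }

    public static class AcsSoapClient
    {
        const string AcsNamespace = "mynamespace"; // placeholder ACS service namespace
        const string ServiceAddress = "https://orders.example.com/OrderService.svc"; // placeholder

        // Step 1: authenticate the service identity at ACS and get a SAML token
        // whose audience is the relying party registered for ServiceAddress.
        public static SecurityToken RequestTokenWithUsername(string serviceIdentityName, string password)
        {
            string stsAddress = string.Format(
                "https://{0}.accesscontrol.windows.net/v2/wstrust/13/username", AcsNamespace);

            // TLS protects the channel; the password travels as a UserName token
            // inside the message. No secure-conversation session is needed.
            var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = false;

            var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsAddress));
            factory.TrustVersion = TrustVersion.WSTrust13;
            factory.Credentials.UserName.UserName = serviceIdentityName;
            factory.Credentials.UserName.Password = password;

            var rst = new RequestSecurityToken(RequestTypes.Issue)
            {
                // AppliesTo is the realm ACS puts in the token's audience; a token
                // issued for this service is rejected by any other relying party.
                AppliesTo = new EndpointAddress(ServiceAddress),
                KeyType = KeyTypes.Bearer
            };

            IWSTrustChannelContract channel = factory.CreateChannel();
            return channel.Issue(rst);
        }

        // Step 2: present the ACS token to the service. WIF validates it there
        // against the ACS signing certificate and the service's audience URI.
        public static string GetOrder(SecurityToken acsToken, int orderId)
        {
            var binding = new WS2007FederationHttpBinding(
                WSFederationHttpSecurityMode.TransportWithMessageCredential);
            binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
            binding.Security.Message.EstablishSecurityContext = false;

            var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(ServiceAddress));
            factory.ConfigureChannelFactory();      // WIF extension: use WIF's client credentials
            factory.Credentials.SupportInteractive = false;

            IOrderService proxy = factory.CreateChannelWithIssuedToken(acsToken);
            return proxy.GetOrder(orderId);
        }
    }
}
```

Keep the two steps separate in real code: the ACS token is reusable until it expires, so a client should cache it and only go back to ACS when it is rejected or about to expire, rather than sending the service identity's password on every call.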
How-To’s
How To: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
How To: Authenticate with a Client Certificate to a WCF Service Protected by ACS
How To: Authenticate with a Username and Password to a WCF Service Protected by ACS
Code Samples
Code Sample: WCF Certificate Authentication
Code Sample: WCF Username Authentication
Resources
Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS
WCF (SOAP) Service With Federated Authentication, Identities In Active Directory
Scenario
In this scenario you have a WCF service that exposes a SOAP endpoint. It needs to authenticate
requests based on issued SAML tokens. Identities and their credentials are managed in
corporate Active Directory (AD).
The WCF service exposes a SOAP endpoint.
It authenticates requests based on issued tokens.
Tokens are in SAML format.
Identities are in corporate Active Directory (AD).
Solution Approach
Windows Azure AppFabric Access Control Service (ACS) and AD FS 2.0 are used to solve this
scenario.
AD FS 2.0 authenticates identities held in corporate Active Directory (AD) and issues a SAML token.
ACS is configured to trust AD FS 2.0 as an identity provider and issues its own SAML token in exchange for the AD FS token.
WIF is used on the agent (WCF client) end to request the tokens and send the ACS token to the WCF service.
WIF is used on the WCF service end to validate and parse the token issued by ACS.
Analysis
In this solution an agent (WCF client) uses WIF to request a SAML token based on credentials that
are managed in corporate Active Directory. The identities are exposed through AD FS 2.0, which
controls the credential type and returns a valid SAML token upon successful authentication. The
agent then presents that token to ACS. For more details on tokens read Token Formats Supported
in ACS. ACS issues its own SAML token upon successful validation of the SAML token issued by AD FS.
The agent sends the ACS token to the WCF service, where it is validated and parsed using WIF. For
more info read Web Services and ACS. In this scenario ACS does not manage the identities or their
credentials as Service Identity entities; they remain in AD.
How To’s
How To: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
How To: Configure AD FS 2.0 as an Identity Provider
How To: Use Management Service to Configure AD FS 2.0 as an Enterprise Identity Provider
Code Samples
Code Sample: WCF Federated Authentication With AD FS 2.0
Resources
Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS
AD FS 2.0 Step-by-Step and How To Guides
Federated Web SSO Design
Web SSO Design
Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services
WCF (REST) Service With Federated Authentication
Scenario
In this scenario an application consumes a REST service that requires an SWT token for
authentication. Review the diagram below that schematically depicts the scenario:
The service exposes a REST endpoint.
The service requires an SWT token.
Credentials can be a UID/PWD pair, an X.509 client certificate, or a symmetric key.
Identities are not managed by corporate Active Directory (AD).
Solution Approach
ACS manages Service Identities (SI).
ACS manages each SI's credentials: a UID/PWD pair, an X.509 client certificate, or a symmetric key.
WIF can optionally be used on the service side.
Analysis
In this solution an agent (WCF client) sends a request directly to ACS requesting an SWT token
based on credentials that can be a UID/PWD pair, an X.509 client certificate, or a symmetric key.
For more details on tokens read Token Formats Supported in ACS. ACS issues the SWT token upon
successful authentication with those credentials. The agent sends the token to the WCF service,
where it is validated and parsed. By default WIF is used neither on the client nor on the service
side: at the time of this writing WIF does not ship an SWT token handler, so the service validates
the token itself, checking the HMACSHA256 signature with the symmetric key shared with ACS, the
Issuer, the Audience, and the ExpiresOn time. For a detailed step-by-step procedure refer to How
To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS. Alternatively, a
custom SWT token handler can be written and plugged into the WIF pipeline; consult Code Sample:
Windows Phone 7 Application for how to do that. For more info read Web Services and ACS. ACS
manages the calling agents' identities and their credentials as Service Identity entities.
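Since WIF does not supply an SWT handler, the service must validate the token itself. The following is an added example, not code from this guide or from the referenced how-to: a validator for ACS-issued SWT tokens that checks the HMACSHA256 signature with the symmetric key shared with ACS, then the Issuer, the Audience, and the ExpiresOn time, and only then exposes the remaining claims. The ACS namespace, the relying party realm, the signing key, and the class names are assumptions; the token is read from the Authorization header in the WRAP access_token form the ACS REST samples use.

```csharp
// Added example, not from the guide: validating an ACS-issued Simple Web Token
// (SWT) in a REST service without WIF. Namespace, realm and key are placeholders.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
using System.Web;

namespace CloudIdentityGuide.Samples
{
    public class SwtValidationException : Exception
    {
        public SwtValidationException(string message) : base(message) { }
    }

    public sealed class SwtValidator
    {
        const string SignatureLabel = "&HMACSHA256=";
        const string AuthorizationScheme = "WRAP access_token=\"";

        readonly string expectedIssuer;
        readonly string expectedAudience;
        readonly byte[] signingKey;

        // acsNamespace:     the ACS service namespace (placeholder, e.g. "mynamespace")
        // audience:         the relying party realm registered in ACS for this service
        // signingKeyBase64: the 256-bit symmetric key ACS uses to sign SWTs for that realm
        public SwtValidator(string acsNamespace, string audience, string signingKeyBase64)
        {
            expectedIssuer = string.Format("https://{0}.accesscontrol.windows.net/", acsNamespace);
            expectedAudience = audience;
            signingKey = Convert.FromBase64String(signingKeyBase64);
        }

        // REST clients send the token as: Authorization: WRAP access_token="<swt>"
        public static string ExtractToken(string authorizationHeader)
        {
            if (authorizationHeader == null
                || !authorizationHeader.StartsWith(AuthorizationScheme, StringComparison.Ordinal)
                || !authorizationHeader.EndsWith("\"", StringComparison.Ordinal))
                throw new SwtValidationException("Missing or malformed Authorization header.");
            return authorizationHeader.Substring(AuthorizationScheme.Length,
                authorizationHeader.Length - AuthorizationScheme.Length - 1);
        }

        // Returns the claims carried by the token, or throws if any check fails.
        public IDictionary<string, string> Validate(string token)
        {
            if (string.IsNullOrEmpty(token))
                throw new SwtValidationException("Empty token.");

            // 1. Signature: HMACSHA256 over everything before "&HMACSHA256=", which must be last.
            int sigIndex = token.LastIndexOf(SignatureLabel, StringComparison.Ordinal);
            if (sigIndex < 0)
                throw new SwtValidationException("Token is not signed.");
            string unsignedPart = token.Substring(0, sigIndex);
            string encodedSignature = token.Substring(sigIndex + SignatureLabel.Length);
            if (encodedSignature.IndexOf('&') >= 0)
                throw new SwtValidationException("Signature must be the last parameter.");
            byte[] presented;
            try { presented = Convert.FromBase64String(HttpUtility.UrlDecode(encodedSignature)); }
            catch (FormatException) { throw new SwtValidationException("Signature is not valid base64."); }
            byte[] expected;
            using (var hmac = new HMACSHA256(signingKey))
                expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(unsignedPart));
            if (!FixedTimeEquals(presented, expected))
                throw new SwtValidationException("Signature mismatch.");

            // 2. Only now parse the authenticated content.
            NameValueCollection values = HttpUtility.ParseQueryString(unsignedPart);

            // 3. Issuer: the token must come from our ACS namespace.
            if (!string.Equals(values["Issuer"], expectedIssuer, StringComparison.Ordinal))
                throw new SwtValidationException("Unexpected issuer.");
            // 4. Audience: a token minted for another relying party is rejected.
            if (!string.Equals(values["Audience"], expectedAudience, StringComparison.Ordinal))
                throw new SwtValidationException("Unexpected audience.");
            // 5. Expiry: ExpiresOn is seconds since the Unix epoch (UTC).
            long expiresOn;
            if (!long.TryParse(values["ExpiresOn"], out expiresOn))
                throw new SwtValidationException("Missing or malformed ExpiresOn.");
            long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
            if (expiresOn <= now)
                throw new SwtValidationException("Token has expired.");

            // Everything else is a claim (multi-valued claims are comma-separated in SWT).
            var claims = new Dictionary<string, string>(StringComparer.Ordinal);
            foreach (string key in values.AllKeys)
            {
                if (key == null || key == "Issuer" || key == "Audience" || key == "ExpiresOn")
                    continue;
                claims[key] = values[key];
            }
            return claims;
        }

        // Compare MACs without leaking where they differ through timing.
        static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

The order of the checks matters: the signature is verified over the raw string before anything is parsed, so attacker-controlled content is never interpreted until it is known to come from ACS, and the audience check is what stops a legitimate token issued for a different relying party in the same namespace from being replayed against this service.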
How-To’s
How To: Configure Trust Between ACS and WCF Service Using Symmetric Keys
How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
Code Samples
Code Sample: ASP.NET Web Service
Code Sample: Windows Phone 7 Application
Resources
Windows Azure AppFabric Access Control Service (ACS) Academy Videos
Securing WCF Services with ACS
WCF (REST) Service with Live ID, Facebook, Google, Yahoo!, Open ID
Scenario
In this scenario you are developing a rich client application that consumes a RESTful WCF
service. You need to integrate Internet identity providers (IdPs) such as Live ID, Facebook,
Google, Yahoo!, and OpenID 2.0 for authentication purposes.
Rich client application with a WCF (REST) service as its back end.
Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0
Solution Approach
A hosted WebBrowser control and ACS are used to solve this scenario.
The rich client application hosts a WebBrowser control that displays the list of IdPs and performs the actual sign-in dance, which ends with an SWT token being issued by ACS upon successful authentication.
The SWT token is handed to the rich client application from the hosted WebBrowser control.
The SWT token is sent to the WCF (REST) service, which validates and parses it.
Analysis
Internet identity providers are designed for browser-based web applications rather than for web
services: their sign-in protocols rely on HTTP redirects and HTML login pages. This is why a
WebBrowser control is used in this scenario to carry out the redirects required by the sign-in
process.
How To's
How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider
Code Samples
Code Sample: Windows Phone 7 Application
Resources
Windows Phone 7 Application With Federated Authentication
WPF Application With Federated Authentication, Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID
Windows Phone 7 Application With Federated Authentication
Scenario
In this scenario you are developing a Windows Phone 7 (WP7) application that consumes a
RESTful WCF service. You need to integrate Internet identity providers (IdPs) such as Live ID,
Facebook, Google, Yahoo!, and OpenID 2.0 for authentication purposes.
WP7 application with a WCF (REST) service as its back end.
Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0
Solution Approach
WP7's WebBrowser control and ACS are used to solve this scenario.
The WP7 application hosts a WebBrowser control that displays the list of IdPs and performs the actual sign-in dance, which ends with an SWT token being issued by ACS upon successful authentication.
The SWT token is handed to the WP7 application from the hosted WebBrowser control.
The SWT token is sent to the WCF (REST) service, which validates and parses it.
Analysis
Internet identity providers are designed for browser-based web applications rather than for web
services: their sign-in protocols rely on HTTP redirects and HTML login pages. This is why the
WebBrowser control is used in this scenario to carry out the redirects required by the sign-in
process.
How To's
How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider
How To: Use Management Service to Configure an OpenID Identity Provider
Code Samples
Code Sample: Windows Phone 7 Application
Resources
WCF (REST) Service With Federated Authentication, Service Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID
WPF Application With Federated Authentication, Identities Managed By Live ID, Facebook, Google, Yahoo!, Open ID
WPF Application With Live ID, Facebook, Google, Yahoo!, Open ID
Scenario
In this scenario you are developing a WPF application that consumes a RESTful WCF service. You
need to integrate Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo!,
and OpenID 2.0 for authentication purposes.
WPF application with a WCF (REST) service as its back end.
Internet identity providers (IdPs) such as Live ID, Facebook, Google, Yahoo!, OpenID 2.0
Solution Approach
The WPF application hosts a WebBrowser control that displays the list of IdPs and performs the actual sign-in dance, which ends with an SWT token being issued by ACS upon successful authentication.
The SWT token is handed to the WPF application from the hosted WebBrowser control.
The SWT token is sent to the WCF (REST) service, which validates and parses it.
Analysis
Internet identity providers are designed for browser-based web applications rather than for web
services: their sign-in protocols rely on HTTP redirects and HTML login pages. This is why the
WebBrowser control is used in this scenario to carry out the redirects required by the sign-in
process.
How To's
How To: Display List Of Identity Providers (IdP’s) For Windows Azure AppFabric ACS Namespace In WPF Application
How To: Obtain SWT Security Token From Windows Azure AppFabric ACS In WPF Application Using WebBrowser Control
How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS
Code Samples
Code Sample: Windows Phone 7 Application
Resources
How To: Configure Google as an Identity Provider
How To: Configure Facebook as an Identity Provider
How To: Configure Yahoo! as an Identity Provider
How To: Use Management Service to Configure an OpenID Identity Provider