Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Azure

Connecting in the cloud with AppFabric : Controlling access with ACS

3/18/2011 10:16:49 PM
- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
Managing identity, authentication, and authorization is hard. It takes a lot of work by developers to get it right. One wrong step and you leave a gaping hole that a bad guy can take advantage of and land your company on the front page of the newspaper. Security is always a high priority on any project, but it’s loaded with special terms and more complexity than developers generally want to deal with.

We’re going to cover how you can integrate the user’s identity inside your company with applications running in the cloud. We’ll do this by leveraging claims-based authorization, which allows you to federate your internal identities with applications in the cloud by using standards-based tokens.

1. Identity in the cloud

When you move all of these concerns out of your own network and into the cloud, these concerns become even bigger issues. The application is no longer sitting right next to the source of authentication; the identity boundaries have been broken. How do you fix this problem?

The short answer is to build yet another identity store (a place to store usernames and passwords) and give every user yet another username and password to remember. They won’t remember them—they’ll either write it down on a sticky note on their monitor, or they’ll call you once a month to remind them what it is. This is a bad experience for the user, and it’s dangerous for the owner of the application.

We call this the identity fishbowl. Your identity (who you are and what you can do) is fairly easily maintained on your network, but the second you go off-premises you leave your fishbowl. The application in the cloud doesn’t have any way to connect to your Active Directory to authenticate you. The way to bridge these worlds is with open standards and the concept of a federated identity.

There are some other challenges, as well. Let’s go beyond the previous scenario where you have an internal user trying to access your application in the cloud. What if the user doesn’t work for you, but is a customer or vendor of some sort. What if you need to provision 100 user accounts for that new customer, or 10,000 accounts? This is a lot of work for the administrator, it gives your end user yet another identity to remember, and it exposes you to a risk of not deleting an account when it should be. You’re on the hook for managing those accounts, not the customer or vendor. If you have user accounts in your identity store that are active and belong to someone who has left the company, you’re leaving a wide open hole for them (or an outside evil-doer) to compromise that account and access your application when they shouldn’t.

What you want is an easy and secure way for your internal users and external users (customers, vendors, and so on) to be able to access your application using the identities they already have. This approach also has to have low impact on the service code. You don’t want to have to fix the code every time you enroll a new customer, or find a new protocol to support. You want to write applications, not become enterprise security ninjas. Well, most of us do anyway.

ACS handles all of these concerns for us in a brilliantly elegant way. Before we can really talk about ACS, though, we need a common understanding of some of the core concepts ACS is built on.

2. Working with actors

The security field is loaded with special vocabulary and concepts that scare most developers. Even knowing the importance of security, many developers just find some sample code and paste it in. They either don’t have the understanding needed to work with the code, or they won’t change it for fear of making a mistake.

There are several actors in this security play that we need to define. The most important is your service or application—the resource you’re trying to protect. It’s commonly called the protected resource or the relying party because it’s relying on the security infrastructure.

The next actor is also easily defined: the client. This is the application that’s trying to access the relying party. Clients are also sometimes called issuers. This side can get a little complicated when you have a second client that’s being delegated through the first client to the protected resource.

Finally we have the ACS service itself. In security lingo, ACS is called the authorization server or trusted authority. It provides the security infrastructure the client must use to authenticate and use the protected resource.

In our play, the authorization server is the director, the protected resource is the lead actor, and the client is the supporting actor.

3. Tokens communicate authorization

Our three actors need some way to communicate, and they do this by passing tokens around. There are many formats for tokens, and there are many ways to pass them around. The messages they pass around usually include a set of claims, which we’ll get to in a moment.

You likely use a token every day—your driver’s license. You can use it to prove your identity or to prove a claim. A bar might demand you satisfy (prove) your claim that you’re over 21. You never have to give them your birth certificate; you just give them your driver’s license. You proved who you were, and when you were born, when you applied for your license. The Department of Motor Vehicles validated your credentials and provided you with a token that proves your claim of age on the license. The department is the trusted source, the bar with the beer is the protected resource, and your license is the token. You’re the client.

The following figure shows this relationship between you, the bar, and the Department of Motor Vehicles. You first authenticate to the DMV. Once they’re satisfied, they give you a secure token that provides data for some claims. You can then use this token to get a frosty beverage at any bar, even if not everybody knows your name. You can see this relationship in figure 1.

Some token formats are proprietary and some are an open standard. Microsoft has worked with Google and Yahoo! to develop a new, simple open standard that can be used across the cloud and the web. This standard is called OAuth, short for open authorization. There are other open standards that are popular, such as SAML (Security Assertion Markup Language), but they tend to be more complex and geared for SOAP instead of REST. OAuth’s goal is to provide a simple token and protocol that makes it easy to secure REST-based services.


You can read the OAuth specification at http://groups.google.com/group/oauth-wrap-wg.

ACS is based on OAuth, but it knows how to read other types of tokens as well. There are two halves to OAuth. The first is the Web Resource Authorization Protocol (WRAP). This is the protocol used to make authorization requests and to move requests and tokens around on the wire. The other half of OAuth is the Simple Web Token (SWT), which defines the token itself. SWT tokens are simple to read and understand. The goal in designing OAuth and SWT was to build protocols that any platform could leverage to secure REST-based services.

Figure 1. A bar doesn’t require that you prove your birth date; instead you provide them with a valid and secure token from a trusted authority. You had to prove your birth date to the authority , and they gave you a token . You then use that token to get into the bar .

All tokens coming from ACS will be SWT tokens. Here’s a sample token:

Notice that this token is URL-encoded. Later on we’ll look at code that will let us shred this token and understand the separate parts. If you’ve ever seen a SAML token, this is far simpler and easier to work with. There isn’t even any XML!

The OAuth working group’s website includes the specification for these protocols and formats. They’re surprisingly easy to read, but they do lack an interesting plot. They’re much easier to read than the WS-* and SAML/STS specifications, if that means anything. You can read them all in about 30 minutes.

4. Making claims about who you are

With all these tokens flying around, we need something to put in them. Although there are other pieces of data stored in tokens, the real reason tokens exist is to deliver what is called “a set of claims.”

A claim set is a list of claims made about the client or user by the authorization server. What a claim represents is completely open and can be defined by the systems using it. The claim must serialize to plain text—there isn’t any fancy XML in OAuth, just a name-value collection of claims. A claim set might include a user’s name, their birth date, their customer level, a list of roles or groups they belong to, or anything else your service (the protected resource) needs.

Your service will use these claims to make security and behavior decisions. The first decision is whether the user is allowed to access your service. Then, once you have let them in, you can use the claims to determine what they can do. If their role claim includes manager, you might let them apply discounts to existing orders. If the role claim is staff, maybe they can only create normal orders. What you ask for in claims and what you do with them once you get them is up to you.

This use of claims moves us away from the traditional role-based access control (RBAC) and toward claims-based access control (CBAC). The concepts are the same; the difference is in how we get the data regarding the user’s identity and how we make decisions based on that data.

As you implement ACS, it’s possible to add the use of SWT tokens to your system without ripping out the old way of managing identity. This is useful if you’re trying to transition to the new platform without breaking what already exists.

Other -----------------
- Joining dynamic and infrequently changing data together
- Enterprise Service Bus with BizTalk Server and Windows Azure : Mapping the Microsoft Platform to the Enterprise Service Bus Pattern
- Enterprise Service Bus with BizTalk Server and Windows Azure : Governance Considerations
- Enterprise Service Bus with BizTalk Server and Windows Azure : Cloud-Enabling the ESB with Windows Azure
- Working with the Table service REST API : Querying data (part 3) - Filtering data with LINQ & Selecting data using the LINQ syntax
- Working with the Table service REST API : Querying data (part 2) - Querying with LINQ & Filtering data with the REST API
- Working with the Table service REST API : Querying data (part 1) - Retrieving all entities in a table using the REST API
- Working with the Table service REST API - Batching data
- Modifying entities with the REST API is CRUD (part 3) - Updating entities
- Modifying entities with the REST API is CRUD (part 2) - Deleting entities
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Windows Vista
Windows 7
Windows Azure
Windows Server