Securing Windows Azure Distributed Application Using AppFabric Access Control Service (ACS) v2 – Scenario and Solution Approach

Programming Windows Azure - Programming the Microsoft Cloud

This post is a continuation of How To: Configure Windows Azure Web Role ASP.NET Web application for Federation with Access Control Service (ACS) v2

Scenario

Consider the following canonical scenario for distributed applications deployed to Windows Azure:

[Figure: Windows Azure Application Scenario]

Key characteristics:

  • End users access the ASP.NET web app via a browser.
  • The ASP.NET web app is deployed to a Windows Azure Web Role.
  • The WCF service is deployed to another Windows Azure Web Role.
  • The ASP.NET web app calls the WCF service as a downstream service.

Challenges:

  • How to authenticate end users to ASP.NET web app?
  • How to implement authorization access checks at the ASP.NET web app?
  • How to authenticate web app’s calls to WCF service?
  • How to implement authorization access checks at the WCF service?
  • How to manage identities and their credentials outside the application?

Solution

Solution summary:

  • Use ACSv2 to implement federated authentication for end users – reusing existing authentication and identity management mechanisms
  • Use ACSv2 to manage the service identities (and their credentials) that the web app uses to call the WCF service
  • Use Windows Identity Foundation (WIF) to implement authorization access checks at ASP.NET web application
  • Use Windows Identity Foundation (WIF) to implement authorization access checks at WCF service
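The two WIF bullets above describe the same mechanism applied at two tiers, so one example covers both. The code below is added here and is not from the original post; it targets the WIF 3.5 Microsoft.IdentityModel API and assumes that ACS rules emit the user's roles as role claims, that the ACS signing certificate is registered in the issuerNameRegistry under the issuer name shown, and that the namespace, type names, resource/action strings and role names are placeholders for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;

namespace AzureAcsSample
{
    // Added example: one ClaimsAuthorizationManager shared by the ASP.NET web role
    // and the WCF web role. WIF invokes CheckAccess when the type is registered in
    // web.config (type and assembly names are assumptions):
    //   <microsoft.identityModel><service>
    //     <claimsAuthorizationManager
    //        type="AzureAcsSample.AcsRoleAuthorizationManager, AzureAcsSample" />
    //   </service></microsoft.identityModel>
    public class AcsRoleAuthorizationManager : ClaimsAuthorizationManager
    {
        // Issuer name assigned in <issuerNameRegistry> to the ACS namespace's
        // token-signing certificate. The value is an assumption for this example.
        const string AcsIssuerName = "https://contoso.accesscontrol.windows.net/";

        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || principal.Identity == null
                || !principal.Identity.IsAuthenticated)
                return false;

            // Resource and action are the strings handed to ClaimsPrincipalPermission.CheckAccess.
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            string action = context.Action.Select(c => c.Value).FirstOrDefault();

            // Only trust role claims that the WIF pipeline attributed to ACS; role
            // claims from any other issuer are ignored, so a caller cannot smuggle
            // roles in through a differently-signed token.
            List<string> acsRoles = principal.Identities
                .SelectMany(id => id.Claims)
                .Where(c => c.ClaimType == ClaimTypes.Role && c.Issuer == AcsIssuerName)
                .Select(c => c.Value)
                .ToList();

            return IsAllowed(resource, action, acsRoles);
        }

        // Authorization policy; resource, action and role names are assumptions.
        internal static bool IsAllowed(string resource, string action, IEnumerable<string> roles)
        {
            if (resource != "Orders") return false;
            switch (action)
            {
                case "Read":  return roles.Contains("Reader") || roles.Contains("Administrator");
                case "Write": return roles.Contains("Administrator");
                default:      return false;
            }
        }
    }

    // ASP.NET web role: the page performs the check before returning protected data.
    public class OrdersPageLogic
    {
        public string[] LoadOrders()
        {
            // Throws SecurityException when the manager denies access.
            ClaimsPrincipalPermission.CheckAccess("Orders", "Read");
            return new[] { "order-1", "order-2" }; // constructed sample data
        }
    }

    // WCF web role: the downstream service applies the same check on its own
    // claims principal (built from the token the web app presented), so a caller
    // that bypasses the web app still has to satisfy the policy.
    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract]
        string[] GetOrders();
    }

    public class OrderService : IOrderService
    {
        public string[] GetOrders()
        {
            ClaimsPrincipalPermission.CheckAccess("Orders", "Read");
            return new[] { "order-1", "order-2" }; // constructed sample data
        }
    }
}
```

When the WCF host is configured for WIF (FederatedServiceCredentials), WIF also runs the registered manager before each operation, with the endpoint address as resource and the SOAP action as action; the explicit call inside the operation adds a finer-grained check on top of that. Keeping the policy in one type means both roles enforce the same rules against the same ACS-issued claims rather than each tier re-deriving roles on its own.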

[Figure: Authentication and Authorization with ACSv2 in Azure apps]