How is communication secured between the portal, Service Provider Foundation, and other components?
Applies To: Windows Azure Pack
With different components (management portal for administrators, Service Management API, Service Provider Foundation, and VMM) involved in delivering the VM Clouds service, it is imperative that communication happens over secure channels between each component. The following illustration shows how a user is authenticated between the management portal for administrators, Service Management API, Service Provider Foundation, and VMM.
.jpeg "Security in VM Clouds")
A user, without claims, accesses the portal.
Portal redirects the user to the Secure Token Service (STS).
STS redirects the user to a login page
The user enters the credentials in the login page
The user is authenticated against the STS
In response, the STS issues a claim token to the user
The user uses the claims to access the portal
The portal passes on the claims to the Service Management API.
The user is then authenticated with Service Provider Foundation using basic authentication. The Service Management API addresses Service Provider Foundation through basic authentication as an admin, but passes tenant subscription and user ID information to Service Provider Foundation.
Service Provider Foundation validates requests using role metadata stored in the Service Provider Foundation database. Once it is verified that a requestor has access to the scope and specific objects in the request, Service Provider Foundation uses credentials for the underlying service application pool (provided during Service Provider Foundation installation) to perform management tasks on behalf of the requestor. This service application pool account must already be an administrator on the VMM server.