An overview of ACS, ADFS, WIF
Notes from the TechNet Windows Azure AppFabric Access Control Service (ACS) Academy video series:
- ACS or Access Control Service is a cloud service that abstracts authentication & lets you focus on app development rather than on plumbing
- ACS is part of Windows Azure Platform - a service within AppFabric
- ACS offers federation with Internet identity providers (like Windows Live ID, Facebook, Yahoo, Google) & corporate identity providers (via ADFS v2.0)
- Federation means you can outsource authentication to industry mature identity management systems
- ACS implements federation and trust for web apps using industry-standard protocols.
- ACS supports the WS-Federation, WS-Trust, OpenID, OAuth 2.0 and OAuth WRAP protocols, and the SAML 1.1, SAML 2.0 and SWT token formats
- ACS works for Web and Web services architectures
- The core component of both Access Control Service (ACS) & Active Directory Federation Services (ADFS) is an STS, or Security Token Service
- Both Access Control Service (ACS) & Active Directory Federation Services (ADFS) can be used to implement SSO or single sign-on
- ADFS is an on-premises STS & is part of Active Directory in Windows Server.
- ADFS is both an on-premises identity provider & a federation provider. ACS does not manage identities
- ADFS relies on Active Directory for identity management but it can federate with non-MS enterprise identity providers like Oracle Identity Federation, CA Federation Manager & more
- ACS & ADFS integrate seamlessly
- ACS can serve Private Cloud, PaaS Cloud (not limited to the Windows Azure Platform, because it is built on open standards) and SaaS Cloud needs
- ACS is not limited to consumption by Windows Azure deployed apps; any modern app platform hosted on PaaS cloud providers can consume ACS
- ACS can serve cloud deployed apps, on-premises apps, mobile device apps
- WIF or Windows Identity Foundation is a .NET runtime that runs as part of your web application or service.
- WIF is available as a free download
- ACS & WIF perform protocol & token heavy lifting so that you can focus on your authorization logic
- ACS does heavy lifting for handling protocols like WS-Federation, WS-Trust, OpenID, OAuth 2.0, OAuth WRAP, Facebook Graph
- ACS can issue normalized SAML & SWT tokens
- You can control authorization access via the ACS Rules Engine & WIF
- WIF parses incoming tokens & exposes a convenient .NET API
- WIF provides design time tooling via FedUtil wizard tool
- WIF offers extensibility through configuration sections & custom token handlers
- Using the Rules Engine, you can control which claims get into the token & which identity providers are trusted to provide them
- Windows Identity Foundation (WIF) offers Role-based access control (RBAC) & Claims-based authorization
- 2 ways to Administer ACS - via Management Portal & Management Service
- Management Portal - accessed through Windows Azure portal
- Management Service is a service that exposes OData endpoint & offers additional functionality not available via Management Portal
- ACS can be managed manually and programmatically
- 4 Key components of ACS:
  - Security Token Service (STS) - issues tokens to clients, which present them to the application in order to be authenticated
  - Management Portal - UI for administering ACS
  - Management Service - API/endpoint used for management automation. Everything you can do with the Management Portal, you can automate via the Management Service
  - Token Transformation Rule Engine - allows configuration-based token transformation
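The STS issues a token and the Rules Engine decides which claims it carries, but the relying party still has to check that token before trusting any claim in it. The following is an added example, not code from the video series or from WIF, showing what that check looks like for the SWT format ACS can issue: a form-encoded string of name=value pairs whose last pair, HMACSHA256, is an HMAC-SHA256 over everything before it, keyed with the symmetric key shared between ACS and the relying party. It is written in Python rather than .NET so it runs stand-alone; the key, issuer and audience values are constructed samples, not real ACS namespaces.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed sample values (not real ACS namespaces or keys): the 256-bit
# symmetric key ACS shares with the relying party is configured base64-encoded.
SAMPLE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode("ascii")
SAMPLE_ISSUER = "https://example-namespace.accesscontrol.windows.net/"
SAMPLE_AUDIENCE = "https://relying-party.example.com/"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
RESERVED = ("Issuer", "Audience", "ExpiresOn", "HMACSHA256")

def issue_swt(claims, key_b64, issuer, audience, expires_on):
    """Build a signed SWT the way an STS does; used here only to produce input."""
    pairs = list(claims.items()) + [("Issuer", issuer), ("Audience", audience),
                                    ("ExpiresOn", str(expires_on))]
    body = urlencode(pairs)  # form-encoded name=value pairs joined by '&'
    sig = hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(sig).decode("ascii"), safe="")

def validate_swt(token, key_b64, expected_issuer, expected_audience, now=None):
    """Check an SWT as a relying party must before trusting any claim: signature
    first, then issuer, audience and expiry. Returns the non-reserved claims
    (comma-separated values split into lists) or raises ValueError."""
    now = int(time.time()) if now is None else now
    idx = token.rfind("&HMACSHA256=")
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 signature")
    body, sig_enc = token[:idx], token[idx + len("&HMACSHA256="):]
    expected = hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(unquote(sig_enc)), expected):  # constant-time
        raise ValueError("signature mismatch: wrong key or tampered token")
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("Issuer") != expected_issuer:
        raise ValueError("token is from an untrusted issuer")
    if fields.get("Audience") != expected_audience:
        raise ValueError("token was issued for a different audience")
    if int(fields.get("ExpiresOn", "0")) <= now:
        raise ValueError("token has expired")
    return {k: v.split(",") if "," in v else v for k, v in fields.items() if k not in RESERVED}

def rejection_reason(token, key_b64, issuer, audience, now=None):
    """Return the validation error message, or None when the token is accepted."""
    try:
        validate_swt(token, key_b64, issuer, audience, now)
        return None
    except ValueError as err:
        return str(err)
```

The order matters: the signature is verified before any field is parsed, so an attacker who alters a claim, the audience or the expiry gets a signature mismatch rather than a chance to influence later checks.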