An overview of ACS, ADFS, WIF


Notes from the TechNet Windows Azure AppFabric Access Control Service (ACS) Academy video series -
  • ACS or Access Control Service is a cloud service that abstracts authentication & lets you focus on app development rather than on plumbing
  • ACS is part of Windows Azure Platform - a service within AppFabric 
  • ACS offers federation with Internet identity providers (like Windows Live ID, Facebook, Yahoo, Google) & corporate identity providers (via ADFS v2.0) 
  • Federation means you can outsource authentication to industry mature identity management systems
  • ACS implements federation and trust for web apps using industry standards protocols.
  • ACS can use WS-Federation, WS-Trust, OpenID, OAuth 2.0, OAuth WRAP and SAML 1.1 and 2.0, SWT token formats
  • ACS works for Web and Web services architectures
  • The core functionality of Access Control Service (ACS) & Active Directory Federation Services or ADFS is STS or Security Token Service
  • Both Access Control Service (ACS) & Active Directory Federation Services (ADFS) can be used to implement SSO or single sign-on
  • ADFS is an on-premises STS & is part of the AD in Windows Server.
  • ADFS is both an on-premises Identity & Federation provider. ACS does not manage identities 
  • ADFS relies on Active Directory for identity management but it can federate with non-MS enterprise identity providers like Oracle Identity Federation, CA Federation Manager & more
  • ACS & ADFS integrate seamlessly
  • ACS can serve Private Cloud, PaaS Cloud (not just limited to Windows Azure Platform due to its implementation on open standards) and SaaS Cloud needs
  • ACS is not limited to consumption by Windows Azure deployed apps; any modern app platform hosted on PaaS cloud providers can consume ACS
  • ACS can serve cloud deployed apps, on-premises apps, mobile device apps
  • WIF or Windows Identity Foundation is a .NET runtime that runs as part of your web application or service.
  • WIF is available as a free download
  • ACS & WIF perform protocol & token heavy lifting so that you can focus on your authorization logic
  • ACS does heavy lifting for handling protocols like WS-Federation, WS-Trust, OpenID, OAuth 2.0, OAuth WRAP, Facebook Graph
  • ACS can issue normalized SAML & SWT tokens 
  • You can control authorization access via the ACS Rules Engine & WIF
  • WIF parses incoming tokens & exposes a convenient .NET API
  • WIF provides design time tooling via FedUtil wizard tool
  • WIF offers extensibility through configuration sections, custom toke handlers
  • Using Rules Engine, you can control what claims get into the token & which Identity providers can provide authorization
  • Windows Identity Foundation (WIF) offers Role-based access control (RBAC) & Claims-based authorization
  • 2 ways to Administer ACS - via Management Portal & Management Service
  • Management Portal - accessed through Windows Azure portal
  • Management Service is a service that exposes OData endpoint & offers additional functionality not available via Management Portal
  • ACS can be managed manually and programmatically
  • 4 Key components of ACS:
    • Security Token Service (STS) - it issues tokens for clients that they use to present to the application in order to be authenticated
    • Management Portal - UI for administering ACS
    • Management Service - API/endpoint that is used for management automation. Everything you can do with the Management Portal, you can automate via the Management Service
    • Token Transformation Rule Engine - allows configuration based token transformation 
Related: HOW TO implement Authentication & Authorization using OAuth 2.0 Providers with ASP.NET WebForms

Comments

Popular posts from this blog

Maven Crash Course - Learn Power Query, Power Pivot & DAX in 15 Minutes

"Data Prep & Exploratory Data Analysis" course by Maven Analytics

Oracle Cloud Infrastructure 2024 Generative AI Professional Course & Certification Exam (1Z0-1127-24)