As part of our patterns & practices Azure Security Guidance project, we’re putting together a series of Application Scenarios and Solutions. Our goal is to show the most common application scenarios on the Microsoft Azure platform. This is your chance to give us feedback on whether we have the right scenarios, and whether you agree with the baseline solution.
ASP.NET Security Scenarios on Windows Azure
We’re taking a crawl, walk, run approach and starting with the basic scenarios first. This is our application scenario set for ASP.NET:
ASP.NET Forms Auth to Azure Storage
ASP.NET Forms Auth to SQL Azure
ASP.NET to AD with Claims
ASP.NET to AD with Claims (Federation)
ASP.NET Forms Auth to Azure Storage
Scenario
Solution
Solution Summary Table

Authentication
- The ASP.NET application authenticates users with Forms authentication.
- ASP.NET accesses the membership store in Azure Table storage through the TableStorageMembershipProvider.
- ASP.NET authenticates its requests to Azure Storage with the storage account's shared key.

Authorization
- ASP.NET accesses the role store in Azure Table storage through the TableStorageRoleProvider.
- The ASP.NET application performs role checks.

Communication
- Protect user credentials over the wire with SSL.
- Requests from ASP.NET to Azure Storage are authenticated with the shared key (each request carries an HMAC signature computed with the key). The key authenticates the request but does not encrypt it, so use the HTTPS storage endpoint to protect the signed requests and the data in transit. The key is account-wide, so it should be kept in the service configuration and never sent to the browser.
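The following is an added example, not code from the patterns & practices post or the Azure SDK providers sample, showing what "authenticates with a shared key" actually means for a request to the Azure Table service: the account key signs a canonical string for each request (the Shared Key Lite scheme for the Table service), and the signature goes in the Authorization header. The account name, the Base64 key and the table name are constructed placeholders.

```csharp
// Added example: Shared Key Lite signing of an Azure Table service request.
// "myaccount", the key below and "Users" are constructed placeholders.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class TableSharedKeyLite
{
    // Table service Shared Key Lite: StringToSign = Date + "\n" + CanonicalizedResource,
    // where CanonicalizedResource is "/" + account + "/" + table (plus "?comp=..." when present).
    public static string BuildStringToSign(string account, string table, string dateRfc1123)
    {
        return dateRfc1123 + "\n" + "/" + account + "/" + table;
    }

    // HMAC-SHA256 over the string to sign, keyed with the Base64-decoded account key.
    public static string Sign(string base64Key, string stringToSign)
    {
        byte[] key = Convert.FromBase64String(base64Key);
        using (var hmac = new HMACSHA256(key))
        {
            byte[] sig = hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
            return Convert.ToBase64String(sig);
        }
    }

    public static HttpWebRequest CreateSignedRequest(string account, string base64Key, string table)
    {
        // Always https: the signature proves who sent the request and that it was not altered,
        // but it does not hide the request or the returned rows. Plain http would expose the data.
        var request = (HttpWebRequest)WebRequest.Create(
            string.Format("https://{0}.table.core.windows.net/{1}", account, table));
        request.Method = "GET";
        request.Accept = "application/atom+xml";

        // The date is part of the signed string, which bounds how long a captured request can be replayed.
        string date = DateTime.UtcNow.ToString("R");   // RFC 1123, e.g. "Mon, 01 Jan 2010 00:00:00 GMT"
        request.Headers["x-ms-date"] = date;
        request.Headers["x-ms-version"] = "2009-09-19";

        string signature = Sign(base64Key, BuildStringToSign(account, table, date));
        request.Headers["Authorization"] = "SharedKeyLite " + account + ":" + signature;
        return request;
    }

    public static void Main()
    {
        // Constructed placeholder key (any Base64 string of the right length works for the arithmetic).
        const string key = "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=";
        HttpWebRequest req = CreateSignedRequest("myaccount", key, "Users");
        Console.WriteLine(req.Headers["Authorization"]);
    }
}
```

The point for the solution above: whoever holds the account key can sign any request against any table in the account, so the membership and role providers run with full rights to the storage account. Keep the key in the service configuration (.cscfg), which can be changed without redeploying the role, rather than in web.config, and point the providers at the https endpoint.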
ASP.NET Forms Authentication to SQL Azure
Scenario
Solution
Solution Summary Table

Authentication
- Authenticate users with Forms authentication.
- Store users in SQL Azure.
- ASP.NET connects to SQL Azure using a SQL login (SQL authentication). The application identity, not the end user's, is mapped to this SQL account, so the login should have only the permissions the membership and role schema need.

Authorization
- Store roles in SQL Azure.
- ASP.NET checks roles through the SqlRoleProvider.

Communication
- Protect user credentials over the wire with SSL.
- ASP.NET connects to SQL Azure over TCP port 1433.
- SQL authentication occurs over an encrypted TDS connection: SQL Azure only accepts SSL-encrypted connections, so set Encrypt=True and TrustServerCertificate=False in the connection string so the client both insists on encryption and validates the server certificate.
- The SQL Azure firewall restricts incoming connections to the IP address ranges of the expected client applications.
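As an added example, not from the post, the following shows the three application-side pieces of this solution together: an encrypted, certificate-validated connection string for a least-privilege SQL login, the Forms authentication login that only issues a ticket after the membership provider has validated the password, and a role check served by the SqlRoleProvider. The server name "myserver", database "aspnetdb", login "aspnet_app" and role "Approvers" are constructed placeholders.

```csharp
// Added example: SQL Azure connection, Forms login and role check for the solution above.
// "myserver", "aspnetdb", "aspnet_app" and "Approvers" are constructed placeholders.
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public static class SqlAzureAccess
{
    // Encrypt=True makes the client insist on SSL; TrustServerCertificate=False makes it validate
    // the server certificate, so a man-in-the-middle cannot downgrade or impersonate the server.
    // SQL Azure logins are written as login@server. Use a dedicated login that only has rights on
    // the membership/role schema, never the server administrator account.
    public static string BuildConnectionString(string server, string database, string login, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = "tcp:" + server + ".database.windows.net,1433",
            InitialCatalog = database,
            UserID = login + "@" + server,
            Password = password,
            Encrypt = true,
            TrustServerCertificate = false,
            PersistSecurityInfo = false
        };
        return b.ConnectionString;
    }

    // Forms authentication login. The SqlMembershipProvider (configured with the connection string
    // above) validates the credentials; only then does the application issue the forms ticket.
    // The login POST must travel over SSL, and requireSSL="true" on <forms> keeps the ticket
    // cookie off plain HTTP as well.
    public static bool Login(string userName, string password, bool persist)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;
        FormsAuthentication.SetAuthCookie(userName, persist);
        return true;
    }

    // Role check in application logic, answered by SqlRoleProvider from the roles stored in SQL Azure.
    public static bool CanApprove(HttpContext ctx)
    {
        return ctx.User.Identity.IsAuthenticated && ctx.User.IsInRole("Approvers");
    }

    public static void Main()
    {
        // Constructed placeholder password; in the deployed role the value comes from configuration.
        Console.WriteLine(BuildConnectionString("myserver", "aspnetdb", "aspnet_app", "placeholder-password"));
    }
}
```

The firewall rule that completes the picture is set on the SQL Azure server, not in the application: the address SQL Azure sees is the hosted service's public VIP, so that is the address to allow, and the rule should be as narrow as the deployment permits rather than a wide range.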
ASP.NET to AD with Claims
Scenario
Solution
Solution Summary Table

Authentication
- Authenticate users against Active Directory.
- The user's identity and attributes are conveyed to the application as claims.
- Use Active Directory Federation Services (ADFS) to issue the claims.
- Authenticate users in the application using those claims.
- Use Windows Identity Foundation (WIF) in the ASP.NET application to validate the SAML tokens and extract the claims.

Authorization
- Authorize users against claims.
- Authorize in application logic.
- Store additional claims beyond what AD can provide in a local SQL Server database.

Communication
- Claims are passed using WS-* protocols (WS-Federation for the browser sign-in).
- Claims travel in SAML tokens that ADFS signs; WIF verifies the signature and that the issuer is a trusted STS, so the application acts only on claims that ADFS actually issued.
- Protect the SAML tokens in transit with SSL.
ASP.NET to AD with Claims (Federation)
Scenario
Solution
Solution Summary Table

Authentication
- Authenticate the client browser against Active Directory.
- The user's identity and attributes are conveyed to the application as claims.
- Use Active Directory Federation Services (ADFS) to issue the claims.
- Authenticate users in the application using those claims.
- Establish a trust relationship between the ASP.NET application and an Azure-hosted Security Token Service (STS): the application accepts only tokens issued by that STS.
- Establish a trust relationship between ADFS and the Azure STS: the Azure STS accepts ADFS as the identity provider and issues its own tokens to the application based on the ADFS claims.

Authorization
- Authorize users against claims.
- Authorize in application logic.
- Store additional claims beyond what AD can provide in a local SQL Server database.

Communication
- Claims are passed using WS-* protocols.
- Claims travel in SAML tokens signed by the issuing STS; the application verifies each token's signature and issuer before using its claims.
- Protect the SAML tokens in transit with SSL.
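The authorization half of both claims scenarios (the direct ADFS one and the federated one) is the same from the application's point of view, so one added example serves both. It is not code from the post: it shows a Windows Identity Foundation ClaimsAuthenticationManager that accepts the user's UPN only if it was issued by the trusted STS, adds application roles from a local SQL Server table (claims AD cannot provide), and then makes authorization decisions in application logic on the resulting claims. The issuer name, the "AppRoles" table, the department claim type and the role names are constructed placeholders; in a real deployment the issuer name is whatever the configured IssuerNameRegistry returns for the STS signing certificate, and for the federation variant it names the Azure-hosted STS rather than ADFS.

```csharp
// Added example: claims authorization in application logic with WIF, with local claim augmentation.
// The issuer name, the AppRoles table and the claim types/values are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using Microsoft.IdentityModel.Claims;

public class LocalClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Name the IssuerNameRegistry assigns to the trusted STS (ADFS here; the Azure STS when federating).
    private const string TrustedIssuer = "http://adfs.contoso.com/adfs/services/trust";
    private readonly string connectionString;

    public LocalClaimsAuthenticationManager(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Runs once per authenticated request after WIF has validated the token signature.
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated)
            return incoming;

        var identity = (IClaimsIdentity)incoming.Identity;
        string upn = null;
        foreach (Claim c in identity.Claims)
        {
            // Refuse to key local data on a UPN that the trusted STS did not issue.
            if (c.ClaimType == ClaimTypes.Upn && c.Issuer == TrustedIssuer)
            {
                upn = c.Value;
                break;
            }
        }
        if (upn == null)
            return incoming;

        // Application roles live in a local table because AD does not hold them.
        foreach (string role in LoadLocalRoles(upn))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LOCAL AUTHORITY"));
        return incoming;
    }

    private IEnumerable<string> LoadLocalRoles(string upn)
    {
        var roles = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT RoleName FROM AppRoles WHERE Upn = @upn", conn))
        {
            cmd.Parameters.AddWithValue("@upn", upn);   // parameterized: the UPN came from outside
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                while (r.Read())
                    roles.Add(r.GetString(0));
            }
        }
        return roles;
    }
}

// Authorization in application logic: decisions are made on claims, never on the raw token.
public static class ClaimsChecks
{
    public static bool HasClaim(IClaimsPrincipal p, string type, string value)
    {
        foreach (Claim c in ((IClaimsIdentity)p.Identity).Claims)
            if (c.ClaimType == type && c.Value == value)
                return true;
        return false;
    }

    public static bool CanViewPayroll(IClaimsPrincipal p)
    {
        // Role claim from the local store; department claim supplied by AD through the STS.
        return HasClaim(p, ClaimTypes.Role, "PayrollViewer")
            && HasClaim(p, "http://schemas.contoso.com/claims/department", "HR");
    }
}
```

The manager is registered under the claimsAuthenticationManager element of the microsoft.identityModel section in web.config. Because WIF's ClaimsPrincipal.IsInRole is answered from role claims, the roles added here also make the ordinary User.IsInRole checks and the authorization element in web.config work unchanged.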