ASP.NET Security Scenarios on Azure

As part of our patterns & practices Azure Security Guidance project, we’re putting together a series of Application Scenarios and Solutions.  Our goal is to show the most common application scenarios on the Microsoft Azure platform.  This is your chance to give us feedback on whether we have the right scenarios, and whether you agree with the baseline solution.

ASP.NET Security Scenarios on Windows Azure
We’re taking a crawl, walk, run approach and starting with the basic scenarios first.  This is our application scenario set for ASP.NET:

  • ASP.NET Forms Auth to Azure Storage
  • ASP.NET Forms Auth to SQL Azure
  • ASP.NET to AD with Claims
  • ASP.NET to AD with Claims (Federation)

ASP.NET Forms Auth to Azure Storage

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • ASP.NET application authenticates users with Forms authentication.
  • ASP.NET accesses the membership store through the TableStorageMembershipProvider.
  • ASP.NET authenticates against Azure Storage using a shared key.
Authorization
  • ASP.NET accesses the Role store in Azure Storage through the TableStorageRoleProvider.
  • ASP.NET application performs role checks.
Communication
  • Protect credentials over the wire using SSL.
  • A shared key protects communication between ASP.NET and Azure Storage.

ASP.NET Forms Authentication to SQL Azure

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • Authenticate users with Forms Authentication.
  • Store users in SQL Azure.
  • ASP.NET connects to SQL Azure using a SQL user account.
  • Application identity is mapped to SQL account.
Authorization
  • Store roles in SQL Azure.
  • ASP.NET checks roles through the SqlRoleProvider.
Communication
  • Protect credentials over the wire with SSL.
  • ASP.NET connects to SQL Azure over port 1433
  • SQL authentication occurs over secure TDS.
  • SQL connections are configured to screen IP addresses to expected client app addresses.

ASP.NET to AD with Claims

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • Authenticate users against Active Directory.
  • Obtain user credentials as claims.
  • Use ADFS to provide claims.
  • Authenticate users in application using claims.
  • Use Windows Identity Foundation in ASP.NET app to manage SAML tokens.
Authorization
  • Authorize users against claims.
  • Authorize in application logic.
  • Store additional claims beyond what AD can provide in a local SQL server.
Communication
  • Claims are passed using WS-* protocols.
  • Protect claims over the wire using Security Assertion Markup Language (SAML)
  • Protect SAML tokens with SSL

ASP.NET to AD with Claims (Federation)

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • Authenticate client browser against Active Directory.
  • Obtain user credentials as claims.
  • Use Active Directory Federation Services (ADFS) to provide claims.
  • Authenticate users in application using claims.
  • Establish trust relationship between ASP.NET app and Azure hosted Secure Token Service (STS).
  • Establish trust relationship between ADFS and Azure STS.
Authorization
  • Authorize users against claims.
  • Authorize in application logic.
  • Store additional claims beyond what AD can provide in a local SQL server.
Communication
  • Claims are passed using WS-*protocols.
  • Protect claims over the wire using Security Assertion Markup Language (SAML).
  • Protect SAML tokens with SSL.