As part of our patterns & practices Azure Security Guidance project, we’re putting together a series of Application Scenarios and Solutions. Our goal is to show the most common application scenarios on the Microsoft Azure platform. This is your chance to give us feedback on whether we have the right scenarios, and whether you agree with the baseline solution.
WCF Security Scenarios on Windows Azure
We’re taking a crawl, walk, run approach and starting with the basic scenarios first. This is our application scenario set for WCF:
ASP.NET to WCF on Azure
ASP.NET On-Site to WCF on Azure
ASP.NET with Claims Auth to WCF on Azure
ASP.NET to WCF on Azure
Scenario
Solution
Solution Summary Table
| Area | Notes |
| --- | --- |
| Authentication | Host the WCF service in a dedicated deployment package. |
| | Host the ASP.NET application in a separate deployment package. |
| | Authenticate against the service using a server certificate. |
| | Deliver the service certificate during design/development of the client ASP.NET application. |
| | Authenticate the application under a single application identity. |
| Authorization | Authorize service access in ASP.NET logic. |
| Security | Use transport security to secure communication. |
| | Use an X.509 certificate for SSL encryption. |
ASP.NET On-Site to WCF on Azure
Scenario
Solution
| Area | Notes |
| --- | --- |
| Authentication | Authenticate the application under an application identity. |
| | Authenticate the service with a server certificate. |
| | Deliver the service certificate during design/development. |
| | Use WCF UserName security to flow user credentials from the client application. |
| Authorization | Authorize users in logic implemented in ASP.NET (trusted subsystem). |
| Security | Use message security to protect messages over the wire. |
| | Encrypt messages with the X.509 server certificate. |
| | Use the X.509 certificate to support SSL encryption. |
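The service side of the on-site ASP.NET to WCF scenario, as an added example that is not code from the guidance project: a self-hosted WCF service configured for message security, where the ASP.NET application's identity is sent as a UserName credential and the service's X.509 certificate signs and encrypts the messages. The service contract, endpoint address, certificate subject name and the credential check are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService { [OperationContract] string GetStatus(int orderId); }

public class OrderService : IOrderService
{
    public string GetStatus(int orderId)
    {
        // Caller is the on-site ASP.NET app's identity, not the end user (trusted subsystem).
        string app = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "Order " + orderId + " status requested by " + app;
    }
}

// Hypothetical check of the app identity's UserName credential; use your own credential store.
public class AppIdentityValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "webapp-identity" || password != "<placeholder>")
            throw new SecurityTokenException("Unknown application identity.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Message security: UserName credential inside the SOAP message, signed/encrypted with the service cert.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false; // client already holds the cert
        var host = new ServiceHost(typeof(OrderService), new Uri("http://orders.example.cloudapp.net/OrderService"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        // Service certificate from the role's LocalMachine store (subject name is hypothetical).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "orders.example.cloudapp.net");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new AppIdentityValidator();
        host.Open();
        Console.ReadLine(); // serve until a key is pressed
        host.Close();
    }
}
```

The same certificate would also be bound to the role's HTTPS endpoint for SSL; that part of the role configuration is not shown here.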
ASP.NET with Claims to WCF on Azure
Scenario
Solution
Solution Summary Table
| Area | Notes |
| --- | --- |
| Authentication | Establish a trust relationship between the application and the STS. |
| | Establish a trust relationship between the WCF service and the STS. |
| | Obtain an access token from an Identity Provider (STS, Security Token Service). |
| | Obtain the claims from the access token in the application. |
| | Authenticate in the ASP.NET application using the claims as credentials. |
| | Connect to WCF using the original caller's identity. |
| | Obtain an impersonation token (ActAs token) from the STS. |
| | Use the impersonation token to access the WCF service. |
| Authorization | Authorize in the WCF service against the claims provided in the token. |