Access control to Windows Azure services


I have had a number of questions recently regarding the provision of access to Windows Azure services via Academic Institutions or existing authentication services or methods.

In the context of the Windows Azure AppFabric Access Control Service (ACS), is an identity provider service that authenticates user or client identities and issues security tokens that can be consumed by ACS.

The ACS Management Portal provides built-in support for configuring the following identity providers:

In addition to these identity providers, ACS supports configuration of the following identity provider types programmatically through the ACS Management Service:

For many Universities the answer will be to use one of the following


WS-Trust identity providers pass identity claims to ACS using the WS-Trust protocol and are most frequently used in web service scenarios. Many WS-Trust identity providers also support WS-Federation and can be configured in ACS as WS-Federation identity providers to create the required trust relationship. An example of a WS-Trust identity provider is Active Directory Federation Services (AD FS) 2.0 (also a WS-Federation identity provider), which allows you to integrate your enterprise Active Directory service accounts with ACS. For more information, see How To: Configure AD FS 2.0 as an Identity Provider.

OpenID-Based Identity Providers

ACS supports federation with OpenID-based identity providers for web sites and web applications, using the OpenID 2.0 authentication protocol. The ACS OpenID implementation allows an OpenID authentication endpoint to be configured as part of an identity provider entity in ACS. When an ACS login page is rendered for a relying party application, ACS constructs an OpenID authentication request as part of the login URL for the identity provider. After a user selects the identity provider and logs in at the requested URL, the OpenID response is returned to the ACS where it is processed by the ACS rules engine. ACS retrieves OpenID user attributes using the OpenID Attribute Exchange Extension and maps these attributes to claims that are then output in the token response issued to the relying party application.

Two examples of OpenID-based identity providers that ACS supports are Google and Yahoo!, which can be configured in the ACS Management Portal. For more information, see Google and Yahoo!.

Other identity providers that support OpenID 2.0 authentication endpoints can be configured programmatically using the ACS Management Service. For more information, see How To: Use Management Service to Configure an OpenID Identity Provider.

Windows Identity Foundation Simplifies User Access for Developers

Enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperability.

Federated Authentication in a Windows Azure Web Role Application

Identity and the Windows Azure Platform Hands on labs resources

Comments (0)

Skip to main content