Windows Azure AppFabric Access Control April release has been released to production and is now generally available at http://windows.azure.com.
The new version of the Access Control service represents a major step forward from the previous production version, introducing support for web application single sign-on (SSO) scenarios using WS-Federation, federation for SOAP and REST web services using WS-Trust and OAuth, and more. In addition, a new web-based management portal and OData-based management service are now available for configuring and managing the service.
Web Single Sign Scenarios
In web SSO scenarios, out of box support is available for Windows Live ID, Google, Yahoo, Facebook, and custom WS-Federation identity provider such as Active Directory Federation Services (AD FS) 2.0. To create the sign-in experience for these identity providers, the service now features a new JSON-based home realm discovery service that allows your web application to get your identity provider configuration from the service and display the correct sign in links.
Access Control automatically handles all protocol transitions between the different identity providers, including Open ID 2.0 for Google and Yahoo, Facebook Graph for Facebook, and WS-Federation for Windows Live ID and custom identity providers. The service then delivers a single SAML 1.1, SAML 2.0, or SWT token to your web application using the WS-Federation protocol once a user has completed the sign in process. The service works with Windows Identity Foundation (WIF), making it easy for your ASP.NET applications to consume SAML tokens issued from it.
For more information on web application scenarios and Access Control, see Web Applications and ACS in the MSDN documentation.
Web Service Scenarios
Access Control supports active federation with web services using the WS-Trust, OAuth WRAP, or OAuth 2.0 protocol.
To access a web service protected by Access Control, a web service client can obtain a bearer token from an identity provider (such as AD FS 2.0), and then exchange that token with the service for a new SAML 1.1, SAML 2.0, or SWT token required to access the protected web service. Alternatively, in the cases where no identity providers are available, the client can authenticate directly with Access Control using a service identity (a credential type configured in in the service) in order to obtain the required token. A service identity credential can be a password, an X.509 certificate, or a 256-bit symmetric signing key (used to validate the signature of a self-signed SWT token presented by the client).
For more information on web service scenarios and Access Control, see Web Services and ACS in the MSDN documentation.
Access Control features a web-based management portal, which makes it easy to configure core web application and web service scenarios for a selected namespace. This includes support for configuring and managing the following components:
- Identity providers
- Relying party applications, which represent your web applications and services
- Rules and rule groups, which define what information is passed from identity providers and clients to your applications
- Certificates and keys for token signing, encryption, and decryption
- Service identities for web service authentication
- Management credentials for accessing the portal and management service
The management portal can be launched by visiting the Service Bus, Access Control, and Caching section of the Windows Azure portal, clicking the Access Control node, selecting a service namespace, and then clicking Manage Access Control Service in the ribbon above.
In addition to the management portal, Access Control now features a redesigned management service that enables all service components to be managed using the OData protocol. For more information on the Access Control management service, see ACS Management Service in the MSDN documentation.
Be sure to check out the following resources for help getting started with Access Control:
- Detailed FAQs
- MSDN Documentation
- CodePlex Site (for code samples)
- Identity Training Kit
- Windows Azure Platform Security Forum
If you have not signed up for Windows Azure AppFabric and would like to start using Access Control, be sure to take advantage of our free trial offer. Just click on the image below and get started today!
The Windows Azure AppFabric Team.