Access Control in the Cloud: Windows Azure AppFabric's ACS

There is a new solution in town for authenticating Representational State Transfer (REST)–based web resources—and it's called the Access Control Service (ACS). Part of the Windows Azure platform AppFabric offering, the ACS makes it possible to achieve authentication and authorization scenarios not previously possible for web resources, including a standards-based way to authenticate from Windows, AJAX, or Silverlight clients and federation scenarios with business partners. This article will be the first of a short series on the ACS. Here I'll introduce the ACS and provide an overview of some fundamental features and implementation scenarios. In subsequent articles I will dive in further.

What Is the ACS?
Simply put, the ACS is a standards-based token issuer in the cloud: a hosted, multi-tenant offering available to every AppFabric account. Once you've signed up for a Windows Azure Platform account, you can begin configuring your applications to rely on the ACS to easily authorize access for trusted applications, users, and partners. Figure 1 illustrates a very high-level perspective on the flow of communication among participants. The client application (Service Consumer) requests a token from the ACS—supplying either a symmetric key or Security Assertion Markup Language (SAML) token. The ACS (Token Issuer) verifies that the request came from a trusted caller; evaluates rules associated with the scope of the request; and issues a security token carrying the claims granted the caller. The web resource (Service Provider) verifies that the security token was issued by a trusted token issuer (the ACS account) and uses the issued claims to authorize access accordingly.

There are a lot of useful scenarios enabled with this simple flow including

• a simple and interoperable security model that works with any platform at the service consumer or service provider.
• federated security scenarios for REST-based resources.
• flexible, rules-driven, and claims-based authorization.
• the ability to extend applications to users or business partners in other trusted domains, without impact to the service provider.
• a demilitarized zone (DMZ) in the cloud—the ACS becomes the first stop for scalable Denial of Service (DoS) attack prevention.

Access Control Setup
From the AppFabric management portal you will create one or more service namespaces for your AppFabric account. Each service namespace usually coincides with a particular set of applications for which you want to host services with the Service Bus (SB) or protect resources with the ACS. For example, Figure 2 shows the management, SB, and ACS details for one of my AppFabric service namespaces, BustaCloudDemos.

To configure your ACS instance, you will likely use the ACS Management Browser (see Figures 4 through 7, to be discussed later). You supply the service namespace and the management key (from Figure 2), and the tool communicates with the ACS management endpoint on your behalf. To request tokens, you hit the ACS STS endpoint (also from Figure 2)—passing a properly formatted request for an ACS token and supplying a valid token that the ACS can use to authenticate this request. I'll talk more about this process later.

Note: The ACS management endpoint is a REST-based service that you can interact with directly, and there is also a code sample with the AppFabric SDK that includes a simple API to call the management endpoint (acm.exe). Obviously it is easier to work with the management browser when you are first trying it out.

Resource Model
Figure 3 illustrates the ACS resource model configured through the management endpoint. First and foremost you can see that there is a management key (shown blacked out in Figure 2) for each service namespace; you use this to request a key to authenticate to the management endpoint. When you set out to configure your ACS instance, you're usually thinking in terms of your application resources (scopes) and your clients (users, applications, or partners that you want to grant access to).

Related Content:

• JetBrains Releases New Version of dotTrace Performance
• Product Review: DevExpress WinForms
• How to Build a 'Folder Watcher' Service in C#
• Text Control Releases TX Text Control 17.0 and TX Spell .NET 2.0
• Telerik Q3 2011 Release Enhances 14 .NET Developer Products