What planning is required for incorporating ACS?
I have a multi-tenant SaaS ASP.NET MVC app on Azure. It achieves multi-tenancy through my own custom code and authenticates with usernames and passwords. At the very least, I want to maintain username/password authentication, but in the future I'd like customers to have the capability to use their own infrastructure such as Geneva. I guess this is where ACS comes in.
What planning should I do now for ACS? Or, can I deploy as is and easily incorporate ACS later? I'm worried that simply using username/password authentication now without ACS would make things difficult for me down the road. Is that true?
Answers
- Hello, as announced at http://blogs.msdn.com/netservicesannounce/archive/2009/10/30/the-net-services-november-2009-ctp-breaking-changes-announcement-and-scheduled-maintenance.aspx, ACS no longer supports federation.
However, if you simply want to authenticate the clients using their on-premise STS, you can. This is actually no different from working with passive federation in an on-premise ASP.NET application. You configure Geneva Framework to accept tokens issued by the client's STS (such as Geneva Server). After you get the token, you can do whatever you want, such as allow/disallow an operation based on whether the token contains a specific claim or not. You can refer to the Identity Training Kit (http://www.microsoft.com/downloads/details.aspx?familyid=C3E315FA-94E2-4028-99CB-904369F177C0&displaylang=en) for some tutorials.
One thing to note is that currently you cannot work with the local certificate store in Windows Azure. That's why you should use the workaround described in http://code.msdn.microsoft.com/wifwazpassive to work with certificates. That is, you embed the encoded value of the certificate in web.config, and use Microsoft.IdentityModel.Plus.dll to help you access the certificate.
ACS, on the other hand, is used for authorization purposes (not authentication). Think of the RoleProvider in ASP.NET. You create several rules based on the user's role. Role is one kind of claim. ACS supports more claims, such as role, action, age, etc. If you want to use ACS, I suggest you wait for the next release, because there will be a lot of breaking changes.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights. - Marked As Answer by be789 Thursday, November 05, 2009 7:11 AM
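The passive-federation setup the answer describes, carried one step further for the multi-tenant case in the question: this is an added example, not code from the thread or from any Microsoft sample. It assumes Geneva Framework / WIF 1.0 (the Microsoft.IdentityModel namespaces) and ASP.NET MVC. The TenantDirectory class, its thumbprints and issuer names, and the convention that the tenant id is the first DNS label of the request host are all invented for illustration. The security point it adds is the one a multi-tenant app cannot skip: trusting a tenant's STS is not enough, each claim must also be checked to have come from the STS of the tenant whose data the request targets, or a valid token from one tenant can be replayed against another tenant's host name.

```csharp
// Added example, not from the original thread. Assumes WIF 1.0 (Microsoft.IdentityModel)
// and ASP.NET MVC. TenantDirectory, thumbprints and the host-name convention are invented.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

// Per-tenant trust data the SaaS app keeps in its own store. IssuerName is the value
// WIF will put in Claim.Issuer for every claim from that tenant's STS.
public sealed class TenantTrust
{
    public string TenantId;          // first DNS label of the tenant's host, e.g. "contoso"
    public string IssuerName;        // e.g. "urn:contoso-sts"
    public string SigningThumbprint; // SHA-1 thumbprint of the STS token-signing certificate
}

public static class TenantDirectory
{
    // Constructed sample data; a real app would load this from its tenant database.
    static readonly List<TenantTrust> Tenants = new List<TenantTrust>
    {
        new TenantTrust { TenantId = "contoso",  IssuerName = "urn:contoso-sts",
                          SigningThumbprint = "0000000000000000000000000000000000000001" },
        new TenantTrust { TenantId = "fabrikam", IssuerName = "urn:fabrikam-sts",
                          SigningThumbprint = "0000000000000000000000000000000000000002" },
    };

    public static TenantTrust ByThumbprint(string thumbprint)
    {
        return Tenants.FirstOrDefault(t =>
            string.Equals(t.SigningThumbprint, thumbprint, StringComparison.OrdinalIgnoreCase));
    }

    public static TenantTrust ByTenantId(string tenantId)
    {
        return Tenants.FirstOrDefault(t =>
            string.Equals(t.TenantId, tenantId, StringComparison.OrdinalIgnoreCase));
    }
}

// Replaces ConfigurationBasedIssuerNameRegistry. WIF calls GetIssuerName while validating
// the incoming token's signature; returning null makes the token handler reject the token,
// so anything signed by a certificate not registered for some tenant never becomes an
// authenticated principal. Register it in web.config under <microsoft.identityModel><service>:
//   <issuerNameRegistry type="TenantIssuerNameRegistry, YourAssembly" />
public class TenantIssuerNameRegistry : IssuerNameRegistry
{
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null) return null;   // only certificate-signed tokens are trusted
        var tenant = TenantDirectory.ByThumbprint(x509.Certificate.Thumbprint);
        return tenant == null ? null : tenant.IssuerName;
    }
}

// The authorization step from the answer: allow the action only if the token carries a
// specific claim. The multi-tenant twist: the claim must have been issued by the STS of
// the tenant the request is for, not merely by some trusted STS.
public class TenantRoleAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string requiredRole;

    public TenantRoleAuthorizeAttribute(string requiredRole)
    {
        this.requiredRole = requiredRole;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated) return false;

        // Assumed convention: tenant id is the first DNS label of the request host.
        string tenantId = httpContext.Request.Url.Host.Split('.')[0];
        var tenant = TenantDirectory.ByTenantId(tenantId);
        if (tenant == null) return false;

        return HasRoleFromIssuer(principal, requiredRole, tenant.IssuerName);
    }

    // Public so the rule can be unit-tested with a hand-built IClaimsPrincipal.
    public static bool HasRoleFromIssuer(IClaimsPrincipal principal, string role, string issuerName)
    {
        return principal.Identities
            .SelectMany(id => id.Claims)
            .Any(c => c.ClaimType == ClaimTypes.Role
                   && c.Value == role
                   && c.Issuer == issuerName);
    }
}

// Usage on a controller action:
// [TenantRoleAuthorize("Admin")]
// public ActionResult DeleteInvoice(int id) { ... }
```

Two things are worth checking when adapting this. First, compare Claim.Issuer rather than Claim.OriginalIssuer: Issuer is the name your registry returned for the signing certificate, which is the only value tied to a signature you verified. Second, keep a separate thumbprint per tenant; if two tenants are registered with the same certificate, the issuer check above can no longer tell their tokens apart.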