Cloud Computing @ Microsoft France

The information system and the clouds

PDC2008 - .Net Services – Access Control Service Drilldown


Justin Smith, the program manager for this offering, presents the session.

This offering is part of the Identity Software + Services initiative, which encompasses a large number of offerings at Microsoft: Microsoft Services Connector, Geneva Server, Geneva Framework, Microsoft Federation Gateway, Live Identity Services and .Net Access Control Service.

Agenda: motivation, .Net Access Control Service guided tour, request and process tokens, architecture, futures.

Motivation

What are the first two questions you should consider when developing an application? Who is the caller? What can they do? There is a wide range of offerings to answer them on premises, but how do you do it in the cloud?

A description of the common interaction pattern used inside Microsoft offerings for claims processing between a requestor, an STS and the application being called (see the Web presentation schema):

  1. Certificate exchange, periodically refreshed, between your app and the STS
  2. Definition of access control rules for a customer

A scope is a container for access control rules with preferences. A user account contains multiple scopes. A scope is named by a URL. Quotas will be introduced in the November 2008 CTP. A rule exists in only one scope.

Where is it currently used? SQL Data Services (accepts a username and password as well as a token produced by the Access Control Service), .Net Service Bus, .Net Workflow Service, the portals, and more to come…

Basic anatomy of the Access Control Service

  • The portal is a Web UI to configure access control rules
  • A client API manages the rules programmatically
  • The service (STS) issues claims; it is a claims transformer. Developers interact with the service via the Geneva Framework. It is also possible to work natively with a WS-Trust 1.3 stack such as WCF or Metro. The SDK also has types to manage tokens.
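The claims-transformer pattern above (scopes named by a URL, rules that belong to exactly one scope, an STS that maps input claims to output claims and issues a signed token with an expiry, and an application that validates that token) can be modelled in a few dozen lines. The following is an added example written for this page, not Microsoft's code or the .Net Services SDK: the class and function names, the scope URL and the rule shapes are assumptions, and an HMAC shared secret stands in for the certificate exchange described in step 1 so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Claim:
    """A claim as the STS sees it: who asserted it, what kind, what value."""
    issuer: str
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    """Maps one input claim to one output claim (frozen so it can be tracked by identity)."""
    input_issuer: str
    input_type: str
    input_value: str
    output_type: str
    output_value: str

    def matches(self, claim: Claim) -> bool:
        return (claim.issuer, claim.type, claim.value) == (
            self.input_issuer, self.input_type, self.input_value)


class AccessControlService:
    """Toy claims transformer (hypothetical, not the real service): scopes are named
    by URL, each holds its own rules, a rule belongs to exactly one scope, and issued
    tokens carry the transformed claims plus an expiry."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key                    # stands in for the STS certificate (assumption)
        self._scopes: Dict[str, List[Rule]] = {}
        self._rule_owner: Dict[Rule, str] = {}     # enforces "a rule exists in only one scope"

    def add_scope(self, scope_url: str) -> None:
        self._scopes.setdefault(scope_url, [])

    def add_rule(self, scope_url: str, rule: Rule) -> None:
        if scope_url not in self._scopes:
            raise KeyError(f"unknown scope {scope_url}")
        owner = self._rule_owner.get(rule)
        if owner is not None and owner != scope_url:
            raise ValueError(f"rule already belongs to scope {owner}")
        self._rule_owner[rule] = scope_url
        self._scopes[scope_url].append(rule)

    def issue_token(self, scope_url: str, input_claims: Iterable[Claim],
                    now: int, lifetime: int = 300) -> bytes:
        """Apply the scope's rules to the input claims and sign the result."""
        claims = list(input_claims)
        output = sorted({(r.output_type, r.output_value)
                         for r in self._scopes[scope_url]
                         for c in claims if r.matches(c)})
        body = {"scope": scope_url,
                "claims": [{"type": t, "value": v} for t, v in output],
                "exp": now + lifetime}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + sig


def validate_token(token: bytes, signing_key: bytes, expected_scope: str,
                   now: int) -> Optional[List[dict]]:
    """Application side: check signature, scope and expiry before trusting any claim.
    Returns the claims on success and None on any failure."""
    payload, sep, sig = token.rpartition(b".")   # hex signature never contains '.'
    if not sep:
        return None
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    body = json.loads(payload)
    if body.get("scope") != expected_scope or body.get("exp", 0) <= now:
        return None
    return body["claims"]


def demo() -> Optional[List[dict]]:
    """Constructed walk-through: one scope, two rules for the same input claim."""
    key = b"constructed-shared-secret"           # constructed sample key
    scope = "http://example.invalid/myapp"       # constructed scope URL
    acs = AccessControlService(key)
    acs.add_scope(scope)
    acs.add_rule(scope, Rule("acs-username", "username", "alice", "action", "read"))
    acs.add_rule(scope, Rule("acs-username", "username", "alice", "action", "write"))
    token = acs.issue_token(scope, [Claim("acs-username", "username", "alice")], now=1000)
    return validate_token(token, key, scope, now=1100)
```

The application never inspects the username itself; it only trusts the output claims (here `action`) after the signature, scope and expiry checks pass, which is the point of putting the mapping in the STS rather than in every application.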

Demo: http://portal.ex.azure.microsoft.com, accessible through a Live ID. From there you access the services and go to the Access Control section.

Request and Process Tokens

.Net Access Control Service is not an identity provider. Today, the username used for claim mapping is stored in the .Net Access Control Service; this is temporary, to ease access for developers. In a future version, Windows Live ID will be used by default as the identity provider.

In advanced mode, you can add identity issuers, permissions, encryption, claim types and expiration.

Passive federation is supported; it is intended for any HTTP-redirect-aware client (browsers).

The Access Control Service can federate with Live Identity Service (LiveFederation.aspx) and Geneva Server (Federation.aspx) today. More third-party WS-Federation support is to come.

Active mode examples are in the .Net Services SDK. Three endpoints: Username, CardSpace…

The Access Control Service is built on top of the Geneva Framework.

FAQ

Q: Is it possible to connect to SQL Data Services through the .Net Access Control Service? Yes, this is part of the current CTP.