J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

WCF Security Scenarios on Azure

WCF Security Scenarios on Azure

  • Comments 2

As part of our patterns & practices Azure Security Guidance project, we’re putting together a series of Application Scenarios and Solutions.  Our goal is to show the most common application scenarios on the Microsoft Azure platform.  This is your chance to give us feedback on whether we have the right scenarios, and whether you agree with the baseline solution.

WCF Security Scenarios on Windows Azure
We’re taking a crawl, walk, run approach and starting with the basic scenarios first.  This is our application scenario set for WCF:

  • ASP.NET to WCF on Azure
  • ASP.NET On-Site to WCF on Azure
  • ASP.NET with Claims Auth to WCF on Azure

ASP.NET to WCF on Azure

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • Host WCF service in dedicated deployment package.
  • Host ASP.NET application in separate deployment package.
  • Authenticate against service using server certificate.
  • Deliver service certificate during design/development of client ASP.NET application.
  • Authenticate application under single application identity.
Authorization
  • Authorize service access in ASP.NET logic.
Security
  • Use Transport security to secure communication.
  • Use X509 certificate for SSL encryption.

ASP.NET On-Site to WCF on Azure

Scenario

image

Solution

image

Area Notes
Authentication
  • Application authenticated under application identity.
  • Service authenticated with server certification.
  • Service certificate delivered during design/development.
  • Use WCF username security to flow user credentials from client app.
Authorization
  • Authorize users in logic implemented at ASP.NET (trusted subsystem)
Security
  • Use message security to protect over the wire.
  • Encrypt messages with x509 server certificate.
  • Use x509 certificate to support SSL encryption.

ASP.NET with Claims to WCF on Azure

Scenario

image

Solution

image

Solution Summary Table

Area Notes
Authentication
  • Establish trust relationship between application and STS.
  • Establish trust relationship between WCF service and STS.
  • Obtain access token from an Identity Provider (STS - Simple Token Service)
  • Obtain claims in access token app.
  • Authenticate in ASP.NET application using claims as credentials.
  • Connect to WCF using the original caller identity.
  • Obtain impersonation token (ActAs token) from STS.
  • Use impersonation token to access WCF service.
Authorization
  • Authorize in WCF service against claims provided in token.
Communication
  • Use HTTP for application to STS communication.
  • Use HTTP for application to WCF communication.
  • Use HTTP for WCF to STS communication.

My Related Posts

  • I'm interested in the first option and in particular working with certificates in Azure. I've previously been scared of the added complexity of certificates.

    Tell me, provided I sort myself out with a cert from a CA, is this ready to roll today (MVC app <-> WCF)?

  • @ Luke -- I get what you mean about added complexity.    Is there a way you can test your scenario quickly?  (I'm always a fan of testing since context is what counts)

Page 1 of 1 (2 items)