Identity & Access in the Cloud

When building applications on the Windows Azure Platform, you need to think about how to manage identity and access, especially in scenarios where the application must use on-premises resources as well as cloud services for enterprise and inter-enterprise collaboration. Three key technologies that ease this task are:

1. Windows Azure AppFabric Access Control Service

2. Active Directory Federation Services 2.0

3. Windows Identity Foundation

The Windows Azure AppFabric Access Control Service helps build federated authorization into your applications and services, without the complicated programming that is normally required to secure applications that extend beyond organizational boundaries. With its support for a simple declarative model of rules and claims, Access Control rules can easily and flexibly be configured to cover a variety of security needs and different identity-management infrastructures. It acts as a Security Token Service in the cloud.
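The declarative rules-and-claims model works like a small interpreter: each rule is scoped to one trusted issuer and maps one input claim to one output claim, and anything no rule covers is simply dropped. The following is an added example written for this post, not Access Control Service code; the issuer URLs, claim types and claim values are constructed for illustration, and the rule shape (issuer, input type/value, output type/value, with a pass-through option) is an assumption that mirrors the model described above.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Access Control Service code: a minimal interpreter for
# declarative claim-mapping rules. Every rule is bound to one issuer and maps
# one input claim (type and value) to one output claim. Issuer URLs, claim
# types and values are constructed for illustration.


@dataclass(frozen=True)
class Rule:
    issuer: str                   # issuer whose claims this rule trusts
    input_type: Optional[str]     # None matches any input claim type
    input_value: Optional[str]    # None matches any input claim value
    output_type: str
    output_value: Optional[str]   # None passes the input value through unchanged


def apply_rules(rules, issuer, input_claims):
    """Map (type, value) input claims presented by `issuer` to output claims.

    The rule set is an allow-list: an input claim that no rule covers is
    dropped, and a rule never fires for claims from a different issuer, so one
    identity provider cannot mint claims that are reserved for another.
    """
    output = {}
    for claim_type, claim_value in input_claims:
        for rule in rules:
            if rule.issuer != issuer:
                continue
            if rule.input_type is not None and rule.input_type != claim_type:
                continue
            if rule.input_value is not None and rule.input_value != claim_value:
                continue
            value = claim_value if rule.output_value is None else rule.output_value
            output.setdefault(rule.output_type, set()).add(value)
    # a multi-valued output claim is carried as one comma-separated field
    return {k: ",".join(sorted(v)) for k, v in output.items()}


# Constructed rule set for a hypothetical REST service scope
RULES = [
    Rule("https://idp-a.example/", "group", "Sales", "action", "ReadOrders"),
    Rule("https://idp-a.example/", "group", "Sales", "action", "CreateOrder"),
    Rule("https://idp-a.example/", "group", "Finance", "action", "ReadOrders"),
    Rule("https://idp-a.example/", "email", None, "email", None),   # pass-through
    Rule("https://idp-b.example/", "role", "Auditor", "action", "ReadOrders"),
]

if __name__ == "__main__":
    claims = [("group", "Sales"), ("group", "Domain Users"), ("email", "alice@idp-a.example")]
    print(apply_rules(RULES, "https://idp-a.example/", claims))
```

Note that the "Domain Users" group never reaches the service: only claims with a matching rule are emitted, which is the property that keeps the service from having to understand every identity provider's vocabulary.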

Active Directory Federation Services 2.0 is a server role in Windows Server that provides simplified access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web. AD FS 2.0 helps IT streamline user access with native single sign-on across organizational boundaries and in the cloud, connect applications easily by using industry-standard protocols, and provide consistent security to users with a single user-access model that is externalized from applications.

Windows® Identity Foundation (WIF) is a framework for building identity-aware applications. The framework abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services and claims-aware applications. Applications can use WIF to process tokens issued from security token services and make identity-based decisions at the web application or web service.


All application scenarios that involve AppFabric Access Control consist of three service components:

· Service provider: the REST Web service.

· Service consumer: the client application that accesses the Web service.

· Token issuer: the AppFabric Access Control service itself.

For this release, AppFabric Access Control focuses on authorization for REST Web services and the AppFabric Service Bus. The following is a summary of AppFabric Access Control features:

· Cross-platform support. AppFabric Access Control can be accessed from applications that run on almost any operating system or platform that can perform HTTPS operations.

· Active Directory Federation Services (ADFS) version 2.0 integration. This includes the ability to parse and publish WS-Federation metadata.

· Lightweight authentication and authorization using symmetric keys and HMACSHA256 signatures.

· Configurable rules that enable mapping input claims to output claims.

· Web Resource Authorization Protocol (WRAP) and Simple Web Token (SWT) support.
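The symmetric-key, HMACSHA256 and SWT features above fit together in one exchange: the token issuer signs a set of form-encoded claims, and the REST service verifies the signature with the shared key before it trusts anything in the token. The following is an added example, not ACS or WIF code, showing both sides in Python (the cross-platform point above is exactly that a service need not be .NET to validate these tokens). The key, issuer, audience and claim values are constructed, and the field layout (Issuer, Audience, ExpiresOn in seconds since the epoch, signature appended as a trailing HMACSHA256 field) follows the SWT format as assumed here.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Added example, not ACS or WIF code: issuing and validating a Simple Web Token
# signed with HMAC-SHA256 over a symmetric key. Key, issuer, audience and claim
# values are constructed for illustration.

RESERVED = ("Issuer", "Audience", "ExpiresOn")


def issue_swt(claims, issuer, audience, key, lifetime=600, now=None):
    """Token issuer side: form-encode the fields, then append
    HMACSHA256=<base64 HMAC-SHA256 over every byte that precedes it>."""
    now = int(time.time()) if now is None else now
    fields = {"Issuer": issuer, "Audience": audience, "ExpiresOn": str(now + lifetime)}
    fields.update(claims)
    unsigned = urlencode(fields)
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(mac).decode("ascii"), safe="")


class TokenError(Exception):
    pass


def validate_swt(token, issuer, audience, key, now=None):
    """Service provider side. Order matters: verify the signature before trusting
    any field, then pin issuer and audience, then reject expired tokens."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    cut = token.rfind(marker)
    if cut < 0:
        raise TokenError("token is unsigned")
    unsigned, sig = token[:cut], token[cut + len(marker):]
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise TokenError("malformed signature")
    expected = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        raise TokenError("signature mismatch")
    parsed = parse_qs(unsigned, strict_parsing=True)
    if any(len(v) != 1 for v in parsed.values()):
        raise TokenError("repeated field")
    fields = {k: v[0] for k, v in parsed.items()}
    if fields.get("Issuer") != issuer:
        raise TokenError("unexpected issuer")
    if fields.get("Audience") != audience:
        raise TokenError("token issued for another audience")
    expires = fields.get("ExpiresOn", "")
    if not expires.isdigit() or now >= int(expires):
        raise TokenError("token expired")
    return {k: v for k, v in fields.items() if k not in RESERVED}


def accepts(token, issuer, audience, key, now=None):
    """True if the service would honour the token, False for any rejection."""
    try:
        validate_swt(token, issuer, audience, key, now=now)
        return True
    except TokenError:
        return False


# Constructed values for the walk-through
KEY = b"constructed-shared-secret"
ISSUER = "https://constructed-namespace.accesscontrol.example/"
AUDIENCE = "http://rest.service.example/orders/"

if __name__ == "__main__":
    tok = issue_swt({"action": "ReadOrders", "email": "alice@idp-a.example"},
                    ISSUER, AUDIENCE, KEY, now=1700000000)
    print(tok)
    print(validate_swt(tok, ISSUER, AUDIENCE, KEY, now=1700000100))
    print(accepts(tok.replace("ReadOrders", "DeleteOrders"), ISSUER, AUDIENCE, KEY, now=1700000100))
```

The audience check is the one most often skipped in hand-rolled validators: without it, a token the issuer minted for one REST service is accepted by every other service that shares the same key.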

Acm.exe Tool

The Windows Azure AppFabric Access Control Management Tool (Acm.exe) is a command-line tool you can use to perform management operations (CREATE, UPDATE, GET, GET ALL, and DELETE) on the AppFabric Access Control entities (scopes, issuers, token policies, and rules).


View: What is Access Control Service?, Access Control Service & ADFS v2 Integration

Downloads & References

· Windows Azure AppFabric SDK September Release is now available here for download (both 32-bit and 64-bit versions).

· AppFabric LABS is an environment that the AppFabric team uses to showcase early bits and get feedback from the community. Usage of this environment is not billed.

· Datasheet for Customers