WCF (SOAP) Service With Federated Authentication, Identities In Active Directory
Back to [[Windows Azure Active Directory Solutions For Developers]]
Scenario
In this scenario you have WCF service that exposes SOAP endpoint. It needs to authenticate requests based on issued SAML tokens. Identities and their credentaitlas are managed in corporate Active Directory (AD).
- WCF Services exposes SOAP endpoint.
- Authenticates requests based on issued tokens.
- Tokens are of SAML format.
- Identities are in corporate Active Directory (AD)
Solution Approach
Windows Azure AppFabrice Access Control Service (ACS) and ADFS are used to solve this scenario.
- ACS does not manages Service Identities (SI) and its credentials
- Authentication is accomplished via ADFS
- WIF is used on the agent (WCF client) end to request the token from ACS and send it to the WCF service.
- WIF is used on the WCF service end to validate and parse the token issued by ACS
Analysis
In this solution an agent (WCF client) uses WIF to send request directly to ACS requesting a SAML token based on the credentials which which are managed in corporate Active Directory. The identities are available through AD FS. Credentials type is controlled by AD FS which returns valid SAML token upon successful authentication. For more details on tokens read Token Formats Supported in ACS. ACS issues the SAML token upon successful validation of the SAML token issued by AD FS. The agent sends the token to the WCF service where it is validated and parsed using WIF. For more info read Web Services and ACS. ACS does not manage service identities and their credentials using Service Identities entities.
How-To's
- How To: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
- How To: Configure AD FS 2.0 as an Identity Provider
- How To: Use Management Service to Configure AD FS 2.0 as an Enterprise Identity Provider
Code Samples
Resources
- Windows Azure AppFabric Access Control Service (ACS) Academy Videos
- Securing WCF Services with ACS
- AD FS 2.0 Step-by-Step and How To Guides
- Federated Web SSO Design
- Web SSO Design
- Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
- Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
- Provide Users in Another Organization Access to Your Claims-Aware Applications and Services