
How can I secure a WCF service using Azure Active Directory:

My status:

  • My WCF service that contains the business logic is hosted on an Azure WebRole.

I want your help to do the following:

  • Configure my WCF Service in Azure to federate the authentication process to Azure Active directory.
  • Configure my WCF Client to get Tokens from Azure Active directory by providing his [username/password].
  • Configure my WCF Service to verify the client's tokens.

My environment constraints:

  • WCF 4.5.
  • WIF 4.5.
  • Visual Studio 2012.
  • It's a Proof of concept and I have to use Self Signed Certificates.
Mahmoud Samy
  • Welcome to StackOverflow. Please do not duplicate questions. http://stackoverflow.com/questions/15744763/securing-wcf-4-5-service-using-azure-acs-2-0/15745564#15745564. Or consider marking generic one for delete. – Aleksei Anufriev Apr 01 '13 at 14:44

1 Answer

Alexey's answer should get you started. But one thing I'd mention:

Using Azure ACS i have created a [username/password] for every user via [ACS Service identities].

In production you shouldn't do this. Service identities are meant to authorize services that are trusted subsystems, where the key itself is not exposed externally. Keep in mind that ACS is a federation provider, not an identity provider. It's principally designed for linking existing identity systems together and not for storing user credentials. If your system grows using service identities as user credentials, you'll run into problems with scale and user account (password) management.

As a proof of concept, it's fine. But for something real you might rely on an on-prem AD, consumer identity providers like Facebook and Google, or check out http://www.windowsazure.com/en-us/manage/services/identity/

Andrew Lavers
  • I have a limited number of users, and the [ACS Service identities] match my scaling plans. – Mahmoud Samy Apr 07 '13 at 09:03
  • The problems with service identities aren't limited to scale; a few things to also keep in mind are that real identity providers come with some important parts built in, such as letting users change their own passwords and automated email reset of forgotten passwords. Service identity passwords are also stored as plaintext. – Andrew Lavers Apr 07 '13 at 15:06
  • Is it possible to use Gmail or Yahoo as IdPs to authenticate my WCF service clients? – Mahmoud Samy Apr 07 '13 at 17:33
  • Yes, but signing in to Google or Yahoo would need to be done in a browser. You would have your client app pop up a browser control and send it to ACS, which then redirects to a Google or Yahoo sign-in page. This is an increasingly common pattern for clients. For example, Windows Store apps have an integrated way of doing this: (http://msdn.microsoft.com/en-us/library/windows/apps/hh750287.aspx) – Andrew Lavers Apr 10 '13 at 16:52