
I understand ACS is being phased out in favor of WAAD. As I prepare to delve into Azure for the first time I have a few questions. I already have an Azure account (linked with my MSDN account).

Under ACS, I would create a namespace for my application, configure it with IdPs and claims mapping. I would point my application (a RESTful API via WebAPI2) to the ACS federation endpoint for my namespace.

Under WAAD, I've seen where I can add my own application. When I create the new application, is this creating a tenant in my directory? I don't see where I can register my IdPs and configure the IdPs for my relying party. In addition to authenticating via social networks (like Facebook/Google/etc.), I'm going to want to write a custom IdP to hit against my on-premises user store. Is this possible in WAAD? Finally, when creating the application (tenant) in WAAD, it's prompting me for a Sign-on URL. Isn't WAAD supposed to manage the sign-on, the way it did under ACS? When I defended a website via ACS, the user was redirected to the ACS sign-in page, where they could choose from a list of IdPs for login. Why then, under WAAD, do I, the app developer, need to code a sign-on page? I'm pretty confused about this.

cdarrigo

1 Answer


WAAD does not replace ACS. WAAD is a single identity provider (IdP), whereas ACS can act as a Security Token Service (STS) for multiple IdPs, but is not itself an IdP. Think of ACS more as a broker that has taken some of the work out of integrating with some of the common identity providers out there (Facebook, Google, Yahoo, Live, etc) so that you as the application developer can code to one interface instead of multiple.

My suggestion would be to continue to use ACS as your single point of contact for federated identities and add WAAD as an additional IdP to those applications in your suite that require it. This is a pattern we follow in a number of our applications where we use ACS as the main STS and then expose one or more of the IdPs to an application depending on our needs.

As to your question about a custom IdP pointing to an on-premises user store, you might consider using Thinktecture Identity Server instead of rolling your own. You can expose Thinktecture Identity Server from ACS just as you would any other IdP in your suite.

Nathan
  • That's not what Microsoft is saying. http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – cdarrigo Apr 24 '14 at 16:43
  • What that article is talking about is their future plans. If you are writing an application today and need the ability to use multiple IdPs from a single point of contact you still need to use ACS. Apparently they plan to move those capabilities into WAAD, but they haven't yet. In my opinion the recommendation in that last sentence of that article is poorly worded and misleading. – Nathan Apr 24 '14 at 16:49
  • Considering that article is about a year old, it's unclear what the current state of WAAD vs ACS is. – cdarrigo Apr 24 '14 at 17:50
  • What @Nathan says is accurate -- Azure AD is your IdP; ACS is a broker between multiple IdPs. The features of ACS are being moved to AAD. When you register an application in AAD, you already have a tenant -- directory and tenant are synonymous. Upon registration, you are simply making AAD aware of your application so that it can handle authentication of users as an IdP. Sounds like you need to keep using ACS for your use case until the service is transitioned into AAD. – Sean Osterberg Apr 24 '14 at 19:11
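The broker pattern described in the answer and comments (ACS as the STS the relying party trusts, with Google, Facebook, WAAD or an on-premises IdP behind it) puts one security obligation on the application: it must validate the broker-issued token on every request rather than trust whatever arrives at the API. The following is an added example, not code from the question, the answer, or Microsoft; it is a relying-party check written in Python with only the standard library. The signing key, issuer URL, realm and the HS256-signed token are all constructed for the example (real ACS namespaces typically signed tokens with an X.509 certificate, which only changes the signature step); the identity-provider claim type used below is ACS's own claim name.

```python
import base64
import hashlib
import hmac
import json
import time

# ACS claim type that records which IdP the broker actually authenticated the user with.
IDP_CLAIM = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the broker (STS): an HS256-signed JWT carrying the claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


class TokenRejected(Exception):
    """Raised by the relying party when a presented token fails any check."""


def validate_token(token: str, key: bytes, trusted_issuer: str, realm: str, now=None) -> dict:
    """Relying-party side: accept only tokens the broker signed for this realm and that are unexpired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm before touching the signature so an attacker-chosen "alg" is never honoured.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")

    # Signature check over the exact header.payload bytes, in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    # Only the broker's namespace is a trusted issuer; the IdPs behind it are never trusted directly.
    if claims.get("iss") != trusted_issuer:
        raise TokenRejected("untrusted issuer")
    # The audience must be this relying party's realm, or a token minted for another app would be accepted.
    if claims.get("aud") != realm:
        raise TokenRejected("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired")
    # The broker tells us which IdP vouched for the user; an app can apply per-IdP policy on it.
    if IDP_CLAIM not in claims:
        raise TokenRejected("missing identity provider claim")
    return claims


def rejection_reason(token: str, key: bytes, trusted_issuer: str, realm: str, now=None):
    """Convenience wrapper: the rejection reason as a string, or None when the token is accepted."""
    try:
        validate_token(token, key, trusted_issuer, realm, now)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed values: a made-up namespace, realm and shared key.
    KEY = b"constructed-shared-signing-key"
    ISSUER = "https://example-namespace.accesscontrol.windows.net/"
    REALM = "https://api.example.test/"
    token = issue_token(
        {"iss": ISSUER, "aud": REALM, "exp": int(time.time()) + 600, "sub": "alice", IDP_CLAIM: "Google"},
        KEY,
    )
    accepted = validate_token(token, KEY, ISSUER, REALM)
    print("accepted user", accepted["sub"], "authenticated by", accepted[IDP_CLAIM])
    print("wrong realm ->", rejection_reason(token, KEY, ISSUER, "https://other.example.test/"))
```

The order of the checks matters: algorithm pinning and signature verification come first, so that no claim is read from a token the broker did not sign, and the issuer and audience checks are what prevent a token legitimately issued for a different relying party (or by a different STS) from being accepted here.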