ACS Challenges – SSO, Identity Flow, and Authorization
Published: April 7, 2011
Updated: February 28, 2013
Applies To: Windows Azure
This topic outlines common challenges and solution approaches related to single sign-on (SSO), identity flow, and authorization in distributed cloud applications.
Consider the following schematic diagram for a canonical scenario of the distributed application.
The following are key characteristics for this canonical scenario.
The end user can have existing identities managed by industry identity providers, such as Windows Live ID (Microsoft account), Google, Yahoo!, Facebook, or enterprise Active Directory.
The end user interacts with the system that requires authentication and authorization via a web browser, or a rich client.
A web application might interact with downstream web services that require authentication and authorization.
There are several common security challenges related to the scenario. Consider the following:
How to externalize authentication for web applications?
How to externalize authentication for web services?
How to use Internet credentials with different applications?
How to use enterprise credentials with different applications?
How to flow a security context through physical tiers?
How to transform a user identity for further fine-grained claims-based authorization?
How to interoperate with others?
How to secure communications?
How to automate management?
Windows Azure Active Directory Access Control (also known as Access Control Service or ACS) provides a solution to these challenges. Using open standards and protocols, such WS-Federation, WS-Trust, SAML, OAuth 2.0, and SWT ACS enables users to build cloud and on-premise applications that can securely interoperate with multiple identity providers as depicted in the following:
To learn more about the ACS architecture and key components, see ACS Architecture.
ConceptsScenarios and Solutions Using ACS