ACS Challenges – SSO, Identity Flow, and Authorization

Updated: June 19, 2015

Applies To: Azure

Summary

This topic outlines common challenges and solution approaches related to single sign-on (SSO), identity flow, and authorization in distributed cloud applications.

Scenario

Consider the following schematic diagram of a canonical distributed application scenario.

The following are key characteristics for this canonical scenario.

[Figure: ACS challenge scenario diagram]

  • The end user can have existing identities managed by industry identity providers, such as Windows Live ID (Microsoft account), Google, Yahoo!, Facebook, or enterprise Active Directory.

  • The end user interacts with the system that requires authentication and authorization via a web browser or a rich client.

  • The end user interacts with the system that requires authentication and authorization via a rich client running on a desktop, on a smartphone, or inside a browser (such as Silverlight or JavaScript).

  • A web application might interact with downstream web services that require authentication and authorization.

Challenges

There are several common security challenges related to the scenario. Consider the following:

  • How to externalize authentication for web applications?

  • How to externalize authentication for web services?

  • How to use Internet credentials with different applications?

  • How to use enterprise credentials with different applications?

  • How to flow a security context through physical tiers?

  • How to transform a user identity for further fine-grained claims-based authorization?

  • How to interoperate with others?

  • How to secure communications?

  • How to automate management?

Solution Approach

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) provides a solution to these challenges. Using open standards and protocols such as WS-Federation, WS-Trust, SAML, OAuth 2.0, and SWT, ACS enables users to build cloud and on-premises applications that can securely interoperate with multiple identity providers, as depicted in the following diagram:

[Figure: ACS solution diagram]

To learn more about the ACS architecture and key components, see ACS Architecture.

See Also

Concepts

Scenarios and Solutions Using ACS