I'm building a web service on Azure. I need to authenticate the users preferably with usernames and passwords in my database, but to be honest, I'll do it with the easiest and simplest way. Azure is pretty easy to use and I'm not sure why I'm struggling to find and documentation on how to secure my web service. Can anyone offer any advice?
In case you want to authenticate users with username and password I'd give MembershipProvider a try.
Using ASP.NET Membership Provider authentincation in a WCF service
Search for wcf security. Azure will just host your service, but the development part is up to you.
Take a look at this msdn links:
http://msdn.microsoft.com/en-us/library/aa354513.aspx
http://msdn.microsoft.com/en-us/library/ff405740.aspx
Related
Would like to know how I can enable my wcf web service to provide encryption and authenication? Currently, my web service is connected to Azure(ACS) and ask the identity provider for authentication checking, I can implement the ssl tunneling for getting username and password. but how I can get the acs token and perform SSO? I want to know any current implementation or is there any good example to follow?
Many thanks,
Mike
There is a codeplex project with some great documentation.
http://acs.codeplex.com/documentation
When you mention SSO, I'm assuming you mean federated authentication with active directory. If so, there's a sample project available on MDSN with an example.
http://msdn.microsoft.com/en-us/library/hh127796.aspx
lot's of useful information and samples here http://msdn.microsoft.com/en-us/library/windowsazure/gg185912.aspx
I'm building an Azure-hosted WCF service that I'd like to secure with ACS using credentials stored in an SQL Server database. I've looked at a bunch of ADFS2 examples but have yet to figure out how to do this. I'm sure I'm missing something obvious here so any advice would be greatly appreciated. Thanks...
You should be able to create your own STS, like this:
http://dotnet.dzone.com/news/5-minutes-wif-make-your-aspnet
Just add in the code to look your user up.
This post discusses how to create the federation metadata required to add the STS to the Azure Access Control Service:
WIF manually generate federationmetadata.xml
In your original project, you should then be able to add the Access Control Service as the STS, and if everything is set up correctly, you'll see your new STS.
If you want to use ACS (not clear in your post why you need it though), you need to have your WCF service trust ACS and then configure ACS to trust an STS that can authenticate users agaist SQL. You cannot use ADFS for that as it currently only supports authentication with AD.
Your options are varied, but the simplest would be to create your own STS as Richard mentions, or use one that already does that like StarterSTS or the more moder Identity Server in CodePlex (both open source and contributed by Dominick Baier from Thinktecture).
The question though remains: why you need ACS? The simplest solution would be to have your WCF service trust the (SQL backed) STS directly.
Here are some examples of when ACS would be useful:
You need to trust eventually more than 1 Identity provider
The claims your service expects are not supplied by the identity provider (you need transformation/augmentation of claims).
You need token translation (e.g. SWT -> SAML)
Anyone know of a service oriented membership provider / service? I’m looking for a hosted solution that provides user registration and authentication services. Basically I don’t want to deal with managing user credentials for my applications. I’d rather leave that to a service that specializes in that. Anything like that out there?
Well, you can just use OpenId: http://openid.net/
OpenID or Facebook Connect suitable for your project?
I'd like to write a mobile location based application (iPhone, Andorid and BlackBerry) that will get and post data to my web server (hosted on Azure IIS) via WCF restful services.
What is the best way to authenticate my users?
REST authentication can be done custom (like API key auth), or using something like Basic Auth or OAuth. It depends slightly on the interaction you want. You can certainly use ACS to pretty easily secure a REST based service. However, this depends again on what you think you will have in terms of interaction.
As a starting point, I would look here at least (http://acs.codeplex.com/) to see how to use ACS and get started.
I'm doing something similar and I'm using encrypted tokens in my headers.
I'm sure there's a "standard" way of doing that sort of thing, but it was a lot easier just doing it myself.
Basically just using a shared secret to encrypt and a bit of:
WebOperationContext.Current.OutgoingResponse.Headers.Add("sec-token", WebSecurity.CreateToken(blah));
and
string inputToken = WebOperationContext.Current.IncomingRequest.Headers["sec-token"];
I have multiple NET.TCP services that provide access to my apps bussiness logic layer. I want to authenticate clients with username & password, within all the services, from one dedicated authentication service.
I have thinked that I can generate a custom authentication ticket when the authentication service logons the user and send it to other services. However when talking about security I prefer to use builtin implementations that have been already tested.
Is there a more WCF way to do this? Should I ever try this, or share the authentication logic and authenticate every service?
Thanks in advance
Yes, the (new) WCF way to do this is to use a (or implement your own) security token service based on the windows identity foundation framework.