ACS Federation question - wcf

I'm building an Azure-hosted WCF service that I'd like to secure with ACS using credentials stored in an SQL Server database. I've looked at a bunch of ADFS2 examples but have yet to figure out how to do this. I'm sure I'm missing something obvious here so any advice would be greatly appreciated. Thanks...

You should be able to create your own STS, like this:
http://dotnet.dzone.com/news/5-minutes-wif-make-your-aspnet
Just add in the code to look your user up.
This post discusses how to create the federation metadata required to add the STS to the Azure Access Control Service:
WIF manually generate federationmetadata.xml
In your original project, you should then be able to add the Access Control Service as the STS, and if everything is set up correctly, you'll see your new STS.

If you want to use ACS (not clear in your post why you need it though), you need to have your WCF service trust ACS and then configure ACS to trust an STS that can authenticate users agaist SQL. You cannot use ADFS for that as it currently only supports authentication with AD.
Your options are varied, but the simplest would be to create your own STS as Richard mentions, or use one that already does that like StarterSTS or the more moder Identity Server in CodePlex (both open source and contributed by Dominick Baier from Thinktecture).
The question though remains: why you need ACS? The simplest solution would be to have your WCF service trust the (SQL backed) STS directly.
Here are some examples of when ACS would be useful:
You need to trust eventually more than 1 Identity provider
The claims your service expects are not supplied by the identity provider (you need transformation/augmentation of claims).
You need token translation (e.g. SWT -> SAML)

Related

Azure WCF Validation

I'm building a web service on Azure. I need to authenticate the users preferably with usernames and passwords in my database, but to be honest, I'll do it with the easiest and simplest way. Azure is pretty easy to use and I'm not sure why I'm struggling to find and documentation on how to secure my web service. Can anyone offer any advice?
In case you want to authenticate users with username and password I'd give MembershipProvider a try.
Using ASP.NET Membership Provider authentincation in a WCF service
Search for wcf security. Azure will just host your service, but the development part is up to you.
Take a look at this msdn links:
http://msdn.microsoft.com/en-us/library/aa354513.aspx
http://msdn.microsoft.com/en-us/library/ff405740.aspx

Thinktecture Identity server vs Authorization server

I am researching on this topic last weeks and unfortunately I can't figure out. I understand the difference between authentication and authorization.
I will appreciate any guidance on the topic.
What I need as general is to implement single sign on for several web sites which are driven with apis which also should handle authentication. The users should be able to register/login with username/pass or respectively through any third party service like facebook, google+, twitter etc.
In the scenario above what is the better approach? Should I use only identity server, or only authorization server or both?
Thank you in advance.
Start with IdentityServer - this is your identity management system.
AuthorizationServer in addition is a full featured OAuth2 implementation that can use IdentityServer as a user store.
http://leastprivilege.com/2013/06/16/relationship-between-identityserver-and-authorizationserver/
Your scenario is more like Authentication which is confirming the identity of the user. On the other hand Authorization is if a person or if a role can execute some operation.
When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features ase now included in IS.

Using ACS as a service with custom identity provider

We are working in an iOS application and we use back-end in azure. We have 2 types of login, one is Facebook login (using Fb as identity provider) and the other will be login directly to our system.
We decided to use ACS but we had a bunch of technical problems. My question is is it possible to create custom identity provider, which will be a service (for example WCF or WEB API) to generate a token that we pass the ACS to get the claim token. Does ACS support that kind of service interface? If so what what is the practice of generating tokens in our custom identity provider?
Thanks in advance,
Deuce
ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF, to get started there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.

How to secure the wcf web service with the use of ACS(Azure)

Would like to know how I can enable my wcf web service to provide encryption and authenication? Currently, my web service is connected to Azure(ACS) and ask the identity provider for authentication checking, I can implement the ssl tunneling for getting username and password. but how I can get the acs token and perform SSO? I want to know any current implementation or is there any good example to follow?
Many thanks,
Mike
There is a codeplex project with some great documentation.
http://acs.codeplex.com/documentation
When you mention SSO, I'm assuming you mean federated authentication with active directory. If so, there's a sample project available on MDSN with an example.
http://msdn.microsoft.com/en-us/library/hh127796.aspx
lot's of useful information and samples here http://msdn.microsoft.com/en-us/library/windowsazure/gg185912.aspx

Authentication when using Security Token Service

I have created a Security Token Service (STS), an service with a reference to the STS and an example desktop application.
This works as expected when using Windows authentication and Message security, a token is retrieved from the STS and the service method is called successfully. The service returns a string containing the current users identity, which returns my AD username.
I have a requirement however to authenticate against a database rather than AD. I have tried creating a CustomUserNameValidator (in the STS, is this the correct place?) and referencing it in the web.config. I then provide the credentials as shown below.
SampleServiceReference.SampleServiceClient client = new SampleServiceReference.SampleServiceClient();
client.ClientCredentials.UserName.UserName
= "alex";
client.ClientCredentials.UserName.Password
= "pass";
I believe the certificates are set up correctly (all using 'localhost'), however I receive the following exception when calling the service:
System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
Whatever I try seems to fail. Is what I am describing even possible? Does the service client also pass the client credentials through to the STS, or am I completely misunderstanding what is happening here?
This stackoverflow question is similar, however I have checked the audience URL and it seems ok. WIF STS ID3242
Has anyone got any advice on how I can achieve custom authentication when using a STS?
Update: the code samples referenced below are not available anymore (Codeplex doesn't exist). The book download does and it is here: https://www.microsoft.com/en-us/download/details.aspx?id=28362
There's a simple example of what you need here: http://claimsid.codeplex.com
Look at either sample 8 or 4.
Small clarification though. The username/password authentication is on the STS, not on your service. Your service will authenticate with a security token obtained from the STS.
Have a look at StarterSTS.
The full source code is provided and it authenticates against the standard aspnetdb roles based SQL DB. There are a number of videos to help you get it up and running.
This project was then turned into ASP MVC - IdentityServer. This isn't quite as mature wrt the help files etc.