Using Access Control Service for Identity Federation
October 17, 2011
The Windows Azure Platform is full of goodies. Some are at the heart of the conversation – Web Roles, Worker Roles, SQL Azure, the fabric controller – these form a part of pretty much every conversation. Some are often mentioned, but usually in very little detail – the Marketplace, for example, or the Service Bus or the Caching capabilities.
Another topic I find I often end up glossing over in conversations is the Access Control Service. Not because it isn’t useful or important (it is), but simply because the platform is so big and there’s only so much one can cover in any one conversation. Federated identity is something I’m quite passionate about, and I just love the Windows Identity Foundation, so the Access Control Service is bound to be something close to my heart.
The Access Control Service is seemingly a fairly simple offering. On its own, in most circumstances, it does not really do much per se; coupled with the Windows Identity Foundation and the .NET Framework, however, it enables federated identity scenarios (think single sign-on within, as well as across, organizations) easily, reliably and securely.
Using ACS, you can take any web application and, in just a few clicks, allow users to authenticate to it using all the major public identity providers (Windows Live ID, Yahoo!, Google and Facebook) as well as, if you have ADFS, your corporate identity, or, if you need to, any other custom Security Token Service that supports industry standards.
Want proof? Take a look at this walkthrough, which shows how to enable a web site to use Google ID.
As a developer, ACS takes away the need to build an authentication mechanism, store passwords, build password-reset capabilities and all of that; you simply leverage other identity providers. All that’s left for you to do is enhance what you are given with your own profile information (some of these providers will only give you a GUID for that user, so no personal information is shared, which is a good thing!).
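To make the "enhance what you are given" step concrete, here is an added example (not code from the original post or from the ACS samples) of how a web application keys its own profile store off the claims ACS hands it. It assumes the `System.Security.Claims` types that .NET 4.5 absorbed from the Windows Identity Foundation, so it compiles without the separate WIF SDK, and the in-memory `Profiles` dictionary is a hypothetical stand-in for a real profile store. The security-relevant detail it shows is that the `nameidentifier` claim is only unique within the identity provider that issued it, so the profile key must include the `identityprovider` claim ACS adds to every token it issues.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example: mapping ACS-issued claims to a local application profile.
public static class AcsProfileMapping
{
    // Standard nameidentifier claim type (WIF's ClaimTypes.NameIdentifier).
    public const string NameIdentifier =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

    // Claim ACS adds to each token it issues, naming the upstream identity provider.
    public const string IdentityProvider =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    public class Profile
    {
        public string DisplayName;
        public DateTime FirstSeen;
    }

    // Hypothetical profile store, keyed on (identity provider, nameidentifier).
    private static readonly Dictionary<string, Profile> Profiles =
        new Dictionary<string, Profile>();

    // A nameidentifier is only unique within the provider that issued it. Keying on
    // it alone would let a user of one provider be handed the profile of a user of
    // another provider whose identifier happens to have the same value.
    public static string ProfileKey(ClaimsIdentity identity)
    {
        Claim idp = identity.FindFirst(IdentityProvider);
        Claim nameId = identity.FindFirst(NameIdentifier);
        if (idp == null || nameId == null)
            throw new InvalidOperationException(
                "token is missing the identityprovider or nameidentifier claim");
        return idp.Value + "|" + nameId.Value;
    }

    public static Profile GetOrCreateProfile(ClaimsIdentity identity)
    {
        string key = ProfileKey(identity);
        Profile profile;
        if (!Profiles.TryGetValue(key, out profile))
        {
            // First visit: the provider gave us nothing but an identifier, so the
            // application starts an empty profile the user can fill in later.
            profile = new Profile { DisplayName = "(not set)", FirstSeen = DateTime.UtcNow };
            Profiles[key] = profile;
        }
        return profile;
    }

    public static void Main()
    {
        // Constructed sample claims standing in for what ACS would issue for two
        // users at different providers who happen to share an identifier value.
        var fromLiveId = new ClaimsIdentity(new[]
        {
            new Claim(IdentityProvider, "uri:WindowsLiveID"),
            new Claim(NameIdentifier, "abc123"),
        });
        var fromGoogle = new ClaimsIdentity(new[]
        {
            new Claim(IdentityProvider, "Google"),
            new Claim(NameIdentifier, "abc123"),
        });

        Profile a = GetOrCreateProfile(fromLiveId);
        Profile b = GetOrCreateProfile(fromGoogle);

        Console.WriteLine(ProfileKey(fromLiveId));                 // uri:WindowsLiveID|abc123
        Console.WriteLine(ProfileKey(fromGoogle));                 // Google|abc123
        Console.WriteLine(ReferenceEquals(a, b) ? "SAME profile" : "distinct profiles");
    }
}
```

The same rule applies whatever claim the provider uses as its stable identifier: treat the (provider, identifier) pair as the user's identity, and never let a claim that one provider controls (such as an e-mail address) select a profile created through another provider.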
So using ACS can be a great relief for anyone building a public web site: it saves you a lot of work and saves your users the need to remember yet another set of credentials. The support for ADFS means you can also protect your web assets with your corporate identity, no matter where they are deployed (your data centre, someone else’s data centre or the public cloud), and, considering the consumerization of IT trend, allowing users access to enterprise applications using external identities in a managed way may not be a bad thing either.