BT
x Your opinion matters! Please fill in the InfoQ Survey about your reading habits!

MIX 09: Justin Smith on Azure Access Control Services

by Jean-Jacques Dubray on Mar 22, 2009 |

Justin Smith, Sr. Program Manager at Microsoft, presented the Azure Access Control Services. The problem that ACS is targeting is "identity proliferation". He explained that he has about 300 identities on the Web. In his opinion:

the demand to reuse digital identity is rising

He argued that the key elements of the solution to this problem are: Federation, Provisioning, Synchronization (of profile data) and Authorization.

ACS is a service hosted by Microsoft that externalizes the authorization policy for federated users. ACS is part of Microsoft's Identity and Access Control Services. However, ACS is a standalone service that operates in a "claims in, claims out" mode. In addition, ACS integrates with on premise software and servers via the "Geneva" brand. Geneva is specifically targeted for on premise federation and authorization. The big difference with ACS is that ACS is entirely "turnkey", scalable and Microsoft guarantees its uptime. ACS only supports a subset of Geneva's features.

ACS is also part of Microsoft's Cloud Services which include Windows LiveID and Microsoft's Federation Gateway. It will of course be possible to host a Geneva server in the Azure platform.

An ACS project is made up of scopes that are used to specify rules. Rules can be chained. ACS is basically a hosted Secure Token Service (STS) and as such it manages signing and encryption keys. ACS rules can be set up with a simple Web interface. They are currently working on an AtomPub API to manage the rules programmatically.

The service directly integrates Active Directory and other identity infrastructures, with minimal coding.

ACS supports the following credentials:

  • Windows Live IDs
  • X.509 certificates
  • Traditional user names and passwords
  • Managed card and personal cards

ACS can however work with any identity. John Shewchuck, Technical Fellow at Microsoft, showed in a presentation earlier that day where he used .Net services in a Web application built from non-Microsoft technologies, namely, JQuery for the AJAX front-end, and Python deployed on Google App Engine. In this demo, John showed how people could login with their Google, Yahoo, Facebook or LiveID identities using the ACS to use this application.

Justin concluded his talk with 5 "Cool Access Control Tricks" that you can implement with ACS:

  1. Share a private Warcraft guild page with friends at Facebook/Yahoo in 2 lines of code
  2. Sell ad space in games and unable subleasing
  3. Give enterprise users automatic access to our python-based training application
  4. Generate access control reports across multiple applications and roles
  5. Give my friends permission to let their friends access our party pictures

 

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT