MIX 09: Justin Smith on Azure Access Control Services
Justin Smith, Sr. Program Manager at Microsoft, presented the Azure Access Control Services. The problem that ACS is targeting is "identity proliferation". He explained that he has about 300 identities on the Web. In his opinion:
the demand to reuse digital identity is rising
He argued that the key elements of the solution to this problem are: Federation, Provisioning, Synchronization (of profile data) and Authorization.
ACS is a service hosted by Microsoft that externalizes the authorization policy for federated users. ACS is part of Microsoft's Identity and Access Control Services. However, ACS is a standalone service that operates in a "claims in, claims out" mode. In addition, ACS integrates with on premise software and servers via the "Geneva" brand. Geneva is specifically targeted for on premise federation and authorization. The big difference with ACS is that ACS is entirely "turnkey", scalable and Microsoft guarantees its uptime. ACS only supports a subset of Geneva's features.
ACS is also part of Microsoft's Cloud Services which include Windows LiveID and Microsoft's Federation Gateway. It will of course be possible to host a Geneva server in the Azure platform.
An ACS project is made up of scopes that are used to specify rules. Rules can be chained. ACS is basically a hosted Secure Token Service (STS) and as such it manages signing and encryption keys. ACS rules can be set up with a simple Web interface. They are currently working on an AtomPub API to manage the rules programmatically.
The service directly integrates Active Directory and other identity infrastructures, with minimal coding.
ACS supports the following credentials:
- Windows Live IDs
- X.509 certificates
- Traditional user names and passwords
- Managed card and personal cards
ACS can however work with any identity. John Shewchuck, Technical Fellow at Microsoft, showed in a presentation earlier that day where he used .Net services in a Web application built from non-Microsoft technologies, namely, JQuery for the AJAX front-end, and Python deployed on Google App Engine. In this demo, John showed how people could login with their Google, Yahoo, Facebook or LiveID identities using the ACS to use this application.
Justin concluded his talk with 5 "Cool Access Control Tricks" that you can implement with ACS:
- Share a private Warcraft guild page with friends at Facebook/Yahoo in 2 lines of code
- Sell ad space in games and unable subleasing
- Give enterprise users automatic access to our python-based training application
- Generate access control reports across multiple applications and roles
- Give my friends permission to let their friends access our party pictures