Single Sign-On using Azure ACS

Category: Research and Development
Author: Deepak Bhatia
Published on: July 07, 2011

Introduction

Single sign-on (SSO) is an authentication mechanism that allows a user to access multiple related or unrelated applications using one logon account. With this authentication mechanism in place, a user, once authenticated, can access multiple applications without being prompted to log in again.

Windows Azure Access Control Service (ACS) is an Azure service that provides an out-of-the-box solution for web applications and web services to support authentication and authorization. ACS removes the burden of implementing authentication and authorization from website and web service developers. ACS integrates with standard authentication providers like Google, Yahoo!, Facebook, and Windows Live ID to provide single sign-on.

Problem

User View

In this ever-growing world, which is increasingly dominated by the internet, people use many web applications to accomplish their tasks. For example, I use Hotmail for my personal mail, Exchange hosted on Azure for my office mail, Flipkart.com for purchasing books online, an insurance website for paying the premiums of my policies online, and the list only gets longer every other day. So obviously I have this many accounts, and each has its own set of credentials. But there is a big problem: I have to remember all of these credentials before I authenticate myself on each of these websites. It is surely very tedious to keep track of the credentials for all these sites. And things become worse when some of these websites require changing passwords after a specific period.

Developer View

Most applications require some kind of authentication and authorization. Although it is not business logic, most applications have custom authentication and authorization logic. In the absence of a solid authentication framework, developers have to repeat this task with every application.

Solution

Ideally, a user should only need to identify herself once. Once she has authenticated her identity, she should be allowed to access every authorised resource across the web. This is where ACS orchestrates various identity providers to provide this single sign-on functionality.

When a website integrates with ACS, the user of the application must obtain a security token issued by ACS. ACS issues a security token to the user only once she authenticates herself with a standard authentication provider such as Google, Yahoo!, Facebook, or Windows Live ID. The same concept can be used to authenticate a user on a web service. Developers can use this standard out-of-the-box solution from Azure as-is in their applications after making a few configuration changes in the application config file and configuring ACS on Azure. The configuration steps are very simple and well documented at MSDN. In addition, ACS provides a management service that focuses on authorizing the user to access various resources in the application once she is authenticated. Again, authorization can be incorporated into the application after making a few configuration changes in the application config file.
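The checks an application should make before trusting such a token, as an added example that is not part of the original article or of ACS itself. It assumes the application receives a Simple Web Token (SWT) signed with a shared HMAC-SHA256 key, a format the article does not specify; the namespace, application URL, key and the issue_demo_token helper are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote

# Constructed values; real ones come from the application's setup in ACS.
TRUSTED_ISSUER = "https://example-ns.accesscontrol.windows.net/"
EXPECTED_AUDIENCE = "https://app.example.com/"
SIGNING_KEY = b"constructed-demo-key-not-a-secret"
SIG_MARKER = "&HMACSHA256="

def _mac(unsigned, key):
    return hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()

def issue_demo_token(claims, key=SIGNING_KEY):
    """Hypothetical stand-in for the token issuer, used only to build sample input."""
    unsigned = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                        for k, v in claims.items())
    sig = base64.b64encode(_mac(unsigned, key)).decode()
    return unsigned + SIG_MARKER + quote(sig, safe="")

def validate_token(token, now=None):
    """Return the claims if every check passes, else raise ValueError."""
    unsigned, marker, sig = token.rpartition(SIG_MARKER)
    if not marker:
        raise ValueError("token is not signed")
    presented = base64.b64decode(unquote(sig), validate=True)
    # Verify the signature in constant time before trusting any field.
    if not hmac.compare_digest(presented, _mac(unsigned, SIGNING_KEY)):
        raise ValueError("signature mismatch")
    pairs = parse_qsl(unsigned, keep_blank_values=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate field")
    if claims.get("Issuer") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    # A token minted for another application must not be accepted here.
    if claims.get("Audience") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    # Constructed sample token, valid for five minutes.
    sample = issue_demo_token({"nameidentifier": "user-123", "Issuer": TRUSTED_ISSUER,
                               "Audience": EXPECTED_AUDIENCE,
                               "ExpiresOn": int(time.time()) + 300})
    print(validate_token(sample))
```

The audience check is the one that matters most for single sign-on: the same issuer signs tokens for many applications, so a valid signature alone does not show the token was meant for this one.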

ACS integrates with applications as shown in the figure below:

[Figure: ACS integration with applications]

Conclusion

In the expanding world of the web, Azure ACS provides some very cool features to improve the user experience on the web and to remove the burden on developers of implementing custom authentication and authorization features in their applications.
