1.1. Provisioning Your ACS Account
To use ACS, you have to first create an ACS account from the AppFabric developer portal at http://netservices.azure.com.
The provisioning process has changed over the past year from limited
early adopter access through tokens to direct commercial access. The
AppFabric developer portal directs you appropriately to create new
accounts. For the purpose of this exercise, I'm using my own account;
but for you to use ACS, you must create your own ACS account. During
the provisioning process, you may be asked to create a new project in
your account.
1.2. Creating a Service Namespace
In the new ACS account, you can
create a new service namespace. In the following examples, I use a
namespace named proazure-1 that I created at the beginning of the article. You must create your own service namespace and modify the code
accordingly to make it work with your ACS account. Figure 3 shows the service namespace page for the proazure-1 service namespace.
1.3. Designing the Relying Party Claims
When you design a
claims-based identity model, one of the important design tasks you must
complete is designing claims for the relying party. The relying party
is the web service or web application that you want to protect using a
claims-based identity model. Most web services and web applications
already have some kind of role-based authorization model that defines
privileges for end users. In most cases, the role-based authorization
model can be easily transformed into a claims-based model by converting
the roles to claims; you can keep the privileges the same as in the
role-based authorization model. One advantage of moving to the
claims-based identity model is that you can remove the end user
authentication from your web application. Your web service or web
application processes the tokens issued by ACS and validates the claims
issued by ACS regardless of the authentication method used to
authenticate the end user.
For the ACSMachineInfo web service, Table 7-1
defined the claims expected in the token when an end user accesses the
web service. Only two roles are defined: User and Administrator. The
Administrator can access all the methods, whereas the User can access
only three out of four methods. The web service should not allow any
User role to access the EncodeString() method.
NOTE
To keep the example focused on ACS concepts, it is deliberately simple. You can
extend it to cover more complex web service scenarios.
1.4. Designing ACS Rules to Map Input Claims to Output Claims
After you design the claims
for your web service, you need to design the input and output claims
for ACS. In this example, I use only one input token issuer, so the
design of the mapping is simple; complex scenarios can have multiple
input claims from multiple issuers that need to be mapped to a single
set of output claims expected by the relying party. This example maps
the input claim type group to the output claim type action. Table 2 lists the input claim types and values with their corresponding output claim types and values.
Table 2. Claims Mapping
Input Claim Type | Input Claim Value | Output Claim Type | Output Claim Value
---|---|---|---
group | user | action | getmachinename
group | user | action | getuserdomainname
group | user | action | getosversion
group | admin | action | encodestring
If you're using multiple input token issuers, you have one table for each provider that maps input claims to output claims.
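The mapping and the relying-party check described above, as an added example that is not the ACSMachineInfo code or any ACS library: one rule table per trusted issuer mirroring the rows of Table 2, the issuer name "proazure-idp" and the method names being assumptions for illustration. It also shows the two edge cases the rules imply: claims from an issuer with no rule table yield nothing, and the relying party authorizes on the ACS-issued action claim only, never on the original group claim.

```python
from typing import Dict, List, Set, Tuple

Claim = Tuple[str, str]  # (claim type, claim value)

# Constructed rule tables, one per input token issuer, keyed by
# (input type, input value) -> set of (output type, output value).
# Rows mirror Table 2; the issuer name "proazure-idp" is an assumption.
RULES: Dict[str, Dict[Claim, Set[Claim]]] = {
    "proazure-idp": {
        ("group", "user"): {("action", "getmachinename"),
                            ("action", "getuserdomainname"),
                            ("action", "getosversion")},
        ("group", "admin"): {("action", "encodestring")},
    },
}

# Action claim each relying-party method requires (method names assumed).
METHOD_ACTIONS: Dict[str, str] = {
    "GetMachineName": "getmachinename",
    "GetUserDomainName": "getuserdomainname",
    "GetOSVersion": "getosversion",
    "EncodeString": "encodestring",
}


def map_claims(issuer: str, input_claims: List[Claim]) -> Set[Claim]:
    """Apply the issuer's rules and return the output claims for the token.
    An unknown issuer or an input claim with no matching rule contributes
    nothing: input claims are never passed through unmapped."""
    issuer_rules = RULES.get(issuer, {})
    output: Set[Claim] = set()
    for claim in input_claims:
        output |= issuer_rules.get(claim, set())
    return output


def is_authorized(output_claims: Set[Claim], method: str) -> bool:
    """Relying-party check: the caller may invoke `method` only if the
    token carries the matching action claim issued by ACS."""
    required = METHOD_ACTIONS.get(method)
    return required is not None and ("action", required) in output_claims


if __name__ == "__main__":
    token = map_claims("proazure-idp", [("group", "user")])
    print(is_authorized(token, "GetOSVersion"))   # True
    print(is_authorized(token, "EncodeString"))   # False
```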
1.5. Creating ACS Resources (Token Policy, Scope, Issuer, and Rules)
After you've identified the
claims, you can create the ACS objects using the ACS Management
service. You can either use Acm.exe or the AC Management browser tool.
To use Acm.exe, first configure the Acm.exe.config file to point to
your service namespace. If you don't do that, then you must specify the
service namespace and the management key for every Acm.exe execution.
Open Acm.exe.config, and configure the service namespace and management key as shown in Listing 1.
Example 1. Acm.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="host" value="accesscontrol.windows.net"/>
    <add key="service" value="{Enter your service namespace name here}"/>
    <add key="mgmtkey" value="{Enter your management key here}"/>
  </appSettings>
</configuration>
After configuring
Acm.exe, you can use it to create ACS resources. When you configure ACS
resources for the first time, you must create the resources in the
following order because of their dependencies on each other: token
policy, scope, issuer(s), rules.