Windows Azure : Access Control Service - Concepts and Terminology

1. Identity Provider

An identity provider manages your identity and provides an authentication service for client applications. Identity providers authenticate users and issue Security Assertions Markup Language (SAML) tokens (defined in a moment). SAML tokens contain user IDs and other identity properties of the user (claims). Examples of some identity providers are Windows Live ID, Geneva Server, Google Accounts, Yahoo ID, and Sun.

2. Relying Party

The relying party is the application that relies on the claims issued by ACS to authorize a user and release appropriate access to the user. As a developer, you're primarily concerned with developing a relying party application that receives a SAML token filled with claims from ACS. You then process these claims in the relying party to provide appropriate access to the end user.

3. Security Token (SAML token)^[]

^[] You can find the SAML token profile at the WS-I web site: www.ws-i.org/deliverables/workinggroup.aspx?wg=samltoken.

A SAML token is an XML message consisting of sets of claims digitally signed by the issuing authority. The token is issued by a Secure Token Service (STS). The ACS and relying party both process claims from SAML tokens.

4. Secure Token Service (STS)

An STS is a subsystem responsible for building, signing, validating, cancelling, renewing, and issuing SAML tokens. An STS may support one or more of these features. It typically implements the protocol defined in the WS-Trust specification. Identity providers and ACS both have STS capabilities.

An R-STS is a resource STS that acts as an intermediate claims-transformation service to transform input claims from a partner STS to output claims specific to your application. This model is popular in extranet and cross-enterprise applications. ACS is an R-STS because it transforms input claims from identity providers to output claims. You can build your own STS and R-STS using Microsoft's Geneva Framework.

5. Request for Security Token (RST)

Every relying party requires a unique set of claims it can process. RST is the request made to an STS to acquire these claims to an STS. For example, a requestor may make this request to ACS to acquire claims for a relying party.

6. Request Security Token Response (RSTR)

The response sent by an STS to the RST is called an RSTR. This request contains the SAML token with claims signed by the STS.

7. Claim

A claim consists of information about the user or role interested in accessing an application (or relying party). A claim can have any information about the user depending on the configuration of the identity provider and ACS. A typical ACS scenario involves three kinds of claims:

• User claims: When a user sends a request for a security token to ACS, the request contains claims like the username, password, domain name, and so on, which are usually required for authentication.

• Input claims: When the user is authenticated with the identity provider, the identity provider issues a SAML token. The SAML token usually contains input claims to the ACS. These input claims may contain user claims as well as additional claims introduced by the identity provider in the SAML token.

• Output claims: ACS examines the input claims from the SAML token issued by the identity provider and maps them to output claims. ACS translates input claims into application- (or relying party–) specific output claims and includes them in the token that the relying party can use to authorize users and give appropriate access. For example, an input claim "Username: tejaswi_redkar" may map to an output claim "Role: Domain User." The relying party reads the Role as Domain User and provides Domain User privileges to the user. Input claims are mapped to output claims as a part of ACS configuration exercise covered later in this chapter.

8. Identity Federation

Identity federation is a set of mechanisms, standards, and patterns that define different ways of sharing identity information between domains. It reduces identity-maintenance costs and also simplifies software development because you don't have to design and maintain a separate identity store within the application. Federated identities also ease single sign-on between applications running in different domains and/or enterprises.

9. Windows Identity Foundation (Geneva Framework)

The Windows Identity Foundation is a Microsoft product used to create claims-based applications and services. You can build your own STS using the Windows Identity Framework if existing products don't fulfill your application requirements. The Windows Identity Framework simplifies the development of cross-domain security scenarios. It provides a framework for building passive (web browser-based) as well as active (Windows Communications Foundation) clients that support identity federation across a wide variety of clients and servers. ACS uses the Geneva Framework to provide STS capabilities. Geneva Server, Microsoft's next-generation claims-based identity federation server, is also built using the Geneva Framework.

10. Active Directory Federation Server (ADFS 2.0) (Geneva Server)

Geneva Server is a Microsoft product that provides STS functionality to Active Directory or any identity provider. It's the next version of Active Directory Federation Services (ADFS) and supports a claims-based identity model. It enables the creation of single sign-on between on-premises and cloud applications using the claims-based identity model. By definition, Geneva Server implements the protocol defined in the WS-Trust specification and so provides interoperability with other products like Sun OpenSSO and Novell Access Manager. Geneva Server supports not only passive clients like web browsers but also active stand-alone clients built using the Windows Communications Foundation (WCF).

11. Web Resource Authorization Protocol (WRAP) and Simple Web Token (SWT)

ACS implements the REST-friendly Web Resource Authorization Protocol (WRAP) that defines the Simple Web Token standard. The token issued by ACS adheres to the SWT specification, which you can find in the WRAP profiles on the OAuth web site at http://groups.google.com/group/oauth-wrap-wg. SWT tokens are HTTP form encoded key-value pairs signed with an HMAC-SHA256 cryptographic key. ACS always emits an SWT for different types of input tokens (such as SAML), so the relying party can always expect an SWT from ACS.