Saturday, January 4, 2014

Securing a Web Service with Azure ACS

The Identity and Access Add-In to Visual Studio does a great job of securing a web site with a variety f mechanisms including Azure ACS.  I was bitterly disappointed to find it did not offer the same ability for a Web Service.  

In the end my salvation came by using the Sentinet Service Repository which does allow me to virtualize the web service and can include authentication with ACS.  It does so using binding configuration and this extract does the job of providing ACS authentication.  Note that you need to be using HTTPS protocol.

I've not had a chance yet to add this directly to a web service to see if it works.  My hope is that just adding it will be enough and then all I need to do is pass in the user name and password when I call the web service.  What ACS will do is produce a SAML token which will be encrypted within the SOAP message. 

    <binding name="IssuedToken">
      <security authenticationMode="IssuedToken">
          <issuerMetadata address="" />
          <issuer address="" binding="ws2007HttpBinding" bindingConfiguration="AcsBinding" />
      <httpTransport />
    <binding name="AcsBinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="false" />

No comments: