Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Content Map

 Subscribe for updates by RSS
 Send to friend by Email
 Share on Facebook 

***Update: ACS content is live on MSDN and can be quickly accessed using human friendly URL - http://msdn.com/acs

---

This article is a collection of resources that will help you to get up and running with Windows Identity Foundation (WIF) and Windows Azure AppFabric Access Control Service (ACS) v2.

Think of it as of a map that helps you navigate WIF and ACS terrain.

Below is the Table of Contents  (TOC) to help you better navigate through the resources. The content organized the way that simplifies the task of finding the answer. You do not have to parse through the whole article – skim through the TOC and find relevant section.

• Getting Started
  • What is it?
  • How does it fit?
  • How To Make It Work?
• Case Studies
• WIF/ACS Anatomy
  • Architecture
  • Identification (how a client identifies itself)
  • Authentication (how client's credentials validated)
  • Identity flow (how the token flows through the layers/tiers)
  • Authorization (how relying party - application or service - decides to grant or deny access)
  • Monitoring
  • Administration
• Quality Attributes
  • Supportability
  • Testability
  • Interoperability
  • Performance
  • Security
  • Flexibility
• Content Channels
  • MSDN/Technet
  • Codeplex
  • Code.MSDN
  • Blogs
  • Channel9
  • SDK
  • Books
  • Conventions
  • Forums
• Content Types
  • Explained
  • Architecture scenarios
  • Guidelines
  • How-to's
  • Checklists
  • Troubleshooting cheat sheets
  • Code samples
  • Videos
  • Slides
  • Documents
• Related Technology
• Industry
• Additional Q&A

Getting Started 

What is it?

The following resource will help you understand what Windows Identity Foundation and Azure AppFabric Access Control Service (ACS) are so you will be able to ask a more focused scenario driven questions.

• Azure AppFabric (includes ACS) Datasheet for Customers - PDF
• Azure AppFabric (includes ACS) Datasheet for Partners - PDF
• Azure AppFabric (includes ACS) Briefing Deck for Business Decision Makers - Slides
• Azure AppFabric (includes ACS) Briefing Deck for Technical Decision Makers - Slides
• Azure AppFabric (includes ACS) Partner Focused Briefing Deck for Business Decision Makers - Slides
• Azure AppFabric (includes ACS) Partner Focused Briefing Deck for Technical Decision Makers - Slides
• Introduction to the AppFabric Access Control
• Introduction to the AppFabric Access Control Service V2
• Windows Identity Foundation Overview - Video slides
• WIF Workshop 1: Introduction to Claims-Based Identity and WIF - Video
• What are the Access Control and Service Bus? - Video
• What is the Access Control Service? - Video.
• Introducing the New Features of the August Release of the Access Control Service Labs - Video
• Claims-Based Identity For Windows - PDF Document
• Security Talk: Azure Federated Identity Security Using ADFS 2.0 - Video 

How does it fit?

The following are some of the common Application Architecture Scenarios where Windows Identity Foundation and/or Azure AppFabric Access Control Service can be used. Note, there is more that are not covered yet in this article.

• App Scenario – ASP.NET to AD with Claims
• App Scenario – ASP.NET Claims Auth with AD, Federated
• App Scenario – ASP.NET Claims Auth to WCF
• App Scenario – REST with AppFabric Access Control
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application Scenario
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – REST Web Service Application Scenario
• Windows Phone 7 and RESTful Services: Delegated Access Using Azure AppFabric Access Control Service (ACS) And OAuth 

How To Make It Work?

Following are few how-to's to get you up and running with Windows Identity Foundation and Azure AppFabric Access Control. After walking through these your probably want to skip to the WIF Anatomy and Quality Attributes sections. If you are interested in deeper learning consider skipping to the Video section where you can find the references to the whole Identity Workshop by Vittorio Bertocci, or you could just grab his book - found in books section.

• Windows Identity Foundation (WIF) By Example Part I – How To Get Started
• Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• Azure AppFabric Access Control Service (ACS) v2.0 Getting Started Walkthrough
• Use Access Control Service to Federate with Multiple Business Identity Providers
• Azure Training Kit - Introduction to the AppFabric Access Control Service (September 2010 Labs Release) 

Case Studies

• MSIT Showcase Enhancing Federation Services for Internal and External Partners
• Quest Software - Systems Manager Offers Security-Enhanced, Hosted Solutions with Programming Framework
• Courts of Denmark Courts Automate Processes for Citizens, Workers with Federated Identity Solution
• Province of British Columbia - Government Builds Foundation for Agility with Identity Federation Solution  

WIF/ACS Anatomy 

Architecture

• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application Scenario
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – REST Web Service Application Scenario 

Identification (how a client identifies itself)

• How to: Using the FederatedPassiveSignIn ASP.NET User Control
• WIF and WCF: Built-in Bindings Overview
• WSTrustChannelFactory and WSTrustChannel
• Using Windows Identity Foundation for Creating Identity-Driven Experiences in Microsoft Silverlight - Video Slides
• How to identify from Silverlight to WCF service? – check on Identity Developer Training Kit , there is a sample that covers it. 

Authentication (how client's credentials validated)

• How to: Build an ASP.NET STS - A passive STS that implements security token issuance using the WS-Federation passive protocol.
• How to: Build a WCF STS - An active STS that implements the WS-Trust protocol.
• Azure AppFabric Access Control Service (ACS) - Available Identity Providers
• How To: Configure Facebook as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Google as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Yahoo! as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• Windows Identity Foundation (WIF) - How to protect static content with the Federation Authentication Module (FAM)

Identity flow (how the token flows through the layers/tiers)

• Identity Delegation Scenario
• Sample Custom Attribute Store Implementation
• The Role of the Claim Rule Language

Authorization (how relying party - application or service - decides to grant or deny access)

• Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• IsInRole Authorization in ASP.NET Application Configured for Federated Authentication Using Windows Identity Foundation (WIF) and ClaimsAuthenticationManager
• IsInRole Authorization in ASP.NET Application Configured for Federated Authentication Using Windows Identity Foundation (WIF) and Azure AppFabric Access 
• Authorization With RoleManager For Claims Aware (WIF) ASP.NET Web Applications
• Step-Up Authentication Scenario

Monitoring

• How to Enable Tracing
• How to log WCF and WIF traces to different tracing sources
• How to use svctraceviewer.exe for troubleshooting
• How to use svctraceviewer.exe to inspect WIF traces
• Tracing Scenarios - What to look for in the trace
• Fiddler Inspector for Federation Messages
• Active Directory Federation Services 2.0 Management Pack Guide

Administration

• Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config
• Windows Identity Foundation (WIF) Configuration – New Topic on MSDN
• Working with the Management Portal - Azure AppFabric Access Control Service (ACS)
• Windows Azure AppFabric Access Control Management Tool (Acm.exe)
• WIndows Identity Foundation Configuration explained – search first occurrence of authentication mode="None” on the page
• How to: Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil
• Establishing Trust from a WCF Relying Party Service to an STS using FedUtil
• WIF Configuration – Part 1: ServiceConfiguration
• WIF Configuration – Part 2: SecurityTokenHandlerConfiguration
• WIF Configuration – Part 3: Extensibility
• Windows Identity Foundation (WIF) Configuration – Part I
• Windows Identity Foundation (WIF) Configuration – Part II (<cookieHandler>, <chunkedCookieHandler>, <customCookieHandler>)
• Windows Identity Foundation (WIF) Configuration – Part III (<wsFederattion>)
• Windows Identity Foundation (WIF) Configuration – Part IV (Certificate Related Configuration)
• Windows Identity Foundation (WIF) Configuration – Part V (<securityTokenHandlers>)

Quality Attributes

Supportability

Supportability defines how easy it is for operators, developers, and users to understand and use the application, and how easy it is to resolve errors when the system fails to work correctly.

• How to Enable Tracing
• How to log WCF and WIF traces to different tracing sources
• How to use svctraceviewer.exe for troubleshooting
• How to use svctraceviewer.exe to inspect WIF traces
• Tracing Scenarios - What to look for in the trace
• Fiddler Inspector for Federation Messages
• Working with the Management Portal - Azure AppFabric Access Control Service (ACS)
• Windows Azure AppFabric Access Control Management Tool (Acm.exe)
• Active Directory Federation Services 2.0 Management Pack Guide

Testability

Testability is a measure of how easy it is to create test criteria for the system and its components, and to execute these tests in order to determine if the criteria are met. Good testability makes it more likely that faults in a system can be isolated in a timely and effective manner.

• SelfSTS – SelfSTS is a tool that issues token to anyone without authentication so that it’s easy to mock up tests and evaluate the results. Consider scanning through the following example that explains step-by-step walkthrough of using SelfSTS - Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• Identity Lab - Identity Lab is a set of hosted services to support testing of Identity Protocols.

Interoperability

Interoperability is the ability of diverse components of a system or different systems to operate successfully by exchanging information, often by using services. An interoperable system makes it easier to exchange and reuse information internally as well as externally.

• ADFS 2.0 and Windows 2003 DS
• AD FS 2.0 Step-by-Step Guide: Federation with CA Federation Manager
• AD FS 2.0 Step-by-Step and How To Guides .
• AppFabric SDK for Java Developers
• AppFabric SDK for Ruby Developers
• Identity Federation Interoperability – WIF + ADFS + Sun’s OpenSSO
• Identity Federation Interoperability – WIF + ADFS + IBM Tivoli Federated Identity Manager
• Identity Federation Interoperability – WIF + ADFS + CA SiteMinder
• How To: Configure Facebook as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Google as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Yahoo! as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• Improving the Usability and Security of OpenID - Video Slides
• Windows Azure AppFabric Access Control Service (ACS) v2 – Programmatically Adding OpenID as an Identity Provider Using Management Service

Performance

Performance is an indication of the responsiveness of a system to execute any action within a given time interval. It can be measured in terms of latency or throughput. Latency is the time taken to respond to any event. Throughput is the number of events that take place within a given amount of time.

• Problems with big claim collection sizes
• Optimizing Performance (search for the title on the referenced page)

Security

Security defines the ways that a system is protected from disclosure or loss of information, and the possibility of a successful malicious attack. A secure system aims to protect assets and prevent unauthorized modification of information.

• Threats and Countermeasures
• Security Considerations
• Windows Azure AppFabric Access Control Service (ACS) v2 – Threats & Countermeasures
• Windows Identity Foundation (WIF) Security for ASP.NET Web Applications – Threats & Countermeasures

Flexibility

Flexibility is the ability of a system to adapt to varying environments and situations, and to cope with changes in business policies and rules. A flexible system is one that is easy to reconfigure or adapt in response to different user and system requirements.

• Migrating From Windows Integrated Authentication to Claims Aware
• Azure AppFabric Access Control Service (ACS) & ADFS v2.0 Integration

Content Channels

MSDN/Technet

• A Guide to Claims–based Identity and Access Control
• Windows Identity Foundation hub
• WIF SDK
• AD FS 2.0 Step-by-Step and How To Guides
• AppFabric Access Control
• Identity Developer Training Kit

Codeplex

• Fiddler Federation Inspector v0.1
• Access Control Service Samples and Documentation (Labs)

Code.MSDN

• Fabrikam Jets - Integrating Codename "Dallas" with AppFabric Access Control
• SecurityTokenVisualizerControl

Blogs

• Claims-Based Identity blog
• Vittorio Bertocci
• Mike Jones
• Dominick Baier
• Alik Levin's

Channel9

• Introducing the New Features of the August Labs Release of the Access Control Service
• ACS Labs Walkthrough

SDK Reference

• WIF SDK
• Azure AppFabric ACS Labs help Resources

Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices)

Conventions

• PDC10
• PDC09

Forums

• Claims based access platform (CBA), code-named Geneva
• Security for the Windows Azure Platform
• Windows Live ID: Development

Content Types

Explained

• Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application Scenario
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – REST Web Service Application Scenario
• Windows Identity Foundation - Integration with IIdentity and IPrincipal
• Azure AppFabric Access Control Service (CAS) Prerequisites
• WS-Federated Authentication Module (FAM) Overview WIF Processing pipeline explained.
• Working With the Security Token Service (STS)
• Protocols Supported By Windows Identity Foundation (WIF)
• Windows Identity Foundation Configuration explained - go to the first occurrence of authentication mode="None” on the page

Architecture scenarios

• App Scenario – ASP.NET to AD with Claims
• App Scenario – ASP.NET Claims Auth with AD, Federated
• App Scenario – ASP.NET Claims Auth to WCF
• App Scenario – REST with AppFabric Access Control 
• TechEd 2010–Architecting Claims-aware Applications (Video, Slides)
• Single Sign-On from Active Directory to a Windows Azure Application Whitepaper

Guidelines

• Security Best Practices For Developing Windows Azure Applications

How-to's

• How To: Outsourcing Authentication to Third Party via Azure AppFabric Access Control Service (ACS)
• How To: Windows Identity Foundation (WIF) By Example Part I – How To Get Started
• How To: Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• How To: Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• How To: Creating Federated Login Pages for Application using Azure AppFabric Access Control Service (ACS)
• How To: Configure Active Directory Federation Services 2.0 as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Facebook as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Google as an Identity Provider for Azure AppFabric Access Control Service (ACS)
• How To: Configure Yahoo! as an Identity Provider for Azure AppFabric Access Control Service (ACS)

Checklists

• Windows Azure Security Notes - skip to p.75, Checklist: Securing Windows Azure Applications
• Windows Azure Web Role ASP.NET Application and Access Control Service (ACS) V2 – Quick Checklist

Troubleshooting cheat sheets

• Windows Identity Foundation (WIF) - A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
• Tracing Scenarios - What to look for in the trace
• AD FS - How to invoke a WS-Federation sign-out
• AD FS 2.0 - "An unexpected error has occurred" error or blank page displayed attempting to log on to SharePoint, Event ID 23 logged
• AD FS 2.0 - The service fails to start. "The service did not respond to the start or control request in a timely fashion. "
• AD FS 2.0 - Query notification delivery failed because of the following error in service broker: 'The conversation handle "{GUID} is not found.'
• Windows Identity Foundation (WIF) - FedUtil.exe on Windows Server 2003 fails with "Object Identifier (OID) is unknown."
• AD FS 2.0 - Prompted for credentials when you are expecting to be allowed anonymous access
• Windows Identity Foundation (WIF) - How to change certificate chain validation settings for web applications
• AD FS 2.0 - How to set the Primary Federation Server in a WID Farm
• AD FS 2.0 - The Admin event log shows Error 111 with System.ArgumentException: ID4216
• Windows Identity Foundation (WIF) throws exception: "ID6018: Digest verification failed for reference"
• AD FS 2.0 - Browsing to Federation Metadata fails "Unable to download federationmetadata.xml"
• AD FS 2.0 - Continuously prompted for credentials when using FireFox 3.6.3
• AD FS 2.0 - How to configure the SPN (servicePrincipalName) for the service account
• AD FS 2.0 - Continuously prompted for credentials while using Fiddler Web Debugger
• AD FS 2.0 - "Script is disabled. Click Submit to continue."
• AD FS 2.0 - How to enable and immediately use AutoCertificateRollover
• AD FS 2.0 - How to perform an unattended installation of an AD FS 2.0 STS or Proxy
• AD FS 2.0 - The AD FS 2.0 Windows Service fails to start - Event 102 and 220 logged
• AD FS 2.0 - How to manually run the AD FS 2.0 Initial Configuration
• AD FS 2.0 - "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier"

Code samples

• Fabrikam Jets - Integrating Codename "Dallas" with AppFabric Access Control
• A Guide to Claims-Based Identity and Access Control – Code Samples
• Azure AppFabric Access Control Service (ACS) - ASP.NET Simple Forms
• Azure AppFabric Access Control Service (ACS) - ASP.NET Simple MVC
• Azure AppFabric Access Control Service (ACS) - ASP.NET Simple Service
• Azure AppFabric Access Control Service (ACS) - WCF Username Authentication
• Azure AppFabric Access Control Service (ACS) - WCF Certificate Authentication
• www.fabrikamshipping.com - complete functional end to end multitenant application including full source code. Uses WIF and ACS for authentication and authorization

Videos

• Windows Azure Platform Security Essentials: Module 2 – Identity Access Management
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• WIF Workshop 1: Introduction to Claims-Based Identity and WIF
• WIF Workshop 2: Lab on Basic Web Sites
• WIF Workshop 3: Scenarios and Architecture I
• WIF Workshop 4: Scenarios and Architecture II
• WIF Workshop 5: Lab about Web Sites and STS
• WIF Workshop 6: WIF ASP.NET Pipeline and Extensibility Points
• WIF Workshop 7: WIF and WCF
• WIF Workshop 8: Lab about WIF and WCF
• WIF Workshop 9: WIF and Windows Azure
• WIF Workshop 10: Lab about WIF and Windows Azure
• ACS Labs Walkthrough
• Access Control Service - Getting Started
• Access Control Service & ADFS v2.0 Integration
• Identity “Mash-up” Federation Demo using Multiple Protocols (OpenID and WS-Federation)
• Fabrikam Jets - Integrating Codename "Dallas" with AppFabric Access Control
• p&p Claims Identity and Access Control Guide - A look into the Single Sign On scenario
• Identity Federation Interoperability – WIF + ADFS + Sun’s OpenSSO
• Identity Federation Interoperability – WIF + ADFS + IBM Tivoli Federated Identity Manager
• Identity Federation Interoperability – WIF + ADFS + CA SiteMinder
• TechEd 2010–Architecting Claims-aware Applications (Video, Slides)

Slides 

• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites - Slides
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2? - Slides
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me? - ** Slides**
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture - Slides
• Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites - 
• Azure AppFabric (includes ACS) Briefing Deck for Business Decision Makers - Slides
• Azure AppFabric (includes ACS) Briefing Deck for Technical Decision Makers - Slides
• Azure AppFabric (includes ACS) Partner Focused Briefing Deck for Business Decision Makers - Slides
• Azure AppFabric (includes ACS) Partner Focused Briefing Deck for Technical Decision Makers - Slides
• Windows Identity Foundation Overview slides
• Software + Services Identity Roadmap Update slides
• Improving the Usability and Security of OpenID
• Using Windows Identity Foundation for Creating Identity-Driven Experiences in Microsoft Silverlight
• TechEd 2010–Architecting Claims-aware Applications -  Slides 

Documents

• Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
• Azure AppFabric (includes ACS) Datasheet for Customers - PDF
• Azure AppFabric (includes ACS) Datasheet for Partners - PDF
• A Developer’s Guide to the .NET Access Control Service
• CLAIMS-BASED IDENTITY FOR WINDOWS
• Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers
• Single Sign-On from Active Directory to a Windows Azure Application Whitepaper

Related Technology

• Azure AppFabric ACS
  • Access Control Service Samples and Documentation
• Windows Phone 7
  • Windows Phone 7 and RESTful Services: Delegated Access Using Azure AppFabric Access Control Service (ACS) And OAuth
• Sharepoint
  • Does SharePoint support SAML 2.0?
  • SharePoint Claims-Based Identity - How To's
• Windows AppFabric
  • Using WIF with Workflow Services
• BPOS
  • Microsoft Federation Gateway
• Windows Live ID
  • Introduction to Windows Live ID
• ADFS
  • Active Directory Federation Services (AD FS) 2.0
  • AD FS 2.0 Federation with a WIF Application Step-by-Step Guide
  • Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
• WCF
  • WIF and WCF: Built-in Bindings Overview
  • WIF, ADFS 2 and WCF–Part 2: The Service
  • WIF, ADFS 2 and WCF–Part 3: ADFS Setup
  • WIF, ADFS 2 and WCF–Part 4: Service Client (using Service Metadata)
  • WIF, ADFS 2 and WCF–Part 4: Service Client (more Flexibility with WSTrustChannelFactory)
• ASP.NET
  • How To: Windows Identity Foundation (WIF) By Example Part I – How To Get Started
  • How To: Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
  • How To: Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• OWA
  • Access OWA with ADFS

Industry

• OAuth WRAP WG
• OAuth 2.0
• OpenID

Additional Q&A

• What's the difference between ACS and ADFS? - ACS offers federation in the cloud while ADFS offers federation on-premise.
• What protocols supported by WIF?
• What's Identity Delegation Scenario?
• What's the difference between passive and active requestor profile?
• What're the steps to Configuring SharePoint 2010 and ADFS v2 End to End
• What are the steps to Migrating from Windows Classic Auth to Windows Claims Auth in SharePoint 2010 Part 2
• I need to turn off requestValidation in web.config. Is not it a security vulnerability? What's the solution?
• How to access WIF protected WCF Service from Silverlight? Also see complete example in Identity Developer Training Kit .
• What changes made to web.config after converting my web site to claims aware?
• How to avoid passive redirect in my ASP.NET web application protected with WIF?
• Why User.Identity.Name always null?