You are on page 1of 35

c c

c
c
c

c  c
c  c c c
c   c  cc  c
Access control in the cloud

c
c
 cc  c

!""#c
c

All information and code samples are based on the November 2009 CTP release.c
c c  ! c"#c c c$%c c  cc
c

Ô c

Abstract .................................................................................................................................................. 4c
An Overview of Windows Azure platform AppFabric Access Control ...................................................... 4c
&cc'c# c c  c(cc)c
'  c  cc*c
c+ c# ,c&- c.#c 
c c  cc/c
Introduction to Claims-based Identity..................................................................................................... 7c
 01 c'  ccc2c
'  cc2c
cc2c
# ccc2c
' #c#  c3c'  cc4c
# ccc56ccc
7c c576ccc
8c c  cc9c
  cc9c
 c&1cc5&6cc99c
&1c7 #c# . c c5&76cc99c
c' # cc9c
'  c: c c# c7 cc9c
: cc  0
c'  1 cc9)c
Understanding Windows Azure platform AppFabric Access Control ..................................................... 15c
" c  c- c c  cc9*c
 c  cc ,c c# c c 7 c cc9*c
 c %;%c c 
#c cc9/c
 c c c<cc%  c
ccc$ cc9/c
 cc' #cc92c
 ccccc9c
 cc ccc
 cc7#cc9c
 cc ,cc c  cc

cc 
c   cc c c c
c cccc ccccc   c
=c c  ! c"#c c c$%c c  cc
c

#cc  >cc=c


8-c c  c cc7?# cc=c
 cc ,cc 7 ccc*c
@ cc ccc/c
<c7cc4c
'  c c' # c- c ccc
%Acc&c
cc&cc=c
%AccBcc
cc&cc=c
 c- c cc=c
cc c Cc  > Ccc#cc=c
c$ cc  c   c==c
c+# c
c  Cc
 cc==c
Úummary............................................................................................................................................... 34c
Additional Resources ............................................................................................................................ 34c
About the Author .................................................................................................................................. 34c
Acknowledgements............................................................................................................................... 35c
c

cc 
c   cc c c c
c cccc ccccc   c
)c c  ! c"#c c c$%c c  cc
c

 c

c c 
c  c -   c  c c -c   c -c c # c c  01 c   c c c c
 c  c
 #c
c c&- c.#c 
 :1 c  c c 0Cc
 c
  Cccc1 c c cc7%c&1c  cc c Cc- c #  c
c&0Dc
c c cc
c-1c   ccc c
# #c

Note: The Service Bus and Access Control services that were once collectively known as the .NET Services
now run directly within Windows Azure. Windows Azure now provides secure connectivity natively via
Service Bus and Access Control, in much the same way that it also provides compute and storage as a
cloud service. To reflect this change, these capabilities are now branded Windows Azure platform
AppFabric, and you will see these changes take effect as we transition from a CTP to a business.

c 
 c c
 cc c 
cÔ  c

c c +# c c  c  c c c 1c  0 c
 # c 
c c &- c
.#Ec 
c  c
 # c c   c - c c 1#c 1 c c 
 # #c
#  c
c #01 c c #0-c    c F# c c #c c c c $%c :-c
c
c 1#c 1 c -c  c 0  c 
-Cc #c -c c c  c  c  c
1#c 1 c c #c #c    c c +# c  c  c c  c  c 5 6c c c
#   cc c- c# . 9c

 c-   c


#  c 
cc-c c  c 01 c  ccc7%c&1c Cc
c c  c
c#   Cc# . Ccc cc cC  .  c
 cA  c cc c  cc c#Gcc c-c& c  cc Cc c  c
-c -c-c
 cc c c  #cA c  c   ccc c
c- c#ccc c
- c Ccc- c#Gc1c1c ccc c
# #Cc- c c c1c cc

cccccÔ  c c


Hc c  cc cc1cc   c c1c 01 c  cc c cc
c1- 01 c-1c   ccHc&1c  c+# c7%c&1c  Cc-cc?#c
c #Ccc  c
# c #  c
c  c:c  c Cc c c c
  .c c-c c c  cc&c c c
 c Cc c-c #c  c  c  c
 cc7%c&1c cc c?# cc #ccc 
Cc- # c c
?# c
c1 c #c c&':c5&- c'  c:# 6cc& :c5&- c # c
:# 6c'Cc c c c?#c# 1c
cc#cc 
c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
9
c:cc
 cc cc+# Cc c c
 c c cc
c  c  c

cc 
c   cc c c c
c cccc ccccc   c
*c c  ! c"#c c c$%c c  cc
c

& c c
 c C c-c c#   c  c c# cc  cc5 c c c

c# ccc  -6cc1c#   c
c   c c  c# c :cc
5 c  c: c 6c

'c
# #c  Cc c-c  c 0 cc
c1- 01 c-1c   c c-c cHc
&1c  Ccc-c c # c  c
cc c  c
- c #c c:1c
 Cc"c# Cc&- cBc' Ccc  c

'c  Cc c


 c c
c c-c c1 c  c  c
c7%c&1c  Cccc c

# #Cc c-cc c1cc#01 c  c c
-c
cc   c
c Cc
   Ccc  c

cA c  cA  c  c  cc CccA  c c  c-c 01 c  c
 c c #ccA c c


Ôc
c
 c -c?#  c c   cc  cc c -c  c cc c c  ,c
-c  c c # Cc c - c  c c -c c (c  c c
c #   c c # . c c
c cc

 c   c
c   Cc
c&1c  cc1- 01 c   Cc c
c &- c    c    Cc  c c c    c +# c   c c c
c
c  c
 # Ccc  ?#c- c #  c c  cc c # cA  Cc
cc
c#
 1c1cc cI1c
c #   c# .c#  c c c cc
#1I c  c c1c  c # cc # c c###Ccc ! ccc c
c
c c# c cc c  c
c

' ! c c #  c c cc c c- c  cc# c


c   cc  Ccc
c
-c c c -c  c c
c # c    Cc c  c 
c -c c -c c # c c
 #c  c 
c #   c   c -c -c # c  c  c c 1#c   c #  c  c
c Ccc'c 
  c-c-cA  c c c cc c # c  c
c  c

c  c# c
c  - c cc c- c  c  c& c cc  c1#c
c# c #  c
c#   cc# . Cc ! c
c

# c c  c 0 cc


 c Ccc c
 c  c c # c c

c#1c 
c #  c c  c 1 c c-ccc& c cc  c   c
c  c  Cc cc1cc

# c c #  c cCc-c c-c  c#c c


 c c c #  cccc
c  c   cc  Cc#c7%c&1c  c  c# c
 c-cc1c c c#  ccc

 c # c Cc c


c 
c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

 c cc1# ccc# c c#c   c
 c5 #c c  - 6c c ccc1c c
cc  c ?# c c1c
cc  c c- c-c c# cccc# ccc# cc
c  c c c c ! c-1  Ccc1# c ccc c  c ! c-1  c&c c# cJ c
KCcc  -c c #c1c c Ccc- cc c
 c c# c c# c cc-c

cc 
c   cc c c c
c cccc ccccc   c
/c c  ! c"#c c c$%c c  cc
c

cc 
c
 cc cÔ  c
c  c # c  c c# c c1cc -cc c cc c1 cc =c
c  01 c   c c - c c c
 # c 
c #   c c # . c c 1c

 c# c
c#c#ccc c1c .c cA c  c  cc- cc
 c1c #1I c cA  cc # cc   c c1
c ccc

 c  c cc#01 c c  c cA c  ' c
c- c#c-c# c# c
# ccc 1 Cc#cc c c  c c#   cc#c
c c# . c

c#c#  c& cc cc1 cc#c Cc#cc# .c c c1 c   c c
 c -c  c  c  c %   c  c c c  :c c c -c #  c c #   c # c
c c  cc  c c cc 1 cc c  c5  ccc
c  -6c- c cc c#   c c- c  c cCcc c
# #c #  c-c
1c c
ccA c  c   c #c  c:1c  Cc"c# Cc&- c
Bc' Cc c-c c c   c  c  c

 c1 c  c& cc Cc  cc1 cc#c7%c&1ccc Ccc c c
  Cc #Gc 1c 1c c # .c  c c c c c #  c - # c c c c #c
0 cc1 c

&c #c c #  c  Cc c # c # c 1 c c # c c


c  c c c c c c #c
c c c cc ccc cc c
c c#c c- cc  c
c c1# c
c # G c   c   c  c  #c c c # c c # c
 c  c  c c c  ,c  c 1c
#   c- c c cc1c   cc # c c
c c # c #c5 :c
c
A 6c  c  c #   c  c # c 
Cc 1c c c c # c   c c c c #c
Cc #c#cc c c c5cc  c 6Cc#cc # c c cc c c
c1c  c c# G c?# c5 :#c96c

Figure 1: User Presents Claims

c  cCc c 0c c c cCcc#c c cno longer responsiblec
,c

Õc #   c#  c


Õc  c# c# cc  - c
Õc c c   c  c cc# c# c  c  c
Õc '  c- c  c   c
c c 
 cc  c
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
=
c'c cBc-c5# c  c# cB#6Cc c csecurity assertionc c# c c
cclaimCc1# c
 c  c c c c cc

cc 
c   cc c c c
c cccc ccccc   c
2c c  ! c"#c c c$%c c  cc
c

Õc  c
c#   c5c
 6c- c c # c c

 cc- c# c cc  0 c  c1 cc c1# c c# cc
1c c # c  #c c  c  c #c 1c  c
c  c c  . c - c c # ! c

 cCc c# .c c# c c 0#c
 # cc # cc#c c

 
c cÔ
 c
c

 c  c 
c c  c  # c c c c  c c  c c  c #Cc  c c
 Cc# c  c  c  #c

Ô
 c
c
  c
c c c  c c # c c  1c  01 c   Cc  c  c    c c

c  c  c1
cc c c  c
c c


c
c-c J  Kc cc#c c cc
c  c  c c# c c c 1c c 1c
c  c# c#   Cc# . Ccc cc+# c
c c #   c
c 1c Cc c
c  c-c1c# c c
c cc  c
c cc1cc # c #c1# c c# c

Ô
c
L#cc c
ccc cc1 c
c  c
 C #c cCcc CcCc1  c
c c  cCcc cccc c#c c Cc cc#!c-c1# c c# c
-c  c c c ?# c c -c JKc  c # Cc  c c c c  c J 1# KCc
c# cc c   c c-cc c c cc- c cc cMcc
 cc#c c c cc# c# c 1#  ccc c' Cc c# c c c
c#c Ccc#cAc c- cc c #c
c#1 c  cc c1ccissuerCc
c#c # cc  c
c cc c#c c#c # c  c #c c
c ccc c
c
 c  c c
c c  #c  c #c # c & c  c  c 
 c  c  c c c # c c
  c ?#c c 8 c  c #   c c 58 6c c
c  # c c
8 c c
#ccc-c c
c 
 Cc#c 
c$%c


c c
c # c  c c  c 
c  c c #c c 1c c - c  c c c ?# c 'c c 7%c
&1c Cc  c cccc c# . cc
c c856c?# c7 c
c
-c cCc c# c -c1c .Ccc  c cc1c # c  ccsecurity
tokenc cc .c  c
c c  c c c1c c #c#  cc  #c c   cMc c
 c#c #c  c c# c! cI# c
1 cc  c
c cc c c c#c

cc1I c c c cN  #Ncc1# c c#  cc ccc8 c cN Nc c
c  c   c c c c  c   c c c c c  c c - c c

cc 
c   cc c c c
c cccc ccccc   c
4c c  ! c"#c c c$%c c  cc
c

 c  c cc c c8 ccc  Cc c  c c c


c cc
cc cc c c
 cG c c-c- cc  #c cc
c- cc
cCc cc c#c# c c   c
c  c cc cc:cc Cc
c c c #c c c c I# c c  c  Cc G c c -c
c c c c c c c c
 c  cc c- c c1c cc c1c c c 
c c c  c#c ccc

 #ccN # Nc- c 0 #c  Cc#c-#cc- c c# c c c
cc
c -c

 c  Cc1# c


cc c   cc
c  c  Cc#c
# c c G c c
c c c c c c  c c c c c c Cc-c-#c
 c c - # c -c  c c c  c c
c  c  c c c c   c c


 Cc  c c 
c c 
c #Gc  c 
#c c c c c  c -c B c c  c
 c-c-cc
#c Cc#Gc1cc
c  c c  c#cG c
 c


c 
c
c
c
c #c#  c c -cc
 # cc
 cc c1# c c  c c # c # c  c
c c
 # c cc  c  c-c c c #c c c1 cc c# ! c  Cc
c #c c-c c?# c  Ccc  1c c A #c  #c c c
cc c
 c
cc c
c
c c cpolicy)c

ccc #c#   Cc#c&- cBc' Cc :Cc: c


cc'  c5c
# c  cA   c# c   c
c cFc-6Cc:1c  Cccc

c #   Cc #c  c &- c Bc ' Cc -c -c c #   c c # c  c c I1c  c c
 c c c
c c# cc #cc c- cc 
c
c c# G c# ccc
 1c  c   c  1#  c  c   c 
c #   c c c identity providersc 5   c
 c c'6c' ! c#  c c  1 c c -c c?# CcJ-cc#(Kcc #c
 c c # c - c  c c c  -Cc  c c   c 
c  c Cc - c c '$c Cc  c c
 c  c Cc c c c c c - c c #   c c # Cc c 1c -c c
  c c cc  cc
Cc  ! cc cc 1c
c#c c

 c c cc #c#  Cc1# c  c c c c c cc
cc  c c5 #c#c
cc cc  c
c    c #   ccc  c   Cc c -c 6cc cI1c
c
 c c cprovide a set of claims that are immediately useful to your servicec c c 
c c
 c  c c
c c c   c c c  :Cc &- c Bc ' Cc :1c  c  c
 c  ccc c#c Cc-c c#c# cCcc Cc Ccc c
c+ccc c c1c  c
c#c Cc#cc c cc1 c
c  cc#c
c  c  c  c  c  c c c #c -c  c c c c  c c c c
 c
c-c  c  c' c#Gc  c
#c c   cc c c  c-c
  c  c#c- c c c # cc#c1
c

c1c  c
c c c c  c 
c
c
#c   c #c c Cc  c  Cc
c# c
c c #c cA   cc7%c 
c
c
#c  c   cc  c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
)
c$ c c1c
# c- c&0c

cc 
c   cc c c c
c cccc ccccc   c
c c  ! c"#c c c$%c c  cc
c

 <c # c c 0c  c 1# c c  c 


c  c 7%c  
c c A*Cc -c  c
     c&:c cc c c+- c c1cc ACccc
&11- c 
c c c c
cc
# #c c
c c c  c


c c
c !c
c # c c c56c cc c c
c c&1c 
ccc #c#  c  c- c
 c c?# cccc # c cc c  1c   c  cc # cc
c
-c  c c c c
c c&0# c Ccc c
c# cc c  #c c

c cc #c#  c

L#Gc c c c c # c c c    c c 5:#c 6c  c   c c 7Bc c # c c
?# c c c
c c  #c  c  #c A   c -c c  
 ,c c  c  c # c # c c
1 cc c c c#c Cccc

 cc  c c c  c #c cAc


# c c  c c - c -c c  c #c c   c c c c 7%c  
c ' c  c
  c c  c  c   
c #  c  ,c c c c c  c  c 7%c  
Cc #c
# c1 cc c
c  cc

Figure 2: Ú Ú Endpoints for AC

c%  c  c c c7Bc#c c# c c1 cc c


c#c c
 c%  c  c  c c 7Bc  c Ac #  c c  c c  c 7%c
 
c 
c  c  c  c 
c #c - c c c  c   c
 Cc c
c# cc c #c c %;%c
 cc%  c  c  c c 7Bc  c Ac #  c c ?# c c c c # c c
 c 7%c  
c 
c  c L#c c # c  c 
c #c c c
# c c c%  c c c1c
ccIc-c  1Cc  c  c-c# c c cissuerc c
c c cc c #c
#   Cc #c   c  c #c  c &- c Bc ' c c :1c  c +# c G c 1c

# c
c#cc c  #c  c#  c c cSTS 1c


cc !c
&c #c 1#c c c  c  c c  Cc c #c c 1#c c relying partyc c
 c  c #c c c c claims aware applicationCc c claims-based application c

 c  c#c c 1# c #!c
c  c c c   #Cc 1# c c   c #c 1#c  c
 c c cc   Cc  c  c-cc  c
c c#c c cI# c  ,c c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
*
c c  c
c c  c c

cc 
c   cc c c c
c cccc ccccc   c
9c c  ! c"#c c c$%c c  cc
c

- ccÔ  c


$-c c c c
Cc! cccc-c
c-cc 01 c  c- cc
 c
 c # c c c   c,cc Ccc #c5 6Cccc c

Figure 3: Requesting and Úending Claims

:#c= - cc  c  c- c cc c  cc8cHc c c  c# c c
 ,c c# G cCc  -Ccc c1 c7'c
c c c  c c  c- c c c c
 c c c
cc# c c c
c c# Ccc
c Cc  c c  -c'
cc c-Cc c
c# cc  c
c# c  c c c # c c# G ccc c1 c7'c
c c-1c c  c c
  c c cc# # c
c  c# c cc  c
c c  c c1# c cc Cc  Ccc
 c1c c c c

c  c c  c c ?# c c c &1c Cc #c c c c c 8c # . c
cc&1c c c
c  cCc
 c c Cc  c c  #CccA  c c
 c  c c #c' c#  c  c c c c c# G cCc Ccc- c c c
#Gc
#cc#c c#c  c

c
c ccc 01 c  cc1cc c c #c
c c #Ccc cc # c
c c c  c 
c - c 
c c  c c c   c  c
c c
 Cc c   c
 c
c c   c# c c?# c  c  cc c c c  c'Cc  c c- c
 c c c# 
#c0cc c c c c c #  cc1cc
c  c  Cc#c c
-c1
 c
c1c c c c- # cc c-c c  c
cc
c  c  Cc
c-c1# c c c  c c c

c
 c c- c# c  c# cB#c5B6cBc 
cc;Bc
 c
c
 c 5Bc  6c  c -c  c   c
c 
c &1c  Oc c c c # c
B  Cc   c 
c c  c  
c  c Bc 5
c c Bc  c # 6&0
: cc c&0Dc 
  c c
cc  c
c   c
c&1c Oc c c
Cc1# cc c  c c c
 c cBCc #c  c Cc c c c cc

 cc# c c

cc 
c   cc c c c
c cccc ccccc   c
99c c  ! c"#c c c$%c c  cc
c


c  c c  !c
&cBcc&0Dcc   c c c1c # c- cHCc7%c c
ccc c
 # C  # c  c c c
 c c  c &1c c 5&6 c I c 1c
 
Cc"CccLc&c c5 #cswat6 cc#cc ?#c ccc
7BCcc ?# c c c c  c1cc7%c&1c c:-c ccA c
c c c

cc  c& cc c c7B0c c#ccc cc ,c


 P< 3P Q
13 P 

C  3 #P ,OO


  -
-  O&743#P ,OO
1O 3%A  HP9*/2/29238 8*/P
7/7"1**%: B'#+.=F=1" 9.*4Pc

  c  c ccG3Gc c  c G cc  c


cO#c  ,c


 c < c
c  Q
1c
 c 

C  c
' #c  ,OO
  --  O&74c
#c  ,OO
1O c
%A  Hc 9*/2/292c
8 8*/c 7/7"1**%: B'#+.=F=1" 9.*4Pc
c
 c c  cc c  c1c# c  c# cc cc c
#c  cc- c
#ccc
 0 #c Cccc# c cc c c
c c c c cCc#cc c
cc
c  c c c c  c c 1c c # c
c c  #c c #c Cc c  c  c
  ccc' #c c-c c c c
cc #c7'cc  cA c 
 c c
 c c  #c
c c c  c c N  Nc c #c   c c -c c  c  c
 c c #c c  c A c  c  ,OO
1O Cc c 1 c 7'c
c c c
%A  Hc c c#1c
c  c c % c /cc  cc1 # c c-c c c
A  c c  c #Cc 8 8*/Cc -c - c  c  c c c c 
c c &c Cc  c c
 #c'
cc
c  c
#c# ccCc#c c #cI c c cc c?# c
#c
c5  c1c #cc)9c# .c 6c

B Cc  c  c #  c-c c# c


c  c  cc # c1c Cc1# c
c-Cc
# cc c
  c
c c&c
 cc-c c   cc c
cc #c cc c1# cc# c

 c c 

c   c !c
c  c  c c#  c c #c  c cc&1c7 #c# . c c&7c cc7%c
 c 5 c c I# c - c &6c  c  c # c c ?# c  c
c  # c #c  c
  c#c cA  Cc  c# 0 c  c c  c c# cc?# cc Cc #cc
Hc c - c #c ?# c c #c  #G c &7c   5 
 c c  c   c   6c
- c c   c  c 
c N  OA0---0
0#Nc 'c c $%c :-Cc c
UploadValues cc cWebClientc c c  cc c  c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
/
c% c c cFc9Cc92c

cc 
c   cc c c c
c cccc ccccc   c
9c c  ! c"#c c c$%c c  cc
c

'
c#c?# c c Cc c  c# cc c5&6c  c#cc c c c c
?# cc  cc -ccc c c

Ô
cc
cA c1c- c - c c&c#cc# c cc  c-Cc   c c c
 c c # c c c  -c c c c  #c c Cc c c c c  G c  c -c  c -c
 c1c# cc -c
c c cc c# ccc c1 c c
 c- cc  c
 c& c c
 c Cc cc  c c  c c-c #  c c :cCc1# cc
# #c
  c c-c c #  &- cBc' Cc:1c  Cc"c# Cccc

&c#c
#c Cc#c c-c # c#c- c c c # cL#c#Cc
cA Cc c
 c c # cc :c #c
c #c1c c c- c c 
 2c c c c
  #c c cc c-#c-c :c c c  c #c1c c  #c :c c

 c  c c # c  c  #c c 

 c   c c c 
c  # Cc - c c  c   c 
c
 ,c c  c- c c1cc c1#  c
c #   c#  Cccc c#c c c
 c c1cc 0 
 cc  c#cc# c c  c01 c c Cc
1 c  . Cc c c c ' c 
 c   1 c
c #   c #  c c - c   c
c#c c

  c
c c ccc1
 c#c c-c#cc # c  cc c1
 c c
  c
 Cc-c c # cc cA c  c


c
c c
cc
&c#c1#c 0-c&1c   cc  Cc#c# c# 
c
ccc# c
c c #c - c c -c  c  c c #  c #c # c  c c #c c   c   c #c c
1# c c# c
c#c cL#c! cc c-c1# c- ccc # cc  c# c
  c c1c  c
c c c cc #c cfederate identity c # c c

 c
- c cc c c c cA c  ccc cc:1c cc c1#  c

c#
 #c1 Ccc #  c
c1c  c#c c-cc c1 c:1c c
c7%c&1c c  c- c  c c1 c
 c1# c:1c1 Ccc #  Cc
c cc

'cc  c50 c1 6c  Cc-cc c5+16c- c c  c c:1! c1 Cc


c   c :1Cc  c c c  Cc c  c :1c 1# c  c   ,c -c
#c1c-c c# c:1! c # c Cc-c #c1c-c cc #  Ccc
cc:1c c # cc# ccc  -c
cc
c  c#  c c+1! c1c  Ccc

# c c-1  c c c  c#  c

 c c
c c cc cI1c
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
2
c c c c
 c  c# c
c :cCc-c  c c c 
 cc c
  c1# cc #c:cc
 cc
 c  Cc c c&0: c c

cc 
c   cc c c c
c cccc ccccc   c
9=c c  ! c"#c c c$%c c  cc
c

Hc Cc +1 c # c 1#  c - c c  c 1c #


 # Cc c - c c -c
  c c
c # cc# c c&1Cc-c ccc
Acc c c' ! c
 c
c+1c c
 c1# cc
c  c  c-c! cc c1 cI# c c c1 cccc
-ccI c cc-c Cc c  c+1c-c c1c  cc c cc:1c5c
c 
c c  c #
 # 6c c  c c -c  c c #c 1c -c c c #  c
! c
 c
-c- cc cI1ccc1 c# c c c cc
c c  - c c c c-c

c c# c   c !c1c# Ccc !c1cc c c:1! c c-1  c# c
+1c c#c cc:1c ccc cc# c

& c  c-c! ccc+1! c c Cccc- Cc


c c c c c
 (c&c c:1c
c# c1# c  (c

'c  c Cc -c  cc 1 c # c   Ccc 4Cc1 -cc c
:1c  c c +1c c  c -c   c c  c  c #c c  c c :1! c
 # Ccc- cc
c cc #cc'  c
   automatesthiscovenantc
c :1c c # +1c c c c # c 1# c  c   Cc  c  c  c c  c +1! c
 c #   c  c   c c #  c c :1c c   c 1# c c
 ! c# ccc c c+1ccc  c1c# c c  c- c :cc c c
  c c5'6Cc
cA c

Hc +1! c   c c   1c


c #   c  c 

Cc :1c cc  c c  #c # c


# c
c+1! c  c&cc c cc # c c+1! c1c  Cc  ccc1c
# c c c :1c -c c  Cc c - c c c  c c +1! c . c '
c c  c c
 Cc+1c 1 cc# c# Ccc c-ccc1c1c c# c+1G c # c   Cc
:1! c # c Cc c c  c c 
  c - c +1! c   c c &c
c  c I1 Cc c +1c I# c c # c 1  c c  c  Cc :1c   c  c
c cA c cc ccc#  c:1! c # c c

'  c
 c1 c c 0c c.  Ccc  c cc
c  Cc'c  Cc
#  Ccc  cc

'  c
 c- c1c# cc # cL#c c c # c c c # c- cCc
c  c  #c -c  #c c  #c c 
c c  c  c # c  c +# c -c  c 
c
#   cc#  c Cc#c #c-c1c
#c c c # c  c
c # c c
 c .  c 5c
c  c F01 c  c c #c -c  6Cc c c c
#   c#  cc c-cccc-c  c c  c
c c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
4
c$-c  c c c# c
c  c
 cc1c?#Cc cc  c c  c c
c  c  c c cc  c+# c#  c G c cc  c  c   c c  c
c
+1cc:1cc  c   c

cc 
c   cc c c c
c cccc ccccc   c
9)c c  ! c"#c c c$%c c  cc
c

Figure 4: Bob's bike shop federates with Fabrikam

':#c )Cc c  c  c c c # c c 5+1! c  6Cc -c c # c c  c c  c
5:16c'c  c Cc c c5
cA Cc6c#    c- c+1! c #cc cc # c
c  c cc c c:1c5  c96c c c  c  cc c1c#   c1c
+1! c # c
 # #Ccc# c c  c 
c- c c c  cc+1! c. cc

c c  c  c c c:1! c #Cc-c #  c c Cc c  cc #c
1c-c c c c cc?# Ccc # cc c # c c  c  c c c
 c c # c c A  c 5  c 6c c   c  c c c c c 5  c =6Cc
-c  c cc1  cc
c c  c  c c c1# cCccc 
c-cc c
 c c cc c c c c1 c
c:1! c #c

$ c  c c # c c  c c c c  


c - c  c c # c c
c
+1! c  c:1! c #c#  cc
c  c-,cc c c #c # c  cc
c   c 
c # c  c   c  c c # c  1 c c    c - c
:1'c  cA Cc c c-c- c c  c
c c-c #c'
c c  cc c
c
-c Cc c-cI c c c c c  c  c c  1c

c-c c c
 c(c'c:#c)Cc:1c#c#  c c c #c#  Ccc+1c#c# c
 :c c c #   c  c  c c  #c  c
c c &c #c 1#c  c # c  Cc #c
c c c c c#  c
c c.  c- # cc cc#c cc'
c
#c- c c  .c#c c cc cc c# c c
Cc cc c#cc  c
 c-c


ccÔ  c 

c
%c- cc c Cc
 cc1c# 
#c'
c#cc# c- cc # c'c  Cc

cA Ccc  c#  cFcc 
c$%c  Cc cc c#c  cc1# c c
#  c
 c   Cc #c c c c  c c c c 0c c c 
c  c 1
 Cc
1# c cc # c  cA c
c 
c  c c-c c
cFc

cc 
c   cc c c c
c cccc ccccc   c
9*c c  ! c"#c c c$%c c  cc
c

&c c  c c1c c# c 


c$%Cc c#cc1c- c# cFcc c
 c c  c c  c c   c c
-c c  c
c
 c   Cc  Cc
 # Ccc  cc1c1# c# c c

 c  cc 


 cHc#c c
 c 1# c c c c  Cc #c #c - c c c 

 c  #c 
c #c
#c c    c  c #c c
1 Ccc
c  c #c c c1c1# ccc0 
c 
c'c c-c
c
 c
  Cc   1 c  c A c    Cc c c  c c  c  c c  c
#
c  c
c

ë
c
 cc  
cÔ  c

  c c
 # c  c#cc,cc&7c  c  c # c # c  Ccc c
7%c 
c  c- c#c c
#c   c  c  c-c  c  cc # Ccc
c  c c
c c  <c  c - c -c c # c  c   c  c c -c - Cc #c  c
Ac

"
cc
ccÔ  c
'c c c  c  c # c  c  Cc #c -c c c  c c c  c 5 c
 # c - c  c A  c -c  c  c 6cHc #Gc   Cc #!c   c  c
#c-c #c#  cc Cc  c- c c-c&7c  c
c #c  Cc c-c cc
 c  c   c  c #c c # c c 
#c #c c  c c c
 c 1 c  c 
c c 7Bc  c #!c c  Cc c  c # c
c 1c #   c '
c #c c
c  Cc c c  c c  c# c c c c  c c  c#Gc1c1c c
 1# c # c c
cc c

cÔ  c
c
c
ccc
 cc
c 1 c -c c # c  c  c c c  c -c  c  c  c c - #c 
c c 
c c
  c c - c c  <Cc c c  c 7 c  c  c #  c  c c #c c  c
$%c7%c&1c c  c  c c # cc # c c# # c&c  c ccc  c
A Cc c - -c cc  cc  c- c c c# cc  c # c5-c
#c c
c c c  <c   c  c #c   R"   6c # c -c I c
Hc  c c $%c 7%c &1c c  c   c c c  Cc c c  c  c c  c
  c  c  c c c 'c c c # c c  Cc #c -c c c 
#c  c c c
c Cc-cc cA c1-c ccN0 0 Nc

 c  c  c
c  Cc  c A c #  c c  c 

 c c  c


c c  c
 # cc  c- #c0c c
c  c- Cc   <c  c c- cc  # c  c  c#  c c
cc
cc # CcN   Nc cc c#c#c c#c  # c  c c  c# c Cc
#c #c 1c 1c c #c c  c # 
c - # c c 

# +# c  c

cc 
c   cc c c c
c cccc ccccc   c
9/c c  ! c"#c c c$%c c  cc
c

A   # c   c  c  c 


Cc c  c #c c 1c c -c c

# c
c#c-c  Cc-c-c# cc  c c

c
 c c cc c c c c-c  c  c c # c c  cA c c # c
c   c  c cc c  c  c- ccc c #c5 6cCc c c-c
 c c c-c #cc#   c c# c  c c c- c# c c  c# cc c  c5c
 c6c1 -c cc c  c c  c  c ccc  -Ccc cc c
c cc c-c
c  cN  -NCc Gc1c c c c c c7 c c
c c c  cc c  c-c c#c c # c  c#c-c#c#c c

ë
cÔ#$%&%c cÔ 
cÔc
c
 c  c c c  c# cc' #c #cc c c c cL#cc# c %;%c cc
 Cc1# c
 c#c# c c c c  ,c

Õc c $cc
c c c c c  c cc  c c c c c
Õc c c 
c c c  c c  c  c c  # c c  c c
  c
Õc c cCc c  c cccc c c c c

Ê
 
cc#c'cc%
c cc
c(c
L#cc1 cc c
c  c# c1cc c c c  c- cc&1c1- cc
 c c c c c5 c:#ccc:#c*6c

Figure 5: Discovering the management key for a service namespace

&c  G c  1c c 


c  c   c c c c # Cc c  c A c
   c?# cc
-c c c c  c  c# Cc c cc c cc c c c
 %;%
c
c Cc c -cc:#c/c

cc 
c   cc c c c
c cccc ccccc   c
92c c  ! c"#c c c$%c c  cc
c

<configuration>
<appSettings>
<addkey="host"value="accesscontrol.windows.net"/>
<addkey="service"value="my-service-namespace"/>
<addkey="mgmtkey"value="UYQkjGhjgWtpSh70T14yBRyfxz6ceakmDS0WvhEL6uE="/>
</appSettings>
</configuration>c
c

Figure 6 : Configuring ACM.EXE

$-c#cc# c %;%c c  c# c c #c c c-c#  c cc Cc-c
 c  #c  c c G c  c 1c # c 1c c  $ c  c  %;%c  c c c - c
#c c 7%c &1c c 5 c  c  c 6c  c  c c 1c c  c  c
 Cc-cc c  c #c c c
cc7%c ,c

Õc " 56c
Õc  c
Õc   c
Õc  c

Ô
ccc
c c c   c 
c  # c  c #c c c c  Cc c -Gc  c - c ' #c :c  c
A Cc#c# c cc' #c- ccc  c#cc# cc c c5 cN  -Nc c
6c c cc c
c c: Cc#cc?#c %;%c c c- c
  c?#c
cc c cc' #c #c5:#c26c

>acm create issuer -?


ACS Tool - Microsoft Access Control Service Tool
Copyright (c) Microsoft Corporation. All Rights Reserved

create issuer -name:<name> -issuername:<issuername> (-key:<key>| -certfile |


-autogeneratekey)[-algorithm:<Symmetric256BitKey|X509>] [-service:<service>]
[-host:<host>] [-mgmtkey:<mgmtkey>][-simpleout]
name: Friendly name of the resource
issuername: The Issuer Name as passed in the token (not display name)
algorithm: Symmetric256BitKey or X509 (default: Symmetric256BitKey)
key: The signing key for ACS issued tokens
certfile: File location of the X509 (.cer) file
autogeneratekey: Autogenerates a signing key
service: Service namespace
host: Host of the management service
mgmtkey: Key used to authenticate with Managment Service
simpleout: Displays only the ID, not the full message, when creating
c

Figure 7: Built-in help in ACM.EXE

cc 
c   cc c c c
c cccc ccccc   c
94c c  ! c"#c c c$%c c  cc
c

L#cc c ccc c1c# c  c  Ac5c@%7+c7%H7 %c0(6Ccc


c#c
 c c
 c
c cc # Cc#cc cc c
c c1c#c %;%c- cc# $ c
c   c
c c  c  #c c -cc :#c 2c c  # c c  c c c
c
c # c1c c ccc' c # c1c Cc c#c# c 
cc
ccc c0
c  c cA c1# c ccc  Cc  c- c c
cc

acm create issuer -name:my-issuer

L#c# c c # cc #Cc-c c c#c


c c' #cc  c c-c#c #c c
# cc-c#c?# cc c# c  c #c:c   Cc  c cc0 #c c-c

acm create issuer -name:my-issuer -issuername:my-issuer

$-c #c # c 


c c Cc c  c  %;%c c  c c c c c #c 1
c $ c  c
 c c  c c 
# c  Cc c #c G c c c 
c c 0 c  c  c
A c c c cccc

acm create issuer -name:my-issuer -issuername:my-issuer -autogeneratekey

L#c c  c c Cc  Cc c  c   c c  c c c 
#c c
 %;%
c&c#c#c  cCc %;%c  ccccc  cc8c
Hc c c  c  c   c  c # c c   c 
c c ?# c  c Hc  c
 c 1c c # . c c - c c 
c c  c  c Cc c c c
 #cc# c
c#c  c c #,c

9c Hc c c cc  c  c c ccc  cc c
c c
c Hc c c c  c  c  c c?# cc- c c c cc596c

' G c  c c c  c


c#c-cc# c#c-c c c c
c# c %;%Cc
#c#c# c c c cc  c9c# c cA  c

 c   c c c c  # c  c #c c -c c c  c  Cc   c c
' #c #c# c ccc c c  c#c 
Ccc # c c' c
c c-c1I c c
 Cc-c  c c# c$ c  ccc
c c
-cA  Cc ccc c c c  c
 c #  c c
c  c 
c c L#c # c c  cc 1 c
c #c #c c c
# 
cc

>acm create issuer


-name:my-issuer
-issuername:my-issuer
-autogeneratekey
Object created successfully (ID:'iss_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33')c
c

Figure 8: Creating an Issuer resource using ACM.EXE

cc 
c   cc c c c
c cccc ccccc   c
9c c  ! c"#c c c$%c c  cc
c

c %;%cG c  c# c cCc#c# ccccc c1 c cc c c
c
c #,c

>acmgetall issuer
Count: 1
id: iss_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
name: my-issuer
issuername: my-issuer
key: ueh0xnVLw7y53mEGHNeMmDu6vjz8FqMNiMBFdkc/6JM=
algorithm: Symmetric256BitKeyc
c

 G cc  c c  -ScL#cc  ccc c#c c c  c' #c # cc
 c1 c c c- c cA  c
c # c-cc c?# cc c

Ô
cc c 
c
$-c  c - c- c Gc1c c c # Cc cA c  c c c c -c c# # c  cL#cc
 c1c ccc #c5:#c6Cc-c  c ccCccCccc # cc
 c c-c# c  c # c c # c c%A  Hc c
cc c  c c # c# c  c
c:c  cA Cc-c 
c=/c  c
c c # Cc c  c c-c1c1c cc
c cc# c c
c# c cc#c1
c cc cc1c c c c cc-cc

>acm create tokenpolicy


-name:my-token-policy
-timeout:3600
-autogeneratekey
Object created successfully (ID: tp_25da58a8125344e9905972d89cf4a072')

>acmgetalltokenpolicy
Count: 1
id: tp_25da58a8125344e9905972d89cf4a072
name: my-token-policy
timeout: 3600
key: 6wxMs7Il7jyssRmEKK4X/MluLIVp5XCCYxqC9Yt9lBg=
c

Figure 9: Creating a okenPolicy resource

c # c  c  c c    Sc ' c - c #c c c 

c # c  c 
c   c c
 #c c# c cc  c# c cA Cc c
c#ccc# G c  c1cc   c
c Cc
c  c# cccc cCc cc #c c# c c# c cA  c'
c#c  c c
# c ccc c#Cc c-cc c  c cc
?# c c1 c
 c  Cc1# c
#c  c -c  c c # 0 0 c 
 c 1# c c # c c # c
c c # c  c
 c  c #c  c -c c c 1c 
#c .c  c -Cc # c #c c - c
c c
 c# c
cc -c'cc   c G c  c 1c c  c  c # c c1c c
cc-c c54c# 6Ccc  c# c  c  cG c c  c
?# c: # c#c

cc 
c   cc c c c
c cccc ccccc   c
c c  ! c"#c c c$%c c  cc
c

cc  c  ccc c1c c1  Cc1# c#c-cc# cc  c c
 c
cc c5
c1c #   6c

8-c#c c c  c  c# Cc#c #c1c


#c c #c  cc c  cc#?#c
 cc- c ccc#?#cc #c c  c cc c'c 1c
c5  46c

c #  c  c    c 1# c  c - c #c c  c c --c 


c   # c
c  c
  Cc -c c  c  c c c c c c 5
c A Cc 1c   c c c
 c
cc  c# Ccc1c  cc c  6cc cc c  c
ccc c   c c# c# c c cA  c+  cI# c c # Cc c

 c  c  c   c  c c ?#c 8c
c c ?# c c #c Cc c  c
 #c   c
c  c
cc  c# c

Ô
cc c
 c  cCc c c#c  c -c  c c  c -c c  c
c 1c
#   c +# c - c c c Cc #c  c c 

 c   c 
c  # c  c c 

 c
# . c# cc c#cc c# .c c cc  c
c #cc

c
c c
 c #c c
c  c c  c 7 c  c c  c c  c c  c c c  c
'c cc ccc  c  cN  c# c c-c c c  Nc

&cc c?# cc c


c Cc c# c cc  ccapplies_toCc-c cc7'c  c
  c c #c c c c c c:cc c- c#  c   Cc c c# c1cc

c- c  > Ccc c c7'c c c #cc?# c c-c c# c  c cc
# c c  c  Cc c -c # c c # c
c  c  c c
#c # c c  c
c c  G c
c  c 7 c c  c c  #c 5 c  6Cc c #c c c c  c c c
 c - c c   c   c  c  c c 1 c 7'c 
c c Cc -c  c
 ,OO O "   c
c  cA c

c  c c cc7# c  c  c -c c #c c5cc  c 6cccCc-c


 c c-c c #c c c c  c  c  c c$ c  c#c# c# c c' c5 c c

c6c
c cc #c-c#cc c c c-c  c c#  c  c c
 c c 1c c  c  c Cc c 1c #c c  c c ' c
c c 1I c  c #c  c
# cc cc %;%c'
c#c
 c cc  Cc#cc- c# c c cc c cc c

cc # c
ccc  Ccc c c' c
c cc#c- c

>acm create scope


-name:my-scope
-appliesto:http://localhost/ACSGettingStarted
-tokenpolicyid:tp_25da58a8125344e9905972d89cf4a072
Object created successfully (ID:'scp_3fe16b4df862e0f361249656a62c60738206c3a2')c
c
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

c'#c c
#c7'c# cc?#c cT#c  cc c# c #  c
c  > c1# c
c
c# c
c  c Cc-c'Gcc c

cc 
c   cc c c c
c cccc ccccc   c
9c c  ! c"#c c c$%c c  cc
c

Figure 10: Creating a Úcope

Ô
ccc
L#c c #c # c - c  c  c c
#c - ,c N  c Cc  c # Nc  c  c  Cc  c  c c  c

 cCcc c- c1 cc# c7# c 1c cc
c- c 
 c # c
 c  c # # c  c :c c  c 7 c Cc c # c c c  c '
#c -c c
 -Cc#cc# c c cc-c?# cccc c1c c c cN  -Nc

c c #c  c'c cc #c1c1c c cc c c# c c c

B G c   c  c ccc c#c+ c- c#c# c c CcN'


c#cc c#c-c cc

c0 #Cc'Gc c#c  c c# c c c Nc'c Cc# cc
cc  c
c
 # c cc# # c cc-c  cc c  CcN'
cc # cc c
#c
c  c' #c- c
c#c
cG0 #GCc #cc# # cc
c  cG Gc- cc#c
cG GNc c-c # c
 c c #cc c- cc cc  c c 7 c cc Cc #c c c
?# c c c c # c c  -c
c 0 #$ c  c  7  cc c c
c
ccc
c  cN Nc- cc#c
cN Nc

7# cc c c- c7# c # Ccccc


# #c c
c c#cc1c1c c
cc7# c c#  c   c+# cc  c c Ccc  c cA cc7# Cc
c %;%c c c c
#c c c# cc c
# c7# c
c c  c

>acm create rule


-name:my-rule
-scopeid:scp_3fe16b4df862e0f361249656a62c60738206c3a2
-inputclaimissuerid:iss_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
-inputclaimtype:Issuer
-inputclaimvalue:my-issuer
-outputclaimtype:action
-outputclaimvalue:reverse
Object created successfully (ID:rul_d50d977a296c89d651d5687bcfcd9686156552f...)c
c

Figure 11: Creating a Rule

$ c  c c # cc  c c  c cN' #Ncc  c#c' #c cc cc  c  c c- c
1# c  c 
Cc c#  c  cc#c- cc  c
c  cN' #Nc-c  c
#c 
c c  c  c  c -c 
c c  #c c  c 5 c c  c  c A 6Cc c
#  ccc c
c c #c- cc  c c #c #c
c cc#c
#9c

c c  c c c  c  c-c c c cc #c cc''c  c  c c c c c
 c Cc c  c  c - c c  # c  c  c  c c 
c  c
c #c 5  c # c  c c
 cc #c 6Cc c#c #c# c  c c#c c  c cA c c  c- c
 cc c
c  c  c
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
9
c c-c# c cc#Gc
#c
c  c #c c c c G c  #cc  c c

cc 
c   cc c c c
c cccc ccccc   c
c c  ! c"#c c c$%c c  cc
c

Ô#c
c
cc
cÔ
c
$-c    c  c# c c  c cc #c  c
c c 7 c Cc G c c cAc c
 cc c c- c c?# c c?# cc c
c c"c  c  c  c#  cc c #c
c  c  c c # c c c  -Cc  c  c  c c  c c  c c # c  c c c
 -c c - c c 7'c 
c c c 5  > 6c c A  c c c c c c  #c  c
#  c  c  c  Cc c  G c #  c  c c c # c c  $ &1   c
5:#c96c

privatestaticstring GetTokenFromACS(string issuerKeySuppliedByCaller)


{
// request a token from ACS
WebClient client = newWebClient();
client.BaseAddress = string.Format("https://{0}.{1}",
serviceNamespace, acsHostName);

NameValueCollection values = newNameValueCollection();


values.Add("wrap_name", "my-issuer");
values.Add("wrap_password", issuerKeySuppliedByCaller);
values.Add("applies_to", "http://localhost/ACSGettingStarted");

byte[] responseBytes = client.UploadValues("WRAPv0.8", "POST", values);

string response = Encoding.UTF8.GetString(responseBytes);

return response
.Split('&')
.Single(value => value.StartsWith("wrap_token=",
StringComparison.OrdinalIgnoreCase))
.Split('=')[1];
}
c c

Figure 12: Requesting a oken from AC

: Cc c-c cc #  c c $cc


c c c&7c  c
c -c  ,c c c
c 
c  c c c c  c c  c  c c  c   --  c c c
 c# c-c#c  c  c- c0 0 Cc c c
#c&7c  c
c c
1 ,c

https://my-service-namespace.accesscontrol.windows.net/WRAPv0.8

&1   @# c  c c Hc c  c   Cc  c c   ,c - >Cc
- >  -Ccc  > cccc  -c
c c c #cc  c# cc Ccc c
 cc5-c %;%c c#  6c$ c-c c1 c7'c
c c c c  c
c c   > c  Cc c  c  c c
c c  c  c c A c  c # c c A# c c
 c  c
c# c

cc 
c   cc c c c
c cccc ccccc   c
=c c  ! c"#c c c$%c c  cc
c


cc
) c
' c c c  c
c c  c c N Nc c # c # c c  c 7'c
c   > c
71c  cc c- c#  c   ccc#  c  c
c# Ccc c  c c
c c- c  c c cc   ccc  c
c #c;Cc c- c cccc
c
 cc c
c;c51c  c  > c cc7'c  c-c c c  c
c;6c c c
 c - cc?# ccc #c
c  cL(c

7c  cc c&1cc cc1 cccc c


c c #c c c c$ c  c
 c
 cc c#c  c5-c c c c cccccc 6c1c c c
A c #c  c c  c # c
c   > c c c c ?# c # Cc c c c c c
A c7'c
c-c c c?# cc Ccc c#Gc c-c-cc c c 7 c
Cc  c cc
c c  c  c c c c
cc c" cc c- ccc
#c  c-#c1c c c
ccc cc#c'1Ac  c- c c c
c  c  c - c #c  G c  c c  #c 1c ?# c #c 1c
 c

- cÔc cc c*c


&c c c  c?# Cc c 
 c c
-c  ,c

9c : c c  #c  #c c c c  c - c  #c   c   c c
#c # cc- >c
c @
 c  c c #c # c c - >  -c   c c #c 
c c  #G c c
  99c
=c : c c 1 c  9c  c c c c  c 1 c c c 7'c # c c
  > c
)c 7# c c7# cc c c  c- cc c' #cc- c#c c c
c c
 #c #G c #c   c
*c  c c # c c cc c&1ccc  c c c- c ccc c
ccc c c  c
/c 7Bc c c cc  c c1c c c c

$ c  c
cc
c  c  c
c5
cA Cc c #cc  c c1c
#Ccc c #cc
 G c 6c I c c?# c'
c #
#cc c 7 cA Cc c  c-cc
 cc  c5 c&cc c  c c11 cc cUH<%$V6,c

wrap_token=[TOKEN]&wrap_token_expires_in=3600

c c c
ccc:#c9c -c-c c  c c # c
c  c  c< ccc  c
c c c c7Bcc c  c  Ccc-cc c1cc1
c1c  c c c c

%Ac c c #cc  c c c  ,c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
99
cc cc c c c # 0c   Cc-c c # ccc c  cc<c7c
9
c c c1 ccc 0 
Ac cc c1c  c c cA c cc c  c

cc 
c   cc c c c
c cccc ccccc   c
)c c  ! c"#c c c$%c c  cc
c

 c  c
' #c  ,OO0 0   --  O&74c
#c  ,OO O "   c
%A  Hc 9*/2/292c
8 8*/c 7/7"1**%: B'#+.=F=1" 9.*4Pc

c  c  c
c c c  c c  c c  c  c - Cc 1c c c  c c c -c  c
 c cc c%A  Hc c c  c'c  c  cA Cc c c cA c c c
 c  G c c c  c ?# Cc c G c c   # c
c Cc 1# c  c  c c  c 
c
 . c  c#c #c ccc-c1#c#c-c0#c c'
c#c- c c

c  c  c
cCc#c #cc c c c  c Cc c -cc

c
c cc c
# #c c c c c# c c  cc cc  ccc c c c
-c c   c # c - > >A  >c  c  c  c c  c  A c
#1c
c  cc c
# #c  c c c-cA Cc  c  c cc c

& c c c c Cc c  c  c -c c c c c c ' c  c  c 7Bc c
c cc
c cc c cc c# . ccc- c c?# c c c c
# c c&74c# . c c c  c#  c8c cc c Cc-c c  c
c-ccc c-cc A Cc-c c cc 1c c c cc cc c+# c#c
# c# c8c
c#c- c c  cc  c
ccc c  c ccc
#1c c' G c  c c c  c c?# c8c
cc?# c cc
c c  c
 c cc- c  c
cc c  c?# cc cc cc
c # c

privatestaticstring SendMessageToService(string token, string valueToReverse)


{
WebClient client = newWebClient();
client.BaseAddress = "http://localhost/ACSGettingStarted/Default.aspx";

string headerValue = "WRAPv0.8" + " " + HttpUtility.UrlDecode(token);

client.Headers.Add("Authorization", headerValue);

NameValueCollection values = newNameValueCollection();


values = newNameValueCollection();
values.Add("string_to_reverse", valueToReverse);

byte[] serviceResponseBytes = client.UploadValues(string.Empty, values);

returnEncoding.UTF8.GetString(serviceResponseBytes);
}c
c

Figure 13: Úending the Request and oken to the Úervice

c  c I c 
c  c c  c c  c 8c Hc 
c c &1c
c c c  7 c c
G cc c#c
c  ccA c
c c# . cCc-c c  c c#c c
c  c
c c c$ c cc c c0c  c c c1# c c c c #c

cc 
c   cc c c c
c cccc ccccc   c
*c c  ! c"#c c c$%c c  cc
c

cc7B0c
 cc# c1cc1
c1c  c c c cc c# . c
c

L#cc cc c  Cc1# c c cG cc c 


cc c  c  cc
 c  cA c c c c   c-c c?# cc c
c Ccc- c-c
cc  c
 c  cc cc c c  c   c #c c8 8*/c

Ôc
c
cc
 c
c
$A c-c-cAc- c c  c c #cc c# c c&cc?# c c c
 c  c
c
c c  c c c
c c # . c c $c Cc c Sc 
c #c # c c
# . cc5:#c9)6Cc c c  c

c c cN&74cNc 
Acc  c c
c

cc 
c   cc c c c
c cccc ccccc   c
/c c  ! c"#c c c$%c c  cc
c

protectedvoid Page_Load(object sender, EventArgs e)


{
// get the authorization header
string headerValue = Request.Headers.Get("Authorization");

// check that a value is there


if (string.IsNullOrEmpty(headerValue))
{
this.ReturnUnauthorized();
return;
}

// check that it starts with 'WRAPv0.8'


if (!headerValue.StartsWith("WRAPv0.8 ", StringComparison.OrdinalIgnoreCase))
{
this.ReturnUnauthorized();
return;
}

// check there is a ' ' between 'WRAPv0.8' and the token


// no other spaces allowed
string[] tokenValues = headerValue.Split(' ');
if (tokenValues.Length != 2)
{
this.ReturnUnauthorized();
return;
}

// the token is always the 2nd value


string token = tokenValues[1];

// create a token validator


TokenValidator validator = newTokenValidator(
this.acsHostName,
this.serviceNamespace,
this.trustedAudience,
this.trustedTokenPolicyKey);

// validate the token


if (!validator.Validate(token))
{
this.ReturnUnauthorized();
return;
}

// ...
c

Figure 14: Extracting a oken from the Authorization Header

Î

ccÔc c
'c c  7 c A Cc c  c  c c @ c  c # c c  c c c  c
 c c c
c$%c  Cc #c cc c
c c c?# c c c- c# 
c
c

cc 
c   cc c c c
c cccc ccccc   c
2c c  ! c"#c c c$%c c  cc
c

#c c # c c  c 


c 1  c $%c c 1#c #c c c @ c  c 5:#c
9*6 - c c
#c    c  c #c # c c c c  0 #c c 1
c  c  c  c
c  c   c 
c  c  c   Cc ' 8 @Cc  c   c c c  c 
c
c# c c$%c:-cc

publicbool Validate(string token)


{
if (!this.IsHMACValid(token,
Convert.FromBase64String(this.trustedSigningKey)))
returnfalse;

if (this.IsExpired(token))
returnfalse;

if (!this.IsIssuerTrusted(token))
returnfalse;

if (!this.IsAudienceTrusted(token))
returnfalse;

returntrue;
}
c c

Figure 15: Validating a oken Issued by AC

c
 c  c cc  #cCc-c c c c
c  c c  c
c c c-c
 c1c Cc cc c  c c c c c  #cc c c # c  c c  c

c c c G c 1c  c - c c  c - c  #' 8 @c  c c 8 8*/c
 #c
c c cc c  c c- c c G c c
c c cc# c8 c- c
c 8*/c  c  c  c c - c  c - c  %;%c c - c c c
 #c+c #c#c#  c cc
c  c  c c c cc  c
c#c c cc
cCc - c c-G c-c5 c:#c9/Cc1-6c

cA  cc  c -c #   c: Cc


cc c cc c5  c  ccc
8c  c 1 -c  c c 6Cc  c # c c c --c  c  c c 1c # c
Cc c#  cc cc
c
  c c c cc  cc c c
A  c Ccc# c #c #c c c c cc-c c- c
 c c

c #cc c c  c c #c  c  c c- c #c1c c


c#c c c
:cc  c   Cc c  c c  #ccc c#c
# c
c
 c c c- c cc c1c c

 c # cCc c#cc  cc


c
c c c1c
c c#c

c-c c  c
c c# G c c?# c5c c  > c  6c c cc c
c c c # c  c c c#ccc- c #c- c# c c
c c #c c
 c c #c c'c c 7 Cc cc  c # c  c c#c
c#c
  c c  c#cc c  c
c  c ,c ,OO O "   c

cc 
c   cc c c c
c cccc ccccc   c
4c c  ! c"#c c c$%c c  cc
c

Hc c c c Cc c c


c cc c c0c c  c  c c cc # c c c
c c'
c c
 Cc c c c$Hc 
c c  Cc1# c c c Cc
 #cc)9c# .c8c  # cc

publicpartialclass_Default : System.Web.UI.Page
{
string serviceNamespace = "replaceWithYourServiceNamespace";
string trustedTokenPolicyKey = "replaceWithYourTokenPolicyKey";
// ...
c

Figure 16: Úettings You'll Need to Update in the ÚtringReverser Úervice

'c  c
&
c 

c c Cc N'


c #Gc c c c  c  c #c G c c Cc c #c
#c c
c  c cc#1 NcL#c #cc cheavy keysc0c  c c  c
c

# c ccc c c cc# c#c Ccc # c c#  c  c
 c  # cc
c c  c # c ccc#c&(cc1# c c
 c  cc  c
c#c  c 1c c c c  c Ccc-c#cc # cc
Cc#cc c # cc c#c
cc?# cc- c-c- cc
c#c ccc #1c
c c c c  c   c  cc#c  c c#ccc #c# c  c c
ccc c# Cc c-c c1 71c- cc c
cc1c#c-c cc c
 c c  c #c c  - c  c 8c c  c  c -c  c  c c c  c c
c c - Cc c c I# c c c -#Cc c c c c #c 'c c  01 c -Cc
#c c c  c 1c c  c c #c Cc c # c 1c 
#c #c   c
#c 9=Cc#  c c#Ccc
#c c-c c c c#c c c Sc

c c c cc # c1# c  Cc c c #  cc


 #cckey rolloverc-c c
 ccc c c  Cc c- c
c -c  c
c  c,c# 0Ccc # 0c
'
c c
 c- c# 0Cc c c c- c # 0c% ccc1c# c
c c
&c #c #  c c  c Cc c c c
c c  #c  #C# 0c  c
 c  c c
# 0c1
c# 0c c- c- c c-cc c # c  cA c c-c
 #c c
# c c -c#Gc c c  c  c c c  c c #  c c Cc
1# c
c#Gc#c#  c#c Ccc -c c-cc1cc ccc c

L#cc c  cc c c  c5:#c926Cc-c - c c# c ccc


c # ccc
c#c c c# 0Cc#cc c-c G c
 c c c # 0
c1
c1c- c

ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
9=
c'
c #Gc # c $%c c 1#c #c Cc  c c #c c c c  c  c 
c #c
-1
c
cccCc c  c8H&Hc
c c  c3c  c# c

cc 
c   cc c c c
c cccc ccccc   c
c c  ! c"#c c c$%c c  cc
c

Figure 17: Key Rollover

 c cc c
 #Cc1# c#c ccc  c
cc# 0c cc  Cc#Gcc c#c
c #  c   c -c c   c #c c   c c # c 
c #c c  c
c
 c#  c-c c cc c # 0Ccc c c-c- c # 0c

G c
 c  c #c 7%c c  c c  c Cc  c  C#c  c 
c c  c c
c c  c #c c - c  c c # c c  c c  c  #c 1c  c c c
 # c c c#c c-ccc  Cc#Gc- c c  cc c c
 c c -c  c
c c c c,c# 0cc # 0Cccc ccc
 c  c  c -c -c #c c   c
 c  c c c  Cc -Cc c c c 1  c - # c
 # c c c cL#c #c # c c#  c c 1# c
c  c c

& # c#  cc c


c Cc#c c-cCc
cCc"# cc
c
#Gc c
c c?# c   c  c#c Cc#Gc cc c
c  c


cÔ
cc
cÔc
& c  c  c  Cc  c  c c - c c ?# c c c c
 c   c  - c
-c c c  7 c  c 1c L#c  c Hc c
c c  c #c -c c  #c
 -Cc c #Gc c  c - c #c c   c c   c  c 
c #   c c
# . c  c c  cc c7%c-c Cc# ccc  -c

+# c - c 
c #c - c c c  c c   Cc
c A c c   c c c c   c
c 5'6c #c  c  :c Cc -c  # c Bc  Cc c  c c -c  # c & (c Hc
1c#c- c c  c#c-c'c  c # cc&c  c c #(c cc #c
?# c c cCcc- c#cc-c

cc 
c   cc c c c
c cccc ccccc   c
=c c  ! c"#c c c$%c c  cc
c

%+
cc c cc c
71c c  c?# c
 c
c# ccc  -(cG cc c
 c
c c
c c c&1cc5&6c c c' c
c c- >cc- >  -Cc#c c
c&cc c- >&c  cc c-#c cc c1c
c c c c c  c
c
c#cc c#   cc1 c  c c c

9c  c?# c c


c c'Cc#   c c# c c c'cccc&c
c  c  c  c c c cc  cc c c1c# c- c c CcI# cc1
c
=c  c  c c c c c CcI# cc1
c

$ c  c cc

cc c  c c c c cc c c cc#c


cc# ccc
 -c 'c c c c  c -Cc #c # c  c  c c # c c 'c #Gc # c  c  c c 1c
 c c c ' #c c c c c - c c 'c c  c - c -c c c  c  c  c -c
 c8 
#c  c c c c1 cc
c c' #c #cc1 ccSc

$ c  c c ccc1 c  c cc c ccCccc c#c#c  c c c


 # cc

c
Cc c  cc  c=Cc c c c# c cc&c c
c cc c c-c cc
c c  c Cc1
cc # c  cL#c c G cc cc c #  c  c
Sc

%+
cc#,c c cc c
'
c#c- c c # c :cc cc  c Cc#c# c1c  c c # cBc  Cc c
& c Bc  c c c - c c  c Cc c #Gc c c ;*c c  
 c 
c c

 c Ccc c: c  c# c5-c1 c  c 6cHcCcI# c  c
# cc #cc Ccc # c c O  c# c c  c
c c #c #c c #c
cc  c c-c1c c7'c
c c
 c Cc-c c c  c
c c: c  c
# c

 :ccA   cc

 c   c
c  c
c #c # c  Cccc  c c G c
1c c c
c  c- Cc c c

# c c c- c c-cA  cc&7c  c  c # c


 c&1c c+# c c c-cA  cc&0# c  c c #  cHc-1c  c' G c
 c 
c c c  c  c #c c  :c c  c -c c 1c 1# c # c  
c $%Cc c

c -c 1c 1c c # c c &- c '  c :# c 5&':6c c ?# c  c
c  :c c
# c&0# c:#c94 - cc   c
cc  c c  Cc c cc  c#Gc cA  cc
c
 cc
# #c  c
c c <cc :cc  c

cc 
c   cc c c c
c cccc ccccc   c
=9c c  ! c"#c c c$%c c  cc
c

publicstaticstring GetSamlToken(SamlVersion samlVersion)


{
WSTrustChannelFactory trustChannelFactory =
new WSTrustChannelFactory(new KerberosWSTrustBinding(
SecurityMode.TransportWithMessageCredential),
new EndpointAddress(new Uri(Defaults.ADFSUrl)));

trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;

try
{
RequestSecurityToken rst = new RequestSecurityToken(
WSTrust13Constants.RequestTypes.Issue,
WSTrust13Constants.KeyTypes.Bearer);

rst.AppliesTo = new EndpointAddress(Defaults.ACSUrl);

switch (samlVersion)
{
case SamlVersion.SamlOneDotOne:
rst.TokenType = Microsoft.IdentityModel.Tokens
.SecurityTokenTypes.Saml11TokenProfile11;
break;

case SamlVersion.SamlTwoDotZero:
rst.TokenType = Microsoft.IdentityModel.Tokens
.SecurityTokenTypes.Saml2TokenProfile11;
break;

default:
thrownew ArgumentException("Passed unsupported value",
"samlVersion");
}
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory
.CreateChannel();

GenericXmlSecurityToken token = channel.Issue(rst)


as GenericXmlSecurityToken;

string tokenString = token.TokenXml.OuterXml;

return tokenString;
}
finally
{
trustChannelFactory.Close();
}
}c
c

Figure 18: Using WÚ- rust to obtain a ÚAML token from ADFÚ v2

$ c c c  c  c  c-cc?# ccbearer tokenc c c c  c


c c
 c c#  ccc ccc  c?# cc c c c #  c   c

cc 
c   cc c c c
c cccc ccccc   c
=c c  ! c"#c c c$%c c  cc
c

c # 586cHc#Gc c  c Cc#cc c c c ccAc


cc c
&1cc

Ê
c
cÔc
 c cCc  c c1 c c c  c
cc #c  c # c c&1c c
c  c  # c c &Cc #c c c -c  c #  c  c c  c  c c  c
. c c # c #c c  c  c I# c  c A c 
c   c
 Cc c   c
- c c
 c
c c

:c A Cc c #c - c c -c  c  c 5:1Cc
c A 6c c # c c
 7 c c c '
c :1c #  c  Cc cc  c c c  c c 
#c  c c
# c c # ccc c  c# cccc c c cc- c#cL#cc c
c' #c #cc0 0 c# c cc  c#c-c c- c:1L#cc


 c  c # c c # c    1 -c #c  c c :1c c -c # c &7c
  c -c  c  c  #c 1c c  c &7c   $ c  c c c  G c c c
c
c  c c c

# c c c#


-c
) -cc
c
&cc c?# cc c
c Cc c c?#c c c c #c c- c  c c c
 c c  c - c c
A1 c c -c #c  c # c #  c  c c c
 7 c c c  c 
c # Cc 1# c  c c  c A   c c c c  c 
c
 #c #c?#c

 c# c cc- c  c


c #c c1c c
 c   cc c cc  c5c  c c-c cc1  c cN  Nc c# c c

c  ccN NccN  N6:cA Cc#cccc c  c c

 c
# c  c c - c c # c  c  c  ,OO
1O # O # c c
 ,OO
1O # O  # c

c
 c c #Gc - c c c  c  #c  c  c  c # c  c c   > c 
c
 ,OO
1O # O # c 5c c c 
Cc # OU # 0V6 c 
c
 c c 1 c  c 
c c Cc  c c  7 c  c  c c Cc c  c
 cO  # c #c 
c c c ,OO
1O # O  # c
c  > c c c
#c c
A1 c c c 1c c c  c # c #  c   c  c c c  c 
c #c c
+#c#c c  c-c
c c1cc#Gc1c c#cc

'c  c
 c c  c c 1c  c  # c c A c c c L#c c  c c c
 c cc  Cc- cc  c7'c
c ,OO
1O # c c#  cc 0 
A0
 c c c cc c?# G c  > c  c cc  G c  c   ccc
 c c
c ,OO
1O # O  # c-#c c  c  cI# c
c

L#c c c


A1 c c c  c  c :c A c c c  c #c c  c #c - c c
# .c #  c 

 c  c c - c c c  c O # c c O  # c  # c c
#c L#c  c c -c   c  c  c c c 
c 7' Cc

cc 
c   cc c c c
c cccc ccccc   c
==c c  ! c"#c c c$%c c  cc
c

 ,OO
1O # O # c c  ,OO
1O # O  # c c  c
 G cc cc cCc1# c G cc cc  c7' c
c  > Cc1# c#c-c
c -c   c #c  c
c O # c c O  # c L#Gc c c c #  c #c c 
c #c
c c #c-cc   c  c c c G cc# c

+# c c- c  c c#c


c  > ccc G c c?# c c c#c
Cc c
c -c - c -c c
#c 7'c  c - c # c c  c c  c c  c  c Cc  G c
 c c c  c #c c #c c c  #c  c  c   c c ?# Cc 1# c AC cannot
control how a client uses a token once it's been issuedc '
c #c c c ?# c
c
 ,OOA O c1# c c7'cc#c  c ,OOA O  Cc#Gc1 c c
-c1
c c  c?# c

$ c  c-c   cccc 


c7'c c
c Cc#cc c#cc?#c
ccc  G c  c  cT#c c   cc#Cc-c-#c-cc
- c c 0 
Ac c c

c( c cÔc




c
   c  cc7' Cc
c  c c c# cA# c'c c c Ccc
c
 c c    c c 
c # c c 5 c   6c  c  c   c
 cc1cAcc c
# #cc  c  Cc
cA Cc c c1cc#c- cc
c
 c  Cc N 
c c  0   c   Nc ' c -#c c 1c
c c c c c 1c
 cc cc cc  cCc  1c1c c
cA c cc
c-Cc
1c
#c- c Sc

cc cÔ
-c#
c
c1# c
c 01 c  cc  c  cit allows your service to be loosely coupled to identityc
'c
c#c cc
c c- c#cc
#c c c-c#  c c c c 7 Cc

c
 c- c :cCc c c Ccc c c c
c c&1c Ccnone
of these changes require you to redesign, recode, recompile, or even reconfigure the StringReverser
servicec

c c-c  c  c  c#c,cvalidating tokens is cheapcc 7 c G c


c ccc'OHc c cc Cc'OHc-cc cA  c
c#Gc cc c#c' c c
 c c c 
c # c  1 c # c c  Ac   c 0c 8 8*/c  c ?# c
 c c
 # c'
c 7 c ccc  c
c## .c?# Cc c G c c#c cI c
c?#cc c- c  c  c?# c

cc 
c   cc c c c
c cccc ccccc   c
=)c c  ! c"#c c c$%c c  cc
c

c

 c c c


# #c 
c   Cc c &- c .#c 
c  c  c  c c  c -c c  c
 c+c cc 01 c c c  Cc#c c-c1
 c
c c cCc
c #c   c c -c c c c c -c 1# c -c c c c c #   c
#  Cc-c cc  ccA  c1#  c c1cc cc
# c  
c#c c1c
c#c5
c c6c
c#c# . ccc c  1  c-c1cc c
# #c c
 c #  cccc  c  cL#cc c  c c1c c  c  cc
1# c c c c c
cc c-c#   Sc



c c

8c c c  c c  c  # c  c #c  c


c 
#c  c #c c c 1# c
&- c.#c 
cc+# cc c  c

Õc c' # c c&- c.#c 


c :1c
c   c
pc  ,OO 
O
-O(B' P9*4==c
Õc c  ! c"#c cc+# cc&- c.#c 
c :1c
pc  ,OO 
O
-O(B' P9*4=)c
Õc c  ! c"#c c c  cc&- c.#c 
c :1c5this paper6c
pc  ,OO 
O
-O(B' P9*4=*c
Õc &- c.#c 
c
pc  ,OO--- 
O-- .#Oc
Õc c+# cc c  c  c
pc  ,OO  .#Oc
Õc &7cc&c 
  cc
pc  ,OO# O# O# 0- 0-c
Õc &- c'  c:# c5&':6c&   c
c   c
pc  ,OO- 
O-O2OOO21*9//0/40)9400
*1)/)O":-&   :    
c
Õc F# c ! c1c
pc  ,OO1  OI# I  Oc

 cc c

< c+-c cc 


#c
c#  Ccc c  
c$%c c c

c1 c0
 ccc c#  c< c c# c1 cc&- c # Ccc  c c
 c c c # c# c
cFcc $c. c< c c  cccc c
#  Cc c  c 
 Cc c c   c 1# c # c L#c c c c  c
 ,OO--- #  O c

cc 
c   cc c c c
c cccc ccccc   c
=*c c  ! c"#c c c$%c c  cc
c

 c

 c  c -#! c c 1c  1c - # c c # c  c
c F# c  c 
c  
c
8 c  c   c # c - c  c  c #c c  c c #c  c c  c
-    # c 8
Cc Fc BCc  c Cc c Ic  c  c  c -c c  c c
c c 
#c c c# Sc

cc 
c   cc c c c
c cccc ccccc   c