Introducing Windows Azure- P32 pptx

CHAPTER 4 ■ WINDOWS AZURE APPLICATION INTEGRATION USING WCF

Figure 4-8. Metadata and WSDL retrieved from the WCF service

In Chapter 7 we are going to discuss hosting workflow services in cloud-based development.

Summary

In this chapter I introduced the concept of integrating applications using WCF and Windows Azure. WCF is a powerful tool for writing enterprise-class applications, and it makes loosely coupled applications easier to write and manage. Add to that the benefits of Windows Azure, and there are plenty of possibilities. A lot of the intricacies of WCF and Azure are beyond the scope of this book, so I simply showed you how to host a WCF service in the cloud. I demonstrated how other .NET applications (and even Java applications) will be able to take advantage of your cloud-based WCF services.

CHAPTER 5 ■ Azure .NET Services—Access Control

Azure .NET Services contains a collection of three services: .NET Service Bus, .NET Workflow Service, and .NET Access Control Service. .NET Access Control Service is the core service: it provides endpoint registration and access-rule services not only to the other two services in the collection but also to SQL Azure (an additional service in the Microsoft cloud-based service family, covered in Chapter 8) for accessing the cloud. To submit any application to the cloud you must go through the .NET Service Bus, and the .NET Service Bus relies on the .NET Access Control Service to secure access to cloud applications through a claims-based model. .NET Service Bus, the partner service of the Access Control Service, significantly simplifies the communication between applications and their clients. With .NET Service Bus, an application no longer needs to resolve the endpoint IP address of an organization itself; instead it uses the address provided by the .NET Service Bus.

At the time of this writing you cannot yet intuitively manage the registered endpoint address from the .NET Access Control Service, meaning that you have no direct access to modify the low-level data of the .NET Access Control Service. The .NET Access Control Service is built on WCF services; you just need to specify the type of federation in the configuration files. In this chapter, after an introduction to the .NET Access Control Service, we provide exercises showing how to use WCF services in conjunction with the Azure portal, instead of using the Azure Service Management Tools, to manage the .NET Access Control Service for cloud-based applications.

Working with the .NET Access Control Service

With the .NET Access Control Service, cloud-based applications or on-premises applications can federate authentication information and allow services to be called across the firewall. Whether the Azure application uses a security directory system, such as Active Directory, or any standards-based infrastructure, the application responds as if the user's account were managed locally. Because the .NET Access Control Service can be used from ordinary programming frameworks and web protocols, it offers an easy way for you to integrate an application with different platforms and architectures.

For most distributed applications, identity is a fundamental issue. The application needs information about its user to determine what that user is allowed to do. Imagine that a single company has tens or hundreds of applications or services, each application has its own private store of user identities, and each store needs a particular approach to authentication. This turns out to be not only very expensive for a company to maintain but also extremely tedious work for application development and integration. The .NET Access Control Service provides an attractive approach to solving this problem.
The concept uses a claims-based identity model, which allows the common features of authentication and authorization to be provided by an external service. To reach that goal, applications exchange Security Assertion Markup Language (SAML) tokens. Each SAML token carries a piece of information about a user: for instance, one token contains user name information, while another token contains user role information. Tokens are generated by a program called a Security Token Service (STS).

However, there is another challenge for this approach to address. A SAML token may contain claims that the application is not expecting, and the application may have no reason to trust the service that generated the token. A solution is to involve another STS in the process to ensure that all SAML tokens carry the correct claims, and to perform a transformation that converts the incoming SAML token into an application-trusted token according to the rules defined for the transformation. To ensure tokens are generated by a trusted STS, the .NET Access Control Service uses a federation mechanism to establish a trust relationship between the new STS and the one that generated the token; it runs the STS from the cloud to do the federation.

Figure 5-1 shows how the .NET Access Control Service provides claims transformation and identity federation. Figure 5-2 is a screenshot taken with the Azure Services Management Tool. From this screenshot we can see that two default rules have been assigned to each Azure development account. The claim name is "Action," with two associated values, "Listen" and "Send."

[Figure 5-1 diagram: participants STS, Rules, ASP page, application, web service; steps 1. Retrieve WSDL, 2. Request SAML token with SAML token, 3. New SAML token generated, 4. Send SAML token]

Figure 5-1. Logic flow for the Access Control Service showing how it provides rule-based claims and identity federation

Figure 5-2. Screenshot of the rules currently assigned to my Azure development account using AzureServiceMMC

Build Your First Cloud Application Using the .NET Access Control Service

In this exercise, we are going to build a very simple WCF service, which supports duplex communication between server and client, and host it in a Windows console application. A local console application is the simplest way to host a service, so we use one as our host to prove the concept.

■ Note The code for this example is in the Exercise 5-1 bundle from the code download.

1. Create a WCF service library project, WCFServiceLibrary. For this simple example, there is only one operation contract defined, PingServer, which accepts a string parameter posted from the client application. The implementation for this operation contract is very straightforward, as shown in Listing 5-1; it simply returns the posted message back to the client. (Note that the attribute of the service declaration uses a namespace. A namespace can be given a hierarchical structure, and there is no restriction on the number of levels or on naming conventions. A Relay sublevel has been defined in the namespace in this example for us to reuse when we deal with the relay bindings.)

Listing 5-1. WCF Service Contract Interface IAccountFederationService

```csharp
// Service contract
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;

namespace AzureForDotNetDeveloper.DotNetService.ServiceBus.WCFServiceLibrary
{
    // The Relay sublevel of the namespace is reused later with the relay bindings.
    [ServiceContract(Name = "IAccountFederationService",
                     Namespace = "http://SoftnetSolutions.com/ServiceModel/Relay/")]
    public interface IAccountFederationService
    {
        [OperationContract]
        string PingServer(string message);
    }
}
```

```csharp
// Service implementation
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;
using System.Diagnostics;

namespace AzureForDotNetDeveloper.DotNetService.ServiceBus.WCFServiceLibrary
{
    [ServiceBehavior(Name = "AccountFederationService",
                     Namespace = "http://SoftnetSolutions.com/ServiceModel/Relay/")]
    public class AccountFederationService : IAccountFederationService
    {
        // Echoes the client's message back, prefixed with the service instance's type name.
        public string PingServer(string message)
        {
            string results = string.Format(
                " {0}:PingServer, message received from client : {1}{2}",
                this.ToString(), Environment.NewLine, message);
            return results;
        }
    }
}
```
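The claims transformation and federation described earlier in this chapter (Figure 5-1, and the default Action rules of Figure 5-2), as an added illustration that is not code from the book or from the .NET Access Control Service: a minimal STS that accepts claims only from federated issuers, applies transformation rules, and issues an application-trusted token. It assumes C# 9 or later (records); the issuer URLs, the Role input claim and the Transform/Allows helpers are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// A claim is one piece of information about a user, stamped with the STS that issued it.
public sealed record Claim(string Issuer, string Type, string Value);
// A transformation rule: an input claim (type, value) from a federated STS yields an
// output claim (type, value) in the application-trusted token.
public sealed record Rule(string InType, string InValue, string OutType, string OutValue);

public static class ClaimsTransformer
{
    // Builds the application-trusted token. Claims from issuers outside the federation are
    // discarded, an accepted claim reaches the application only through a matching rule,
    // and every output claim is issued by this STS, so the service has one issuer to trust.
    public static List<Claim> Transform(IEnumerable<Claim> token, ISet<string> federatedIssuers,
                                        IEnumerable<Rule> rules, string thisSts)
    {
        var accepted = token.Where(c => federatedIssuers.Contains(c.Issuer)).ToList();
        return rules
            .Where(r => accepted.Any(c => c.Type == r.InType && c.Value == r.InValue))
            .Select(r => new Claim(thisSts, r.OutType, r.OutValue))
            .ToList();
    }

    // What the service checks before honouring a call: an Action claim from the STS it trusts.
    public static bool Allows(IEnumerable<Claim> token, string trustedSts, string action) =>
        token.Any(c => c.Issuer == trustedSts && c.Type == "Action" && c.Value == action);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: the issuer URLs are placeholders, not real endpoints.
        const string corpSts = "https://sts.contoso.example";  // the organization's own STS
        const string acs = "https://accesscontrol.example";    // the STS run from the cloud
        var federated = new HashSet<string> { corpSts };
        var rules = new[] {   // outputs are the Figure 5-2 defaults (Action = Listen / Send); the Role input is constructed
            new Rule("Role", "Developer", "Action", "Listen"),
            new Rule("Role", "Developer", "Action", "Send") };
        var incoming = new[] {
            new Claim(corpSts, "Role", "Developer"),
            new Claim(corpSts, "Department", "R&D"),                // no rule: not forwarded
            new Claim("https://rogue.example", "Action", "Send") }; // not federated: dropped
        var output = ClaimsTransformer.Transform(incoming, federated, rules, acs);
        foreach (var c in output) Console.WriteLine($"{c.Type}={c.Value} from {c.Issuer}");
        Console.WriteLine($"client may Send: {ClaimsTransformer.Allows(output, acs, "Send")}");
    }
}
```

The output token contains only the two Action claims issued by the cloud STS; the unexpected Department claim and the Send claim from the non-federated issuer never reach the service.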

Posted: 05/07/2014, 01:20
