greg.qds

Reputation: 77

Azure WCF Service with Azure Active Directory Authentication

I know this question seems similar to others on here, but I have tried the answers posted here: Securing WCF 4.5 service using Azure ACS 2.0

And here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure

And neither seems to be relevant.

Here is what I have so far.

The WCF service will be used by a couple of different companies, but other than that it is closed off. We chose Azure Active Directory to provide SSO for the WCF service and other apps.

Here is what I want to do:

I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.

What I have done so far:

See option 1 here for more details. I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCF service to start using those settings.

Other Info:

Any relevant tutorial links or general advice would be great. Thanks in advance.

Update: Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using C# code, or post the data to a URL via something like curl if they are using PHP. The service has both REST and SOAP endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF method, or have them request an authentication token, and then send that authentication token with their request.

Update 2: I think I found the missing piece. In order to use Active Directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the Azure Active Directory account, but apparently that's not the case? Is there any way to do this without an ADFS server?

Upvotes: 3

Views: 5993

Answers (1)

astaykov

Reputation: 30903

The main question you haven't covered is how will these companies use that WCF service? Via your web portal, or via rich client (such as WinForms / WPF)?

If it is rich client, you can take a look at this blog post. It shows you how to secure WCF service with token and access that service from a WPF application.

If you plan to only allow access to the WCF service via your web portal, then the picture is a bit different. You can first protect your portal by Azure AD and get the user's token. Then use that token to authenticate against the WCF.

But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.

Upvotes: 0
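
The service-side check this answer describes, as an added example that is not code from the answer or from the blog post it links to: a WCF `ServiceAuthorizationManager` that rejects any call lacking a valid bearer service token and validates the forwarded user token for the audit trail. It assumes the `System.IdentityModel.Tokens.Jwt` NuGet package and JWT-format tokens; the class name, the `X-Original-User-Token` header and the two static parameter fields are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.IdentityModel.Tokens;

// Hypothetical class; register it on the service behavior with
// <serviceAuthorization serviceAuthorizationManagerType="..."/>.
public class BearerTokenAuthorizationManager : ServiceAuthorizationManager
{
    // Assumption: set once at startup with the tenant's issuer, the expected
    // audience and the issuer's signing keys (service token vs. portal user token).
    public static TokenValidationParameters ServiceTokenParameters;
    public static TokenValidationParameters UserTokenParameters;
    private const string UserTokenHeader = "X-Original-User-Token"; // hypothetical

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        object value;
        var props = operationContext.IncomingMessageProperties;
        if (!props.TryGetValue(HttpRequestMessageProperty.Name, out value))
            return false; // not an HTTP request, nothing to authenticate
        var request = (HttpRequestMessageProperty)value;

        string auth = request.Headers[HttpRequestHeader.Authorization];
        const string scheme = "Bearer ";
        if (auth == null || !auth.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false; // no service token presented

        try
        {
            var handler = new JwtSecurityTokenHandler();
            SecurityToken ignored;
            // Checks signature, issuer, audience and lifetime; throws on failure.
            var service = handler.ValidateToken(
                auth.Substring(scheme.Length).Trim(), ServiceTokenParameters, out ignored);

            // The user token is optional, but a forged or expired one fails the call.
            string user = "(none)";
            string userToken = request.Headers[UserTokenHeader];
            if (!string.IsNullOrEmpty(userToken))
                user = handler.ValidateToken(userToken, UserTokenParameters, out ignored)
                              .Identity.Name ?? "(unnamed)";

            Trace.TraceInformation("WCF call {0} by service {1} for user {2}",
                props.Via, service.Identity.Name, user);
            return true;
        }
        catch (Exception ex) // fail closed on any validation error
        {
            Trace.TraceWarning("Rejected WCF call: {0}", ex.GetType().Name);
            return false;
        }
    }
}
```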
