Web Single Sign-On using Windows Azure Access Control Service

What is ACS?

Access Control Service, or Windows Azure AppFabric Access Control Service (ACS), is a cloud-based service in Windows Azure that provides an easy way to authenticate and authorize users for access to web applications and services, while allowing authentication and authorization to be factored out of the application code. This simplifies application development and at the same time gives users the benefit of logging in to multiple applications with fewer authentications, and in some cases only one, thus enabling Single Sign-On.

The following features are available in ACS:

  • Integration with Windows Identity Foundation (WIF)
  • Support for popular web identity providers including Windows Live ID, Google, Yahoo, and Facebook
  • Support for Active Directory Federation Services (AD FS) 2.0
  • An Open Data Protocol (OData)-based management service that provides programmatic access to ACS settings
  • A Management Portal that allows administrative access to the ACS settings


Concepts

Windows Azure ACS is built on the principles of claims-based identity, which gives applications and services a common way to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.

The following figure shows how ACS authentication works with a web application:


How It Works

  1. The Client (say, a browser) requests a page/resource from the Resource Provider (RP). Here the RP is the web application that stores and holds the resource being protected by ACS.
  2. Since the Client is not an authenticated user (it has no valid session key associated with the RP web application), the RP redirects the Client to the trusted authority, which in this case is the ACS.
  3. The ACS provides a list of Identity Providers (IPs) for the user to select from in order to authenticate.
  4. The client browses to the IP's authentication page, which prompts the user to log on.
  5. After the client is authenticated, the IP issues a security token and redirects the client to the ACS.
  6. ACS validates the security token issued by the IP, feeds the identity claims in this token into the ACS rules engine, calculates the output identity claims, and issues a new security token that contains these output claims.
  7. The ACS redirects the Client to the RP along with the newly generated security token. The RP validates the signature on the security token issued by ACS, validates the claims in this token, and returns the page that was originally requested.


Prerequisites:


Configuration Steps:

  1. Create an ASP.NET Web Application in Visual Studio with sample .aspx files. Make sure the .NET application has an associated web.config file, which will be updated further during the ACS configuration. Test the web application by running it on the local/remote IIS server. This .NET web application will act as the Resource Provider (RP) shown in the diagram.
  2. Log in to the Windows Azure Management Portal with an active account and create an ACS (Access Control Service) service namespace.
  3. After the ACS namespace has been successfully created, configure the ACS to add Identity Providers (IPs). Add multiple IPs, such as Google and Windows Live ID, to grant access to your web application for users holding accounts at different institutions (IPs).
  4. Configure the ACS service to generate rules for copying the input claim types and values received from the IP directly into the output token, as explained earlier in the document. This step is required for ACS to create a new digitally signed token (after receiving the input token from the selected IP) which will be sent to the RP.
  5. Configure your .NET web application by adding an STS reference to the configured ACS service. This step requires the WS-Federation Metadata URI to be copied from the Application Integration page within the ACS Management Portal into the STS reference URI.
  6. The above step configures Windows Identity Foundation (WIF) in your ASP.NET web application by adding a reference to the Microsoft.IdentityModel.dll assembly.
  7. Modify the ASP.NET web.config file to validate the claims received from the ACS and to grant access to the pages/resources present in the web application.
  8. Rebuild and test the application. The user should now be redirected to the ACS page which lists all the IPs configured in the ACS. Once the user authenticates at one of the IPs, the user should have access to the web application pages (RP).
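The web.config changes that steps 5 to 7 produce are the part of this procedure that actually enforces the trust decisions described under "How It Works": which issuer's signature the RP accepts, which audience (realm) a token must be addressed to, and which pages require an authenticated user. The fragment below is an added example written for this page, not configuration taken from the original article or from an ACS sample; the namespace name contoso-acs, the realm http://localhost/AcsRp/ and the thumbprint are placeholders that you replace with the values from your own ACS Management Portal.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- Registers the WIF configuration section (Microsoft.IdentityModel 3.5, referenced in step 6). -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- Forms/Windows authentication is switched off; WIF's modules authenticate the request instead. -->
    <authentication mode="None" />
    <!-- Deny anonymous users ("?") on every page, so an unauthenticated request is redirected to ACS (step 2). -->
    <authorization>
      <deny users="?" />
    </authorization>
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>

  <!-- Same two modules for IIS 7 integrated pipeline. -->
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <microsoft.identityModel>
    <service>
      <!-- Audience restriction: a token is accepted only if it is addressed to this RP.
           Placeholder value; it must match the realm registered for the RP in the ACS portal. -->
      <audienceUris>
        <add value="http://localhost/AcsRp/" />
      </audienceUris>

      <federatedAuthentication>
        <!-- issuer: the ACS v2 WS-Federation endpoint of the (placeholder) namespace "contoso-acs".
             realm: the wtrealm value sent to ACS in the sign-in request (step 2).
             requireHttps: refuse to run the passive redirect over plain HTTP. -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://contoso-acs.accesscontrol.windows.net/v2/wsfederation"
                      realm="http://localhost/AcsRp/"
                      requireHttps="true" />
        <!-- The session cookie WIF writes after validating the token is only sent over TLS. -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>

      <!-- Signature validation (step 7): only tokens signed by the certificate with this thumbprint are trusted.
           The thumbprint is a placeholder; take the real one from the ACS Certificates and Keys page. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000"
               name="https://contoso-acs.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

When checking a deployed RP, the three settings worth verifying are the trustedIssuers thumbprint (it is what makes the RP reject tokens signed by anyone other than your ACS namespace), the audienceUris entry (a token issued for a different relying party fails validation even if it carries a valid ACS signature), and requireHttps/requireSsl (without them the sign-in redirect and the resulting session cookie travel in the clear). A step-7 configuration that omits the audience entry or leaves the issuer registry empty will still appear to work in testing while accepting tokens it should not.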


For a detailed walkthrough and a demo application, refer to How to Authenticate Web Users with Windows Azure Access Control Service.

For more information about ACS, see Access Control Service 2.0.

References: