auth


I talked earlier about Cloud Services. Many vendors, like Amazon, Rackspace, etc., are used more for consumer services, and enterprises are generally wary of clouds. Part of that is inertia (having to come up with a process for doing things differently) and may be baseless; part of it is valid: security (authenticating against Active Directory) and not wanting to hand over services that would no longer be fully under the business's control, since those services may be the business's core or its IP.
But the result is big savings, so it is worth looking into.
So, understand and address all the inhibitions to moving to a cloud.

Now, the solutions for these are quite vendor-specific (Azure might have them, while Amazon may not), so I’ll mainly talk about Azure.
I mainly see 2 hurdles in using Azure viz.
1. Authentication
2. Proprietary (in-house) Services

In the case of authentication, IT cannot really move the entire Active Directory to the cloud (and should not), which means we need federated, or third-party, authentication between Azure and our company (so called because Azure does not authenticate the user itself; it trusts a token issued by an authority it has been configured to trust).
That is, a user uses the application hosted in Azure, but has to authenticate first, and this is done externally on the company's premises (known as on-prem).
This is known as an on-prem/off-prem solution in industry parlance.

For this, we can use WCF with the Azure Service Bus.
From the Azure website:

Think of the Service Bus as a relay between Azure and your company: the on-prem service opens an outbound connection to the Service Bus (so no inbound firewall port needs to be opened), and code running in Azure sends requests through that relay.
So, via this mechanism, Azure can call back into your company, which addresses both the authentication issue and the services issue.

This also means that you need modular services that can be called by someone, which is anyway a good goal to have.
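To make the on-prem/off-prem split concrete, here is an added example (my own, not code from the original post or from Azure) that simulates the two parties in one process: an on-prem identity provider that checks the password against its directory and issues a signed token, and a cloud application that never sees the password and only validates the token's signature, issuer, audience and expiry. The token format (base64 JSON plus an HMAC), the shared key, the user records and the issuer/audience URLs are all constructed for the example; a real STS such as AD FS signs a SAML or JWT token with an X.509 key instead.

```python
"""Hybrid (on-prem / off-prem) authentication, simulated in one process.

The on-premises identity provider (stand-in for AD FS or a custom STS) checks
the user against its own directory and issues a signed token.  The cloud
application never sees the password: it only verifies the token's signature,
issuer, audience and validity window.  The token format here is a simplified,
illustrative one (base64 JSON + HMAC), not the WS-Federation/SAML format a
real STS emits.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Shared signing secret agreed out of band (assumption for the demo; a real STS
# signs with an X.509 private key and the cloud app verifies with the certificate).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://sts.corp.example"       # on-prem STS (hypothetical name)
AUDIENCE = "https://app.cloud.example"    # cloud application (hypothetical name)
TOKEN_LIFETIME = 300                      # seconds


class OnPremIdentityProvider:
    """Holds the corporate directory; the only party that ever checks passwords."""

    def __init__(self, users):
        # users: {name: (salt, sha256(salt + password))}  -- constructed test data
        self._users = users

    def issue_token(self, username, password, now=None):
        now = int(now if now is not None else time.time())
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return None                         # wrong password: no token
        claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": username,
                  "iat": now, "exp": now + TOKEN_LIFETIME, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class CloudApp:
    """Relying party hosted off-prem: trusts tokens from ISSUER, never handles passwords."""

    def validate(self, token, now=None):
        """Return the subject (username) if the token is acceptable, else None."""
        now = int(now if now is not None else time.time())
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                         # tampered or forged
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            return None                         # wrong issuer, or a token meant for another app
        if not (claims["iat"] <= now < claims["exp"]):
            return None                         # expired or not yet valid
        return claims["sub"]


def make_user(password):
    """Create a salted directory record for the constructed test directory."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def demo(now=1_700_000_000):
    """Exercise the four interesting cases and return their outcomes."""
    idp = OnPremIdentityProvider({"alice": make_user("correct horse")})
    app = CloudApp()
    good = idp.issue_token("alice", "correct horse", now=now)
    results = {
        "bad_password": idp.issue_token("alice", "wrong", now=now),
        "valid": app.validate(good, now=now + 10),
        "expired": app.validate(good, now=now + TOKEN_LIFETIME + 1),
    }
    # Tampering: rewrite the subject claim but keep the old signature
    body, sig = good.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["sub"] = "admin"
    forged_body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    results["forged"] = app.validate(forged_body + "." + sig)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from this is the trust boundary: the only secret the cloud side holds is the verification material, and every check (signature, issuer, audience, time window) happens before the subject claim is believed. Dropping the audience check is the classic mistake; it lets a token issued for one relying party be replayed against another.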

For your IT department's benefit, Azure also provides the following features:

Virtual Machines— Allows you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud.
Existing workloads such as Microsoft SQL Server or Microsoft SharePoint can be migrated to the Cloud.
Use your own customized Windows Server or Linux images, or select from a gallery.

Windows Azure Virtual Network— Lets you provision and manage virtual private networks (VPNs) in Windows Azure, as well as securely extend on-premises networks into the cloud.
It provides control over network topology, including configuration of IP addresses, routing tables and security policies, and uses the industry-standard IPsec protocol to provide a secure connection between your corporate VPN gateway and Windows Azure.

Availability in New Countries— As of now (May 2013), availability is expanded to 48 new countries, including Russia, South Korea, Taiwan, Turkey, Egypt, South Africa, and Ukraine, making Windows Azure one of the most widely available cloud platforms in the industry with offerings in 89 countries and in 19 local currencies.

Here are details, and an example for you as a developer – http://www.windowsazure.com/en-us/develop/net/tutorials/hybrid-solution/

So, the Cloud is not only for consumer services, and with a little planning, Enterprises can use it as well.


OAuth is an open protocol that provides an authorization mechanism for clients (third parties) to access resources on a server, after being given permission by a user.
For example: you have photos on a photo-sharing site (the server), and you (the user) permit a social networking application (the third party) to access and display those photos.

OAuth requires the server to authenticate the user before it presents the option to let the user authorize access to the resources.

OAuth is used more in B2C scenarios, and the third party sits between the user and the server. This basic three-party scenario is called the OAuth "love triangle", and there can be several servers involved in the middle (called hops) when authentication is itself delegated onward.
http://oauth.net/ has all the details.

OAuth is implemented by a number of vendors, like Facebook, Twitter, etc., and is usually used in an application that integrates with these third parties. These are the "authorities" that issue access tokens and later accept them to verify access.

If you have an integration with a third party which implements OAuth, you could avoid authenticating your user yourself and just rely on the third party. The assumption here, of course, is that your user is registered on the third-party provider's website (and note that OAuth itself grants access to resources; using it as a "log in with X" mechanism is a convention layered on top of it, so treat the identity you get that way with the care the provider's documentation asks for).
If you need to, your website can also implement OAuth and be an authority that grants access rights to third parties.
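The photo-site scenario above, worked through as an added example (mine, not code from the original post or from any provider) of the OAuth 2.0 authorization-code grant, the flow a web application uses today. The photo site plays both authorization server and resource server, the social network is the registered client, and HTTP calls are replaced by method calls carrying the same parameters. Client id, secret, redirect URI, scope name and the photo list are all constructed for the example. It also shows the checks that make the triangle safe: the redirect URI must match the registration, the client must present its secret at the token endpoint, the `state` value must match the session that started the login, and an authorization code is single-use.

```python
"""OAuth 2.0 authorization-code grant among the three parties (the "love triangle"):
the user (resource owner), the photo site (authorization server + resource server)
and the social-network app (client).  Runs in one process; every name, URL and
credential below is constructed for the example.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 60        # seconds an authorization code stays valid
TOKEN_LIFETIME = 3600     # seconds an access token stays valid


class PhotoSite:
    """Authorization server and resource server for the user's photos."""

    def __init__(self, now):
        self.now = now
        # Registered clients: client_id -> (client_secret, allowed redirect URIs)  -- constructed
        self.clients = {"socialnet": ("s3cret", {"https://social.example/cb"})}
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}    # constructed resource data
        self.codes = {}     # code  -> (client_id, user, redirect_uri, scope, expires)
        self.tokens = {}    # token -> (user, scope, expires)

    # --- authorization endpoint: reached by the browser after the site logged the user in ---
    def authorize(self, authenticated_user, params, user_consents):
        cid, redirect = params["client_id"], params["redirect_uri"]
        if cid not in self.clients or redirect not in self.clients[cid][1]:
            raise ValueError("unknown client or unregistered redirect_uri")  # blocks open redirects
        if not user_consents:
            return redirect + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (cid, authenticated_user, redirect, params["scope"], self.now + CODE_LIFETIME)
        return redirect + "?" + urlencode({"code": code, "state": params["state"]})

    # --- token endpoint: server-to-server, the client authenticates with its secret ---
    def token(self, client_id, client_secret, code, redirect_uri):
        entry = self.codes.pop(code, None)            # single use: a replayed code is gone
        if entry is None or self.clients.get(client_id, (None,))[0] != client_secret:
            return None
        cid, user, redirect, scope, expires = entry
        if cid != client_id or redirect != redirect_uri or self.now >= expires:
            return None                               # code issued to someone else, or stale
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, scope, self.now + TOKEN_LIFETIME)
        return tok

    # --- resource endpoint: bearer token must be live and carry the needed scope ---
    def get_photos(self, bearer_token):
        entry = self.tokens.get(bearer_token)
        if entry is None or self.now >= entry[2] or "photos.read" not in entry[1].split():
            return None
        return list(self.photos[entry[0]])


class SocialNetwork:
    """Third-party client; binds each callback to the browser session that started it."""

    def __init__(self, site):
        self.site = site
        self.sessions = {}  # session id -> state value awaiting a callback

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = state
        return {"response_type": "code", "client_id": "socialnet",
                "redirect_uri": "https://social.example/cb",
                "scope": "photos.read", "state": state}

    def callback(self, session_id, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected = self.sessions.pop(session_id, None)
        if expected is None or q.get("state") != expected:
            return None                               # CSRF or a callback for another session
        if "code" not in q:
            return None                               # user declined
        return self.site.token("socialnet", "s3cret", q["code"], "https://social.example/cb")


def run_flow(consent=True, now=1_700_000_000):
    """Run the whole triangle once; return (photos the client got, result of replaying the code)."""
    site = PhotoSite(now)
    app = SocialNetwork(site)
    params = app.start_login("sess1")
    redirect = site.authorize("alice", params, consent)   # user already logged in at the site
    token = app.callback("sess1", redirect)
    photos = site.get_photos(token) if token else None
    code = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}.get("code")
    replay = site.token("socialnet", "s3cret", code, "https://social.example/cb") if code else None
    return photos, replay


if __name__ == "__main__":
    print(run_flow())
```

Notice that the user's password never reaches the social network; it only ever holds a short-lived code and then a bearer token scoped to `photos.read`. The same structure is what you would implement if, as the post says, your own website became an authority for third parties.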

Other possibilities that involve third-parties for verifying a user include:

– Active Directory Federation Services (AD FS) – This is Microsoft's federation service, which provides single sign-on for web applications by issuing security tokens over the WS-Federation and SAML protocols. You can read all about it here: http://technet.microsoft.com/en-us/library/cc736690(WS.10).aspx
Microsoft Passport (later Windows Live ID) is an example of such an identity provider.

– LDAP – http://www.gracion.com/server/whatldap.html; a directory access protocol, usually used by programs to look up users and groups and to authenticate by binding with the user's credentials, and for lower-level resource access like printers, etc.

– OpenID – There are many providers, including Google, Yahoo and Flickr, that support OpenID as a standard way to authenticate users on the web.

– WS-Trust and WS-Federation – Used more in enterprise scenarios: a provider of information, such as a healthcare company or a bank, can be an authority and use WS-* to allow third parties access to the data. Read about it here: http://msdn.microsoft.com/en-us/library/bb498017.aspx

Hope this and the previous post give you some possibilities to think about when it comes to authentication and authorization on your websites and applications.