Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure

鱼传尺愫 2021-01-22 10:14

I have made a simple WCF REST service, published it to Azure and activated SSL with an X.509 certificate.

I'd like to set up some authentication for this service as well.

1 answer
  • 2021-01-22 11:01

    Authentication, Authorization and identity federation are HUGELY complex subjects and should not be taken lightly. The reason security is a big, complex problem is that it's extraordinarily hard to get right!

    If you don't already have a great deal of experience in internet identity & security, don't try and roll your own auth mechanism: Correctly and securely implementing an authentication mechanism is very, VERY hard.

    For example, in your scenario above, you've not accounted for ensuring that the creds you pass in the HTTP header are anonymized for each site you want to present them to and that they expire after a period of time, that they cannot be replayed, that they cannot be synthesized by a malicious 3rd party, etc.

    I strongly encourage you to use a pre-existing authn mechanism and supporting framework. In fact, since you're an Azure user, the easiest way to add end-user identity federation to your site is to use the new authn features of Windows Azure Mobile Services.

    If you still want to learn more about identity and identity federation, I encourage you to research this subject before choosing the right type of authentication to use:

    Start with A Guide to Claims-Based Identity and Access Control (2nd Edition). This will give you most of the background and knowledge necessary to understand this subject sufficiently to make sound decisions.

    Once you've got a good grip on this subject, I recommend reading everything that Vittorio Bertocci has written over at http://cloudidentity.com.

    HTH.

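As an added illustration of the four properties the answer lists (this is example code, not from the question, the answer or Azure), a minimal bearer-token check shows what an authentication framework has to get right before a header credential can be trusted: the token is signed so a third party cannot synthesize it, bound to one audience so it cannot be presented to another site, time-limited, and single-use. The key, audience and timestamps are constructed values; a real service would validate tokens issued by its identity provider rather than issue them itself.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key. In a federated setup the verifier holds the
# identity provider's signing key and never issues tokens itself.
KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, audience: str, ttl: int, now: int) -> str:
    """Stand-in for the identity provider: claims + HMAC-SHA256 signature."""
    claims = {"aud": audience, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class Verifier:
    """Checks the properties the answer names, in the order a service should apply them."""

    def __init__(self, key: bytes, audience: str):
        self.key, self.audience = key, audience
        self.seen = set()  # jti values already accepted (replay protection)

    def verify(self, token: str, now: int) -> str:
        try:
            body, sig = token.split(".")
        except ValueError:
            return "malformed"
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return "bad_signature"   # forged or tampered with by a third party
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return "wrong_audience"  # credential meant for a different site
        if claims.get("exp", 0) <= now:
            return "expired"
        if claims["jti"] in self.seen:
            return "replayed"        # same token presented a second time
        self.seen.add(claims["jti"])
        return "ok"
```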