Posted by : Amber Monday, June 24, 2013

Windows Azure AD Access Control


Why do we need Azure Access Control?
It lets you manage access to your applications based on centralized policy and rules, and it ensures that consistent and appropriate access to your organization's applications is maintained to meet critical internal security and compliance needs. Windows Azure AD Access Control provides developers with centralized authentication and authorization for applications in Windows Azure, using either consumer identity providers or your on-premises Windows Server Active Directory.

Consider the following security knobs in a Windows Azure AD Access Control deployment. The information below is a digest of the ACS Security Guidelines and the Certificates and Keys Management Guidelines.
  • STS token expiration. Use the Windows Azure AD Access Control management portal to set an aggressive token expiration.
  • Data validation when using the Error URL feature. The Windows Azure AD Access Control Error URL feature requires anonymous access to the application page to which it sends error messages. Treat all data arriving at this page as untrusted and potentially dangerous.
  • Encrypting tokens for highly sensitive scenarios. To mitigate the threat of disclosure of the information carried in the token, consider encrypting the tokens.
  • Encrypting cookies using RSA when deploying to Windows Azure. WIF encrypts cookies using DPAPI by default. Because DPAPI keys are machine-specific, this creates server affinity and may result in exceptions when deployed to web farm and Windows Azure environments. Use RSA instead in web farm and Windows Azure scenarios.
  • Token signing certificates. Renew token signing certificates periodically to avoid denial of service. Windows Azure AD Access Control signs all security tokens it issues. X.509 certificates are used for signing when you build an application that consumes SAML tokens issued by ACS. When signing certificates expire, you will receive errors when trying to request a token.
  • Token signing keys. Renew token signing keys periodically to avoid denial of service. Windows Azure AD Access Control signs all security tokens it issues. 256-bit symmetric signing keys are used when you build an application that consumes SWT tokens issued by ACS. When signing keys expire, you will receive errors when trying to request a token.
  • Token encryption certificates. Renew token encryption certificates periodically to avoid denial of service. Token encryption is required if a relying party application is a web service using proof-of-possession tokens over the WS-Trust protocol; in other cases token encryption is optional. When encryption certificates expire, you will receive errors when trying to request a token.
  • Token decryption certificates. Renew token decryption certificates periodically to avoid denial of service. Windows Azure AD Access Control can accept encrypted tokens from WS-Federation identity providers (for example, AD FS 2.0). An X.509 certificate hosted in Windows Azure AD Access Control is used for decryption. When decryption certificates expire, you will receive errors when trying to request a token.
  • Service identity credentials. Renew service identity credentials periodically to avoid denial of service. Service identities use credentials that are configured globally for your Windows Azure AD Access Control namespace and that allow applications or clients to authenticate directly with Windows Azure AD Access Control and receive a token. There are three credential types that a Windows Azure AD Access Control service identity can be associated with: symmetric key, password, and X.509 certificate. You will start receiving exceptions once the credentials expire.
  • Windows Azure AD Access Control Management Service account credentials. Renew Management Service credentials periodically to avoid denial of service. The Windows Azure AD Access Control Management Service is a key component that allows you to programmatically manage and configure settings for your Windows Azure AD Access Control namespace. There are three credential types that the Management Service account can be associated with: symmetric key, password, and X.509 certificate. You will start receiving exceptions once the credentials expire.
  • WS-Federation identity provider signing and encryption certificates. Query the WS-Federation identity provider's certificate validity to avoid denial of service. The WS-Federation identity provider's certificate is available through its metadata. When configuring a WS-Federation identity provider, such as AD FS, the WS-Federation signing certificate is configured through WS-Federation metadata available via URL or as a file. After the WS-Federation identity provider is configured, use the Windows Azure AD Access Control Management Service to query it for the validity of its certificates. When the certificate expires, you will start receiving exceptions.
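The two points about aggressive token expiration and 256-bit symmetric signing keys for SWT tokens come together on the relying-party side. As an added example (not code from this post, from ACS or from WIF), the script below issues a Simple Web Token the way the STS does and then validates it: signature first, using a constant-time comparison, then issuer, audience and ExpiresOn. The issuer and audience URLs and the key material are assumptions constructed for the example; a real key comes from the ACS portal.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Assumed values for this example only; they are not taken from the post.
ISSUER = "https://example-namespace.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/relyingparty/"


def demo_signing_key() -> bytes:
    """Constructed 256-bit symmetric key (ACS SWT signing keys are 256-bit).
    A real key is taken from the ACS portal, never from a hard-coded string."""
    key = hashlib.sha256(b"constructed demo secret, not for production").digest()
    assert len(key) == 32
    return key


def issue_swt(key: bytes, claims: dict, lifetime_seconds: int, now: int = None) -> str:
    """Build an SWT: form-encoded claims, an absolute ExpiresOn in Unix seconds,
    and a trailing HMACSHA256 computed over everything before it."""
    now = int(time.time()) if now is None else now
    fields = dict(claims)
    fields["Issuer"] = ISSUER
    fields["Audience"] = AUDIENCE
    fields["ExpiresOn"] = str(now + lifetime_seconds)  # short lifetime = aggressive expiration
    unsigned = urlencode(fields)
    sig = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    # The signature travels base64-encoded and then URL-encoded.
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(sig).decode("ascii"), safe="")


def validate_swt(token: str, key: bytes, now: int = None, clock_skew_seconds: int = 0) -> dict:
    """Relying-party check. Raises ValueError on any failure, returns the claims on success."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token is not signed")
    unsigned, encoded_sig = token[:idx], token[idx + len(marker):]
    try:
        sig = base64.b64decode(unquote(encoded_sig), validate=True)
    except ValueError:
        raise ValueError("malformed signature")
    expected = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch (wrong, rotated or expired signing key)")
    # Only after the signature holds do we trust the claim values at all.
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != AUDIENCE:
        raise ValueError("unexpected audience")
    try:
        expires_on = int(claims.get("ExpiresOn", ""))
    except ValueError:
        raise ValueError("missing or malformed ExpiresOn")
    if now - clock_skew_seconds >= expires_on:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, now: int = None) -> bool:
    """Boolean wrapper around validate_swt for callers that only need accept/reject."""
    try:
        validate_swt(token, key, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = demo_signing_key()
    token = issue_swt(key, {"name": "alice", "role": "reader"}, lifetime_seconds=300, now=1_000_000)
    print(validate_swt(token, key, now=1_000_100))                                   # accepted
    print(is_valid(token, key, now=1_000_400))                                        # expired
    print(is_valid(token.replace("name=alice", "name=mallory"), key, now=1_000_100))  # tampered
    print(is_valid(token, key[::-1], now=1_000_100))                                  # wrong key
```

The ordering inside validate_swt is the point: a token whose signature does not verify is rejected before any of its claims are parsed, and an otherwise valid token is rejected the moment ExpiresOn passes, which is exactly what an aggressive expiration setting buys you. The signature-mismatch branch is also what you will see when the symmetric signing key in ACS has expired or been rotated without the relying party being updated, which is why the post asks you to renew keys ahead of time.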
