Windows Azure AppFabric Deep Dive: Service Bus and Access Control
Microsoft Corporation
Session Objectives
- Scenario explanation and example
  - Eventing
  - Service remoting
  - Tunneling
- Drill into the Access Control Service
- Tips and tricks
  - Firewall configuration
  - Hosting Service Bus endpoints in Windows Azure
  - Security
- The AppFabric Labs environment
AppFabric Service Bus
Three Common Patterns
- Eventing: one-way communication, unicast or multicast, immediate or temporally decoupled
- Service remoting: RPC-style, request/response or duplex; contracts, schemas, structured data
- Tunneling: full-duplex tunneling of raw streams (TCP, pipes, proxies, ...)
Eventing
- 1:N communications
  - 1 client transmits a message to the Service Bus
  - The Service Bus relays the message to N clients
- One-way messaging
  - Unicast: broadcast to a single listener
  - Multicast: broadcast to multiple listeners
- Buffering
  - Transient storage for messages
  - Supports occasionally disconnected clients
Eventing: notify remote parties of events. The sender transmits information to listeners; events are distributed unicast or multicast.
[Diagram: a Sender connected through the Service Bus (with Access Control) to two Listeners]
Implementing Eventing
Simple WCF semantics:
1. Provide a WCF service contract with OneWay operations
2. Create the service implementation using the Multicast service behaviour
3. Authenticate each client to the SB endpoint
4. Create two connections to the Service Bus
   1. A ServiceHost to listen for chat messages
   2. A client connection to send new messages
5. Send and receive messages
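The five steps above as one added C# example (not code from the deck or from the Relay Chat demo). It assumes the Microsoft.ServiceBus assembly's NetEventRelayBinding and TokenProvider API; the namespace, issuer key, contract names and chat path are placeholders.

```csharp
using System;
using System.ServiceModel;
using Microsoft.ServiceBus;

// Step 1: contract with OneWay operations only; the relay never returns a reply.
[ServiceContract(Name = "IChatContract", Namespace = "http://example/chat")]
public interface IChatContract
{
    [OperationContract(IsOneWay = true)]
    void Speak(string user, string text);
}
public interface IChatChannel : IChatContract, IClientChannel { }

// Step 2: service implementation; every host listening on the same address
// receives each message (multicast).
public class ChatService : IChatContract
{
    public void Speak(string user, string text) => Console.WriteLine("[{0}] {1}", user, text);
}

class Program
{
    static void Main()
    {
        // Placeholders: your Service Bus namespace and its ACS issuer credentials.
        string ns = "<your-namespace>", issuer = "owner", key = "<issuer-key>";
        Uri address = ServiceBusEnvironment.CreateServiceUri("sb", ns, "ChatRoom");

        // Step 3: shared-secret token provider authenticates this process to the SB endpoint.
        var credentials = new TransportClientEndpointBehavior
        {
            TokenProvider = TokenProvider.CreateSharedSecretTokenProvider(issuer, key)
        };
        var binding = new NetEventRelayBinding();   // one-way, multicast relay binding

        // Step 4a: ServiceHost that listens for chat messages.
        var host = new ServiceHost(typeof(ChatService));
        host.AddServiceEndpoint(typeof(IChatContract), binding, address).Behaviors.Add(credentials);
        host.Open();

        // Step 4b: client channel on the same address, used to send new messages.
        var factory = new ChannelFactory<IChatChannel>(binding, new EndpointAddress(address));
        factory.Endpoint.Behaviors.Add(credentials);
        using (IChatChannel channel = factory.CreateChannel())   // Step 5: send
        {
            channel.Open();
            channel.Speak("alice", "hello via the relay");
        }
        Console.ReadLine();   // keep listening (and receiving) until Enter is pressed
        host.Close();
    }
}
```

Every process running this code both sends and receives: each message it sends is relayed to all hosts open on the same address, including itself.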
Demo: Relay Chat
Service Remoting
Expose web services beyond the firewall
- On-premise web service: expose to clients without firewall changes
- Message distribution options: simple load balancing support; supports full-duplex communications
- Pass through underlying security constructs: end-to-end authentication, end-to-end encryption
Service remoting: access web services across the Internet; publish services and communicate bi-directionally.
[Diagram: a Sender and a Listener connected through the Service Bus (with Access Control)]
Implementing Remoting
Config only, from an existing service:
1. Take the existing on-premise service
2. Use WCF config to authenticate and connect to SB
3. Each service has a unique SB endpoint
Simple client with supporting libraries:
1. Query the Service Bus registry via ATOM for the list of endpoints
2. Choose an endpoint at random (or by another 'smart' algorithm)
3. Establish communications with the selected endpoint
4. The message is relayed to the selected service
Demo: Load Balanced Service
Tunneling
Tunnel low-level protocols via Service Bus
- High-performance tunnel over TCP where possible
- Automatic fallback to a tunnel over simple HTTP where needed
- Expose any on-premise service securely
  - To clients over the Internet
  - To Windows Azure services
Tunneling: transport existing protocols over the Service Bus.
[Diagram: a Sender and a Listener, each behind a Protocol Bridge, connected through the Service Bus (with Access Control)]
Implementing Tunneling
Implement the agent:
1. Read configuration
2. Listen on a port/pipe on the local machine
3. Forward communications efficiently to/from the Service Bus
Implement the bridge:
1. Listen on the Service Bus
2. Forward communications to/from the local port/pipe
Demo: Port Bridge
Access Control Service
Why an Access Control Service?
- Federate identity
  - Leverage multiple identity providers per application
  - ADFS v2, Live ID, Facebook, Yahoo, Google, ...
- Identity abstraction
  - Evolve past username/password
  - Leverage claims-based identity
How it works
Parties: Customer, Access Control Service, Your Service
0. Establish trust via key exchange
1. Define access control rules for an identity provider
2. Request token (pass input claims)
3. Map input claims to output claims based on access control rules
4. Return token (receive output claims)
5. Send message with token
6. Process token
Capabilities
ACS == claims-based access control
Key features:
- Open to all platforms
- Simple rules for mapping input to output claims
- OAuth WRAP & SWT
- Integrates with ADFS v2
All web services can take advantage of these capabilities with a single code base
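Step 6 of the flow above ("process token") for the SWT format listed under key features, as an added C# example that is not code from the deck or from the ACS SDK. `Swt` and its method names are assumptions; the key is the base64-decoded token signing key shared with ACS at step 0, and `Issue` exists only to show what a valid token looks like (it mirrors what ACS does at step 4).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;   // HttpUtility (reference System.Web.dll)

public static class Swt
{
    const string SigPrefix = "&HMACSHA256=";

    // What ACS does at step 4: form-encode the output claims, then append an
    // HMAC-SHA256 over the encoded string, keyed with the shared signing key.
    public static string Issue(IDictionary<string, string> claims, byte[] key)
    {
        var parts = new List<string>();
        foreach (var c in claims)
            parts.Add(HttpUtility.UrlEncode(c.Key) + "=" + HttpUtility.UrlEncode(c.Value));
        string unsigned = string.Join("&", parts);
        using (var hmac = new HMACSHA256(key))
            return unsigned + SigPrefix + HttpUtility.UrlEncode(
                Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(unsigned))));
    }

    // What your service does at step 6: check the signature first, then issuer,
    // audience and expiry; only then are the remaining output claims trustworthy.
    public static bool Validate(string token, byte[] key, string issuer, string audience, DateTime nowUtc)
    {
        int sigPos = token.LastIndexOf(SigPrefix, StringComparison.Ordinal);
        if (sigPos < 0) return false;
        string unsigned = token.Substring(0, sigPos);
        byte[] presented, expected;
        try { presented = Convert.FromBase64String(HttpUtility.UrlDecode(token.Substring(sigPos + SigPrefix.Length))); }
        catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(unsigned));
        if (presented.Length != expected.Length) return false;
        int diff = 0;                                   // constant-time compare
        for (int i = 0; i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        if (diff != 0) return false;

        var claims = HttpUtility.ParseQueryString(unsigned);
        long expiresOn;
        if (claims["Issuer"] != issuer || claims["Audience"] != audience) return false;
        if (!long.TryParse(claims["ExpiresOn"], out expiresOn)) return false;
        var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        return nowUtc < epoch.AddSeconds(expiresOn);   // ExpiresOn is Unix seconds
    }
}
```

A service would call `Swt.Validate(token, key, "https://<ns>.accesscontrol.windows.net/", "<your-service-realm>", DateTime.UtcNow)` before reading any other claim from the token; a token with a mismatched audience was issued for a different relying party and must be rejected even though its signature verifies.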
Demo: ACS Calculator
Tips and Tricks
Firewall Configuration
AppFabric is tolerant of diverse network topologies
- Minimum configuration
  - Enable outbound HTTP on ports 80 and 443
  - Authenticate against the proxy server, if any
- Optimal configuration
  - Allow outbound on ports 9350 and 9351
  - Can limit to well-known IP ranges
SB Endpoints in Windows Azure
1. Create a Worker Role
2. Create a ServiceHost
3. Authenticate against the Service Bus
4. Open the ServiceHost
Session Takeaways
- Service Bus provides a topology-agnostic message bridge in the cloud
- Three key Service Bus patterns: eventing, remoting, tunneling
- Access Control Service abstracts authentication & authorization
- Labs provides early access to new features
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.