Page 1

An introduction to .Net Services

Pedro Félix (pedrofelix em cc.isel.ipl.pt)

Posted 22-Jun-2020

Page 2

.NET Services

• Set of services

– Service Bus (SB)

– Access Control Service (ACS)

• Running in the cloud

– Based on Windows Azure

• Providing

– SB : Service Addressability, Connectivity and Discoverability

– ACS : Service Access Control

Page 3

A Motivating Scenario

[Diagram: CloudTrack, a cloud-hosted issue tracker, serves two tenants, Fabrikam and Contoso; one tenant's users create/view issues, the other's view/manage issues]

• Issue Tracker web app

• Cloud-based

• Multi-tenant

Page 4

Connectivity challenges

[Diagram: CloudTrack in the cloud; each tenant's network sits behind "FW, NAT, …". Labelled flows: Create new issue, Notify new issue, Fetch log data]

Page 5

Connectivity Challenges

• Addressability

– Private addresses and Network Address Translation (NAT)

– Dynamic addresses (e.g. ISP)

• Connectivity

– Firewalls

• Discoverability


Page 6

Service Bus Relay

[Diagram: a private service behind "FW, NAT, …" opens an outbound TCP connection to the Relay and registers a Public Name in the Registry; clients query the Registry via HTTP + ATOM and reach the service through the Relay]

• Connectivity - public projection of private endpoints

• Addressability and discoverability

Page 7

Service Bus

• Naming

– Public namespace

– {scheme}://{solution}.servicebus.windows.net/{relpath}

• Registry

– Mapping between URIs and services

– Readable via HTTP+ATOM

• Connectivity and eventing

– Relaying between public (SB) and private endpoints
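The naming scheme above is a trust boundary: anything that maps a relay address to a policy has to take the solution name from the host suffix and normalise the relative path before deciding anything. The following is an added example, not code from the deck or from .NET Services; the accepted scheme set, the `SERVICE_BUS_SUFFIX` constant, the solution-name pattern and the sample URIs are assumptions made for illustration.

```python
# Parse and validate a Service Bus name of the form
# {scheme}://{solution}.servicebus.windows.net/{relpath}
# Added example, not the deck's or the service's code; constants are assumptions.
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote
import posixpath
import re

SERVICE_BUS_SUFFIX = ".servicebus.windows.net"          # assumed: the public namespace domain
ALLOWED_SCHEMES = frozenset({"sb", "http", "https"})    # assumed: relay TCP scheme plus HTTP(S)
SOLUTION_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # assumed: a single DNS label


@dataclass(frozen=True)
class ServiceBusAddress:
    scheme: str
    solution: str
    relpath: str  # normalised, always begins with "/"


def parse_service_bus_address(uri: str) -> ServiceBusAddress:
    """Split a Service Bus URI into its parts, rejecting anything that could make a
    policy written for one solution or path apply to another."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not part of a Service Bus name")
    host = (parts.hostname or "").lower()
    # The suffix must END the host name. A substring or startswith test would accept
    # contoso.servicebus.windows.net.attacker.example as the solution "contoso".
    if not host.endswith(SERVICE_BUS_SUFFIX):
        raise ValueError(f"host {host!r} is not under {SERVICE_BUS_SUFFIX}")
    solution = host[: -len(SERVICE_BUS_SUFFIX)]
    if not SOLUTION_RE.fullmatch(solution):
        raise ValueError(f"invalid solution name {solution!r}")
    # Decode first, then look for traversal: "%2e%2e" only becomes ".." after decoding.
    raw = unquote(parts.path) or "/"
    if any(seg == ".." for seg in raw.split("/")):
        raise ValueError("relative path must not contain '..' segments")
    relpath = posixpath.normpath(raw)  # collapses "//", "/./" and a trailing "/"
    if not relpath.startswith("/"):
        relpath = "/" + relpath
    return ServiceBusAddress(scheme, solution, relpath)


def is_valid_service_bus_address(uri: str) -> bool:
    try:
        parse_service_bus_address(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; none of them refers to a real solution.
    for sample in (
        "sb://contoso.servicebus.windows.net/cloudtrack/issues",
        "https://CONTOSO.servicebus.windows.net/cloudtrack/./issues/",
        "sb://contoso.servicebus.windows.net.attacker.example/cloudtrack",
        "sb://contoso.servicebus.windows.net/cloudtrack/%2e%2e/other",
    ):
        verdict = parse_service_bus_address(sample) if is_valid_service_bus_address(sample) else "rejected"
        print(sample, "->", verdict)
```

The two rejections worth noting are the look-alike host (suffix match is done with `endswith`, never a substring test) and the percent-encoded `..`, which is only visible after decoding; both are the kind of input that turns a per-path policy into a policy for somebody else's endpoint.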

Page 9

Service Bus Security

[Diagram: the private service behind "FW, NAT, …" holds a Listen permission on the Service Bus endpoint and the client a Send permission; both are granted through ACS]

• DMZ externalization

– Public endpoints hosted on the cloud

• Flexible Access Control with ACS

– Claims-based model

Page 10

Connectivity

[Diagram: private endpoint behind "FW, NAT, …"; TCP on both legs of the bidirectional relay, HTTP for request-reply]

• WCF integration via transport binding elements

• Bidirectional (similar to NetTcpBinding)

• Request-reply (similar to *HttpBinding)

Page 11

Datagram multicast (pub-sub)

[Diagram: several CloudTrack listeners on the same Service Bus URI, each with its own TCP connection to the relay]

• NetEventRelayBinding (one-way)

– Multiple opened service hosts on the same URI

– Multicast – message delivered to all listeners

– Support for HTTP pooling

Page 12

Access Control Service

• Identity and access control

• Distributed systems

– Decentralized authority

– Heterogeneous technologies

• Claims-based model

• SB integration


Page 13

Identity and Authorization

[Diagram: Alice presents Contoso credentials; the identity claims Contoso::Alice and Contoso::LeadDev are mapped to the application's authorization claims webapp::IssueView and webapp::IssueMgr]

Page 14

Centralized Solution

[Diagram: the webapp (IssueTracker) holds everything itself: a MembershipProvider validates Alice's creds, a RoleProvider maps Contoso::Alice and Contoso::LeadDev to webapp::IssueView and webapp::IssueMgr, and the application checks them with IPrincipal.IsInRole(...)]

Page 15

Decentralized Authority

[Diagram: a Contoso Authority, not the webapp (IssueTracker), validates Alice's creds and asserts Contoso::Alice and Contoso::LeadDev; the webapp maps them to webapp::IssueView and webapp::IssueMgr]

Page 16

Decentralized Authority

[Diagram: a Contoso Identity Provider backed by Contoso's IdentityDirectory authenticates Alice's creds and issues Contoso::Alice and Contoso::LeadDev; the webapp derives webapp::IssueView and webapp::IssueMgr]

Page 17

Decision Enforcement

[Diagram: three separated roles. Identity Information: Contoso validates creds and issues Contoso::Alice and Contoso::LeadDev. Authorization Decision: mapping to webapp::IssueView, webapp::IssueMgr and webapp::SB.Listen. Authorization Enforcement: the webapp and the Service Bus act on the resulting claims]

Page 18

Access Control Service

[Diagram: Contoso is the Identity Provider (creds in, Contoso::Alice and Contoso::LeadDev out); the Access Control Service makes the Authorization Decision, issuing webapp::IssueView for the webapp and webapp::SB.Listen for the Service Bus (SB); the webapp and SB perform Authorization Enforcement]

Page 19

Access Control Service

• Claims-based Identity and Access Control

• Claims transformer (“claims in, claims out”)

– Consumes claims from federated issuers

– Provides claims to applications and services

• Rule based issuance policy

– Rule: If has claim1 then output claim2

• Not an identity provider

– Does not manage users' identities
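Pages 13 to 19 describe one pipeline: a trusted issuer asserts identity claims, ACS turns them into authorization claims by rule ("if has claim1 then output claim2"), and the webapp and the Service Bus only enforce what ACS issued (webapp::IssueView, webapp::IssueMgr, webapp::SB.Listen). The block below is an added example of that pipeline; it is not the deck's or the service's code. `Claim`, `Rule`, `Token`, `AccessControlService`, the issuer name in `ACS_ISSUER`, the claim types in `SB_ACTION_TYPE` and `WEBAPP_ROLE_TYPE`, the scopes and the scenario data are all assumptions; in a real deployment a claim's issuer is established by verifying the incoming token's signature, which is reduced here to a field.

```python
# Claims transformer ("claims in, claims out") with rule-based issuance, plus the
# two enforcement points that consume its output. Added example; all names are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

ACS_ISSUER = "acs"
SB_ACTION_TYPE = "net.windows.servicebus.action"  # assumed claim type for Listen/Send permissions
WEBAPP_ROLE_TYPE = "webapp::role"                 # assumed claim type for application roles


@dataclass(frozen=True)
class Claim:
    issuer: str  # who asserted it; in practice fixed by the signature on the incoming token
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    """If the input set contains (issuer, type, value), output (out_type, out_value)."""
    issuer: str
    type: str
    value: str
    out_type: str
    out_value: str


@dataclass(frozen=True)
class Token:
    audience: str  # the scope (relying-party URI) the token was issued for
    claims: FrozenSet[Claim]


class AccessControlService:
    """Not an identity provider: it stores no users, only trusted issuers and per-scope rules."""

    def __init__(self, trusted_issuers: Iterable[str], rules_by_scope: Dict[str, List[Rule]]):
        self.trusted = frozenset(trusted_issuers)
        self.rules_by_scope = rules_by_scope

    def issue(self, scope: str, input_claims: Iterable[Claim]) -> Token:
        # Only claims from federated issuers ACS trusts take part in rule evaluation.
        accepted = {c for c in input_claims if c.issuer in self.trusted}
        outputs = set()
        for rule in self.rules_by_scope.get(scope, []):
            if Claim(rule.issuer, rule.type, rule.value) in accepted:
                outputs.add(Claim(ACS_ISSUER, rule.out_type, rule.out_value))
        # No input claim passes through unchanged: every output is traceable to a rule.
        return Token(scope, frozenset(outputs))


def relay_permits(token: Token, resource: str, action: str) -> bool:
    """Service Bus enforcement: allow Listen/Send on resource only with an ACS-issued
    action claim carried in a token whose audience covers that resource."""
    base = token.audience.rstrip("/")
    if resource != base and not resource.startswith(base + "/"):
        return False  # a token minted for another scope must not be replayed here
    return Claim(ACS_ISSUER, SB_ACTION_TYPE, action) in token.claims


def webapp_roles(token: Token) -> FrozenSet[str]:
    """Web app enforcement: the roles it honours are exactly the ACS-issued role claims."""
    return frozenset(c.value for c in token.claims
                     if c.issuer == ACS_ISSUER and c.type == WEBAPP_ROLE_TYPE)


# Constructed scenario in the deck's vocabulary (assumed scopes, issuers and rules).
SB_SCOPE = "sb://cloudtrack.servicebus.windows.net/issues"
WEBAPP_SCOPE = "https://cloudtrack.example/"
ACS = AccessControlService(
    trusted_issuers={"Contoso", "Fabrikam", "cloudtrack-webapp"},
    rules_by_scope={
        WEBAPP_SCOPE: [
            Rule("Contoso", "name", "Alice", WEBAPP_ROLE_TYPE, "IssueView"),
            Rule("Contoso", "role", "LeadDev", WEBAPP_ROLE_TYPE, "IssueMgr"),
        ],
        SB_SCOPE: [
            Rule("cloudtrack-webapp", "name", "webapp", SB_ACTION_TYPE, "Listen"),
            Rule("Contoso", "role", "LeadDev", SB_ACTION_TYPE, "Send"),
        ],
    },
)


def run_scenario() -> dict:
    alice = [Claim("Contoso", "name", "Alice"), Claim("Contoso", "role", "LeadDev")]
    alice_web = ACS.issue(WEBAPP_SCOPE, alice)
    alice_sb = ACS.issue(SB_SCOPE, alice)
    webapp_sb = ACS.issue(SB_SCOPE, [Claim("cloudtrack-webapp", "name", "webapp")])
    # Self-asserted claims from an issuer ACS does not trust: no rule fires, token is empty.
    mallory_sb = ACS.issue(SB_SCOPE, [Claim("Mallory", "role", "LeadDev"),
                                      Claim("Mallory", SB_ACTION_TYPE, "Listen")])
    return {
        "alice_roles": webapp_roles(alice_web),
        "alice_can_send": relay_permits(alice_sb, SB_SCOPE + "/new", "Send"),
        "alice_can_listen": relay_permits(alice_sb, SB_SCOPE + "/new", "Listen"),
        "webapp_can_listen": relay_permits(webapp_sb, SB_SCOPE + "/new", "Listen"),
        "web_token_replayed_at_relay": relay_permits(alice_web, SB_SCOPE + "/new", "Send"),
        "mallory_can_listen": relay_permits(mallory_sb, SB_SCOPE, "Listen"),
    }
```

Three properties of the model carry the security argument: ACS never forwards an input claim, so a caller cannot smuggle `Listen` past it by asserting it themselves; the relay only honours claims whose issuer is ACS; and a token is bound to the scope it was issued for, so Alice's webapp token buys nothing at the relay even though it came from the same ACS.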

Page 20

Protocols and technologies

[Diagram: Alice (LeadDev) authenticates against Contoso's Active Directory through ADFS v2 or CardSpace; ADFS v2 federates with the Access Control Service over WS-* / SAMLP; ACS issues the IssueView claim to CloudTrack, which consumes it with WIF over WS-* / SAMLP; a further leg is labelled "WS-* ?"]