Hosting a Shibboleth SP Web Site in Azure, Conclusion

This is the last in a series of posts about using the Shibboleth Service Provider to implement SAML SSO authentication in an Azure cloud service web site. The first three posts present background information. There are two posts that are specific to using the Shibboleth SP with Azure and then there is this concluding post.

The information I am presenting has come from three sources. First is the official Azure documentation from Microsoft and Shibboleth documentation from the Shibboleth Consortium. Each discusses their respective areas but there is no overlap. My second source of information is what I learned while working on the Azure team at Microsoft. That was over a year ago and many things have changed in the interim. However, it gave me a foundation in understanding how an Azure cloud service works. Finally I did a lot of experimenting, trying things, seeing what worked and what didn’t. I’ve found nothing on the web about hosting the Shibboleth SP in Azure so I believe I am blazing a trail of sorts. I hope this information may be of some value to others. Having said that I must offer some caveats.

The first caveat is to simply underscore the fact that Azure is being updated by Microsoft at a frantic pace. My explorations that produced this web application were done in June 2013. Some of the details will certainly change or become obsolete over time. E.g. I noted that an Azure web site did not support SSL. I’ve since seen an announcement of an SSL preview for the web site feature.

Unresolved and Unexplained Issues

Mysterious Site ID in IIS

I used the remote desktop to look at IIS Manager on my Azure role instance and saw that the web site ID was 1273337584. I thought “it’s assigning a random number” and expected it to change with subsequent deployments. It didn’t. So I deleted the deployment and redeployed instead of just doing an update. It remained the same number. Then I deleted the entire cloud service and created a new one with a new name. The web site ID remained the same. What can I conclude from this? Nothing really. I don’t know if this is a fixed number, used for all web role instances (remember that each role instance gets its own VM, so there is no chance of site ID collisions), or if there is some algorithm that could be related to my subscription or some other value.

I looked into using appcmd to read the site ID assigned by Azure thinking I could then modify the shibboleth2.xml file on the fly. Then I discovered that the web site hasn’t been created at the time the startup script is running. The only option is to have a method override in my app code for the role start notification. This is a bit of a chicken-and-egg problem because I’d have to restart the Shibboleth service after updating the config file and might also have to restart the web site – from within the web site code. So this issue remains without a good resolution.

Azure Load Balancer Affinity

A SSO exchange involves several browser redirects first initiated by the SP code, then by the IdP code back to the SP. In between there is a user interactive log in. All of the Azure documentation stresses that your web applications must be stateless. If you have multiple instances of a web role running for load handling reasons, you have no control over which instance will receive a request. Will this cause problems during the authentication sequence?

I found one non-Microsoft blog post that said the Azure load balancer would have session affinity for a given source-IP/port pair. My own understanding from when I worked in Azure was that the load balancer would maintain a session for up to one minute of inactivity. I’ve seen no official confirmation of either notion. I’ve not spun up more than one instance yet to test this issue. Considering that Microsoft provides an SSO federation service in Azure’s Access Control Service, which uses the same sort of redirect sequence for authentication (more actually because of the extra federation hops), I’d have to believe that this is not an issue. It would be nice to know for sure though.

Conclusion

Of course this begs the question: why doesn’t Microsoft natively support SAML authentication? That is, why isn’t there a Windows Identity Foundation protocol handler for the SAML profiles and bindings? That would eliminate the need to jump through these hoops. I’ve asked some of my former Microsoft colleagues who are in a position to know and have received no response. I know the official line is to not comment on unreleased products or product plans, so the lack of a response is not surprising.

There is also the option of updating the Shibboleth SP implementation so it can act as a WIF protocol handler. It is open source and community developed. I might be able to contribute. Stay tuned.

 

Code Details for Hosting a Shibboleth SP Web Site in Azure

Continuing my series on hosting a Shibboleth SP web site in Azure, here is the entire install-shib.cmd startup file I used.

rem batch file to install the Shibboleth SP
echo running install-shib batch file >> %temp%\install-shib.txt 2>&1
date /t >> %temp%\install-shib.txt 2>&1

echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt INSTALLDIR=c:\opt\shibboleth-sp\ /norestart
if errorlevel 1 goto err1

echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
if errorlevel 1 goto err2
echo calling xcopy to copy the key files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
if errorlevel 1 goto err2
echo calling xcopy to copy Shib DLLs that the ISAPI filter loader can't find >> %temp%\install-shib.txt 2>&1
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
if errorlevel 1 goto err2

echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
rem appcmd returns 183 if the setting already exists; ignore and continue
if %errorlevel% EQU 183 goto appcmd2
if errorlevel 1 goto err3

:appcmd2
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
if %errorlevel% EQU 183 goto appcmd3
if errorlevel 1 goto err4

:appcmd3
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
if %errorlevel% EQU 183 goto icaclscmd
if errorlevel 1 goto err5

:icaclscmd
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
rem if errorlevel 1 goto err6

echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
rem if errorlevel 1 goto err6

:restart
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default
if errorlevel 1 goto err7

rem return a non-zero exit code for success
:success
exit /b 0

:err1
ECHO msiexec exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err2
ECHO xcopy exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err3
echo appcmd configuring handler exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err4
echo appcmd configuring filter exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err5
echo appcmd enabling filter exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err6
echo icacls setting Shib folder perms exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err7
echo restarting Shib service failed with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

Here are some of the important edits that must be made to the shibboleth2.xml file. First, update the Site line inside of the ISAPI tag to read like this.

<Site id="1273337584" name="myshibbolethsp.cloudapp.net"/>

Next update the RequestMap section to name your host. Note that a Path element is not used, the entire web site is protected.

<Host name="myshibbolethsp.cloudapp.net" authType="shibboleth" requireSession="true"/>

Now set the entityID. This is the host name with the protocol prefix.

<ApplicationDefaults entityID="https://myshibbolethsp.cloudapp.net/"
 REMOTE_USER="eppn persistent-id targeted-id">

Remember to substitute your site’s DNS name and URL in the above edits.

Ensure that SSL is required.

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
 checkAddress="false" handlerSSL="true" cookieProps="https">

You need to specify your IdP’s entityID. I am using the University of Washington’s IdP in this example.

<SSO entityID="urn:mace:incommon:washington.edu">

Last, you must specify the metadata source and signature. The UW is part of InCommon so its metadata is listed there.

<MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
 backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="Signature" certificate="incommon.pem"/>

Note the reference to the incommon.pem file. The metadata signature public key file is one of the files you must add to the Shibboleth-SP folder in your VS project.

Many more customizations of the Shibboleth SP are possible. These posts just scratch the surface WRT using SAML as an authentication protocol and with using the Shibboleth implementation as a Service Provider. There is a wealth of information on the Shibboleth.net site and on blogs and posts around the web.

In the next post I’ll discuss some issues I’ve yet to resolve.

Hosting a Shibboleth SP Web Site in Azure

I explained how to create an Azure cloud service application web role in my prior post. Now I will discuss the steps and code needed to add the Shibboleth Service Provider so that the web site can use SAML for single-sign-on authentication.

Adding an SSL Certificate to the Azure Web Role

SSL is the first layer of defense for an SSO web application. Thus you must obtain an SSL certificate for your web site’s URL. This is a whole topic in itself, so I will skip the details of how to obtain an SSL certificate. The biggest trick seems to be configuring Azure and Visual Studio to not get confused between the remote desktop certificate and the SSL certificate. The Azure instructions for configuring SSL are here. I’ll summarize the most important points below.

  1. If you are creating a test web site, then a self-signed certificate will suffice. Make sure the certificate’s subject CN is set to your web site’s full DNS name. In this example that DNS name would be myshibbolethsp.cloudapp.net.
    1. You will need to have the certificate in a PFX file so it can be uploaded to Azure. This PFX file must contain the certificate’s private key! You will also need the certificate thumbprint.
  2. Modify the cloud service’s service definition and service configuration files as shown in the Azure article.
    1. There are actually two service configuration files, a local and a cloud version. They must both be updated to contain the SSL certificate.
    2. Note that the service configuration files will already have a listing for the remote destkop certificate. The SSL cert entry should be added to this <Certificates> section.
    3. You probably don’t want a non-SSL connection, so remove the HTTP binding and endpoint and replace it with the HTTPS binding and endpoint in the service definition file.
  3. Upload the SSL certificate to your cloud service application.
    1. Go to the Azure Developers’ Portal and click on your cloud service application.
    2. Click on the CERTIFICATES item at the top right of the window.
    3. Click the UPLOAD button at the bottom of the screen.
    4. This opens the “Upload certificate” dialog. Browse for your cert’s PFX file and enter the private key password and click the OK check button.
  4. Now the SSL-modified cloud service application needs to be uploaded to Azure.
    1. I got an error when I tried to upload the app using the VS Publish command: Certificate: ‘myshibbolethsp.cloudapp.net’ with Thumbprint: <…> for Role: WebRole1 has not been uploaded to the cloud service. I had previously uploaded the certificate, but that didn’t seem to help.
    2. Rather than use VS to Publish the app, you can upload the “deployment” package using the Developer Portal. This is the option described in the Azure article above. Perhaps there is a reason they explain doing it in this fashion.
    3. First you need to build the deployment package. In VS, right-click the cloud service project and choose “Package…”. This brings up a small dialog where the Service configuration should be set to “Cloud” and the “Enable Remote Desktop” checkbox should be checked. Click Package.
    4. Go to the Developers Portal and click on your cloud service application. Go to the DASHBOARD and then click the UPDATE button at the bottom of the screen. This brings up the “Update your deployment” dialog which is very similar to the “Custom Create” shown in the Azure SSL article.
      1. Click the FROM LOCAL button to browse to the package file you just built. It should be under your VS cloud service project folder in the bin\Release\app.publish folder.
      2. Do the same thing to locate the configuration file in the same folder.
      3. Make sure the “Update the deployment even if one or more roles contain a single instance” box is checked. Click the OK check button.
      4. You can check the progress of the deployment update from the Developers’ Portal.
  5. Browse to your web site using HTTPS. Fingers crossed! It should work but HTTP should be rejected.

Adding the Shibboleth SP to the Azure Web Role

This post assumes that you have a SAML IdP that will authenticate your test Shibboleth SP. If you need to set up a test IdP, Microsoft has produced a series of videos on how to do this. Of course there is the Shibboleth IdP documentation at shibboleth.net. You should also have downloaded the Shibboleth SP 64-bit Windows/IIS 7 MSI file. Get the latest version from the download site.

  1. Install the Shibboleth SP to your development machine or a local web server. You will need several of the configuration files and it would be best to understand how it works in a local installation. The UW has some great instructions on doing this install.
  2. You have to upload the Shibboleth SP MSI and related files to Azure. To do this, add the files to the VS project.
    1. In VS create a folder under the web role project. Call that folder Shibboleth-SP.
    2. Add the Shibboleth SP MSI file to this folder.
    3. Add a properly configured shibboleth2.xml file to this folder. More on this below.
    4. Add a certificate public key PEM file for the IdP’s metadata signature.
    5. Create a text file in this folder. Name it install-shib.cmd.
    6. You would also need an attribute-map.xml file if you are doing any custom attribute mapping.
    7. All of these files must have their “Copy to output directory” property set to copy-always. You can find this setting on each file’s Properties tab.
  3. Several changes must be made to the shibboleth2.xml file. There is one change that is rather mysterious. The site ID for the cloud service web role must be set to match the site ID in IIS. I found that Azure was setting the site ID to 1273337584. I have no idea why this particular number was used. I’ll discuss this further in my follow-up post.
  4. Modify the service definition file to run the install-shib.cmd startup script. Add the line
    <Task commandLine=”Shibboleth-SP\install-shib.cmd” executionContext=”elevated” taskType=”simple” />
    inside of a <Startup> element following the instructions from Microsoft.
  5. Last, but not least, you need to fill in the startup script. I’ll post the entire script in a subsequent blog post, but here are the notes about what it does.
    1. First, it runs the Shibboleth SP MSI in unattended mode. I am using the default install path which had to be explicitly declared in the version 2.5.1 MSI. I also specify that install logging goes to the temp folder. This article describes how startup logging works.
    2. It then copies files from the Shibboleth-SP directory to the SP install directory. This includes some DLLs that are in the path but that can’t be found by the Shibboleth ISAPI filter for some reason.
    3. The SP MSI relies on the IIS 6.0 compatibility API extension to install the Shibboleth ISAPI filter. The Azure version of IIS does not have this extension installed, so I use the appcmd utility to install and configure the ISAPI filter.
    4. Some file system ACLs are missing so I use the icacls tool to set them.
    5. Finally I restart the Shibboleth service daemon so it will pick up the new Shibboleth2.xml values.
  6. Now you can build and upload this new version of your Azure web application. At this point you should be able to use either method: publish from VS or update from the Developers’ Portal. Note that there is actually a third method that could be used. VS calls out to Azure SDK tools. You could use those tools directly in case you want to have a build script automate the upload and deployment.

Now when you browse to your Azure web site you should be redirected to your IdP’s login page. Once you successfully log in you should be redirected back to your web app. There will now be session variables that contain authentication attributes such as IdP URN, user name, and so on.

Simple, huh? More details to follow. I didn’t say this was going to be easy.

 

Hosting a Web Site as an Azure Cloud Service

I’ve used the Shibboleth Service Provider (SP) for authentication of web applications running on my own IIS web servers. I wrote a simple ASP.Net web site in Visual Studio and configured it to run in IIS and then added the Shibboleth SP to it. This is a fairly straightforward task with much of the work done for you by the Shibboleth SP installer. The only thing that remained to be done after the SP installation was updating some configuration files and registering my SP with my university’s IdP. Having completed this project I wondered if this process could be repeated using Azure as the web hoster.

Shibboleth Service Provider

The Shibboleth SP comes in two flavors: IIS and Apache. As I outlined in my prior post, there are several different options for web hosting in Azure. I could create a virtual machine running either Windows or Linux and install the Apache web server on it. I’m not going down that road for a variety of reasons that I’ve already noted. The simple web site option won’t work because it doesn’t support SSL or startup scripts. That leaves the option of exploring the Cloud Service and its IIS web role to do this Shibboleth SP hosting.

The IIS version of the Shibboleth SP is composed of two parts, an ISAPI filter DLL that intercepts requests before they reach your web application code and a Windows service that maintains SP state. The SP is packaged as an MSI and is installed by the Windows installer. This means that there must be a way to run the MSI on your Azure web host before the web application starts. Fortunately the Cloud Service web role can be configured to run startup scripts. There is another wrinkle to consider. The Shibboleth SP MSI uses the IIS 6.0 compatibility API to install its ISAPI filter. I did a bit of experimenting and discovered that the Azure Windows Server 2012 web role does not have the IIS 6.0 compatibility API installed. Thus additional startup steps are required.

Steps to Create an Azure Cloud Service Web App

The analog to creating a local IIS web app is to create an Azure cloud service web role. To create an Azure web site you need to have an Azure subscription. There are several ways to obtain said subscription. One option is to sign up for a 90-day free trial. If you do this you must cancel within those initial 90 days or charges will begin to accrue. If you have an MSDN subscription, that entitles you to a $100/month subsidy for Azure services. This is a good way to kick the tires and even to run a small web site. Azure only supports two different kind of user login accounts: Live accounts or Office 365 accounts. Since MSDN also requires the use of a Live account, this is a straightforward way to get an Azure subscription.

With a subscription in hand, you can log into the Azure Management Portal using the corresponding Live or Office 365 account. The next step is to create a new web application. The Azure documentation on creating a cloud service is here.

This blog post assumes you are using Visual Studio. The steps I describe apply to both VS 2010 and VS 2012 although the later version has more built-in support.

  1. Install the Windows Azure SDK. The version that is current as of the writing of this post is 2.0. This installs VS templates and extends the VS menus with Azure-specific commands. It also installs Azure libraries and tools.
  2. Open VS and create a new project using the Visual C# Cloud template.
    1. Go with the default .Net framework version. With VS 2010 that is 4.0. With VS 2012, that is 4.5. The .Net version support is one of the biggest differences between VS versions.
    2. You will need to name the project. Use whatever name makes sense to you; this name will not be used by Azure.
    3. Leave the “Create directory for solution” checkbox checked.
    4. After you click OK the “New Windows Cloud Service” dialog will open. It lists 3 ASP.Net web role templates along with others. Choose whichever template you may be familiar with using. If you are not familiar with ASP.Net, then beware; all of these are complex web application templates. I chose the ASP.Net Web Role and discovered that it created several hundred web site files. Yikes! VS does have an “Empty ASP.Net web site” template, but it is not available as one of the cloud service roles. At any rate, you can accept the proposed name of WebRole1 or you can click on the name and an edit icon (a pencil) appears. If you click on the pencil you can rename the web role to something more meaningful to your web application. When you click OK VS whirs away for a while and then presents to you the beginnings of a web application.
    5. Create whatever basic web site functionality you may want. Build it and run it to ensure it works.
  3. Sign up for an Azure account and log in to the Azure Management Portal
  4. Create a Cloud Service application. You can use the quick create option.
    1. You will need to choose a URL. Whatever you choose will be prepended to .cloudapp.net. It is possible to use your own full DNS name, but I won’t go into that here. Rather, you need to choose a name that is unique within the cloudapp.net namespace. For example, if you choose myshibbolethsp, then your web site’s URL will be https://myshibbolethsp.cloudapp.net.
    2. You should select a region that is close to your location to keep latency and transfer time to a minimum.
    3. If you have more than one Azure subscription, you will be asked which to use for this new cloud service.
    4. When you are done you will have an empty cloud service with no running instances.
  5. Now upload your web application to Azure. Go to the Visual Studio Solution Explorer. There will be a cloud service project in addition to the web role project. Right-click on the cloud service project and choose Publish…
    1. This opens the Publish Windows Azure Application wizard. Follow the steps in this MSDN Article to complete the upload.
    2. Choose the option to enable remote desktop. The Azure tools automatically create a remote-session encryption certificate and does the VS and Azure configuration for remote desktop.
    3. It will ask you for a storage account for debugging. You can create one if you don’t already have one. It won’t actually be used unless you add Azure debug logging to your code.
    4. Since this is a test cloud service you can select deploy to production. Staging would have a different URL which will complicate things unnecessarily.
    5. It takes a while to upload the project packages and then start the web role. You can monitor the progress in the VS output pane.
  6. You can try to access the web site after VS says it has successfully deployed. You can also go to the Azure Developer’s Portal to monitor and/or configure your new cloud service application.

Now that you have a running Azure cloud service application, you can configure it for SAML authentication using the Shibboleth SP. I will demonstrate how to do that in my next post.

Hosting Options for a Web Application

In my prior post I discussed SAML as a popular federated authentication protocol standard. To create a SAML-protected web site, in fact, to create any web site, you need to have a web server. You can use almost any type of computer as a web server, but for reasons of reliability and load handling, you’d probably want a server-class machine. Server-class computers are much more expensive than commodity workstation machines. You would probably also be concerned about the ancillary systems such as the networking gear and power conditioning components. For these and may other reasons you may wonder if it would be advantageous to have someone else provide a web server that you could use. This type of service is commonly termed web hosting.

Editorial Note: I dislike using the term “cloud” to describe what is nothing more than hosted services. That is, services that are running in someone else’s data center. Technical people love latching on to buzzwords. These are terms that get used way beyond their technical origins and often to the point where they become meaningless. Despite my objections, it is difficult to discuss Microsoft hosting services without using the word “cloud.”

So, I’d like to create a web site whose content is protected by SAML authentication. What are my options? First off, I’ll use the Shibboleth open-source service provider as the SAML software for the web site. Then I’d like to have someone else host it so I don’t have to invest in server-class infrastructure. What are my hosting choices?

Software as a Service

Software as a Service, abbreviated SAAS, is very common and most people have used it. Imagine a software application that runs on your computer such as Microsoft Word/Office or Intuit’s Turbo-Tax. Office 365 and Turbo-Tax Online are SAAS versions of those programs. Other common examples of SAAS include Hotmail, G-Mail and Google Docs.

Infrastructure as a Service

There are a number of hosting providers that allow you to upload a virtual machine. They will run it for you on a virtual server and will provide the networking and related components. This is IAAS. You build your own web server, either physically or within your own virtualization environment. You then author a web application using a framework supported by your web server and configure this web server as needed to run the application. Finally you upload the virtual server image of your web server to the IAAS provider. Thus you provide and configure the operating system, the web server service, and any libraries or other programs needed by your web application. You also have to provide the health and load monitoring of your web application. You do all of the work to create a web server and someone else supplies the infrastructure to run that web server. IAAS can host nearly any type of server that communicates over a network.

Platform as a Service

PAAS falls in between SAAS and IAAS. The PAAS vendor provides a virtual environment that includes an operating system and a web server service and related support services such as monitoring. There are no clean lines, it is a continuum such that it is difficult to say precisely where PAAS stops and SAAS begins. I like to think that if it requires writing computer code, then it is PAAS. Thus services like BlogSpot and WordPress seem to be more SAAS than PAAS.

Microsoft Windows Azure

A number of companies offer variations on these hosting services. As I mentioned earlier, Microsoft Office 365 is an example of SAAS. I used to work on Microsoft’s Azure, so I will discuss some of its hosting services. Azure provides both PAAS and IAAS options. Azure can host your virtual machines; that is their IAAS offering. Azure has two PAAS variations that they term Web Sites and Cloud Services. The web site service is new and is currently limited to vanilla ASP.Net web sites that cannot employ SSL/TLS. The cloud service variation is much more powerful and configurable. More about that in a moment. Azure also offers a number of supporting services which includes SQL databases, high availability no-SQL storage, networking services such as VPN and event messaging, and directory services and this list is growing on a nearly monthly basis.

Azure Cloud Services

An Azure cloud service allows you to create instances of two different roles; a web server role and a worker role. The idea is that a sophisticated web application will need front end services to process web requests (the web role) and back end services to do extended processing (the worker role). The typical scenario would have a web role field a request for some “thing” that is part of the web application. The web role would then queue up a request to the worker role to get that “thing.” The queued request would include the address to which the response should be directed. The worker role would do whatever processing is needed (say, do a cart check-out) and then post an item to the response queue with the results. A web role instance would read the response queue in between handling requests so that the results can be sent back to the requesting web browser.

Communications Infrastructure

Azure provides a number of mechanisms that web roles and worker roles can employ for communications.

  • Azure storage provides highly-available and fault-tolerant storage. There are 3 copies of all datum stored in a data center and, if needed, the data can be replicated between Azure data centers.
    • Blob storage – allows the storage of very large datums, each with a unique address. You could build a photo-sharing site using blob storage for the photos.
    • Table storage – on-the-fly table creation using standard .Net datatypes for each table column. One element of a row must be declared to be the unique key for the table. This is much lighter-weight storage than a SQL database but it comes with limited indexing and searching capabilities and no relational operations.
    • Queue storage – supporting the standard push, pop, and peek operations and perfect for the introductory example web/worker role communications
  • Azure Drives – this is actually a variation of blob storage where you upload an NTFS-formatted virtual hard drive (VHD) to your blob storage and then mount this as a drive in your azure role
  • SQL Azure – SQL database instances that you can create and use in your Azure cloud service roles
  • Azure Service Bus – this is a set of services that offers event messaging, queues, and message forwarding
  • Virtual Private Network – create a VPN that can be used by all of your Azure cloud service roles and can optionally connect to your local network

Azure Cloud Service Role Details

A cloud service role is composed of instances where you must have one or more running instances to be operational. This is one of the largest advantages of using Azure as a hosting provider. If the load on your application increases, you can add more instances simply by making a configuration change in the Management Portal. Azure handles the work of finding space for the new instances, starting them up, and configuring them in the load balancer. The load balancer will automatically distribute traffic to all of the running instances.

Azure cloud service roles have some unique characteristics that differentiate them from conventional on-premise servers.

  • Not domain joined – Azure roles are all stand-alone, thus there are no shared service identities; most intra-Azure communications is secured using shared secrets
  • Role instances run as VMs and can be stopped and restarted without warning by the Azure fabric controller in cases of hardware or other failure; for this reason:
    • Applications must be stateless or store state off-machine to Azure storage or SQL Azure
    • Conventional logging to files or the event log will be lost if the instance gets recycled; you can use an Azure library to log to Azure storage
  • Each instance is on the public internet by virtual of the load balancer mapping internal IPs to public IPs
    • There is a per-machine Windows firewall
    • Can use Azure VPN to connect role instances together if secure direct TCP communications is needed
  • Limited out-of-the-box configuration but can install and configure additional software by the use of startup scripts
    • The startup scripts run each time an instance is recycled or updated; thus a complex startup script will slow role startup
  • Can configure per-instance remote desktop for inspection and debugging

Azure roles are tightly coupled to ASP.Net. IIS is the default web server. You can choose the version of Windows Server you’d like to use. This also implies the version of IIS and the .Net framework. Azure currently offers the use of Windows Server 2008 SP2, Server 2008 R2, or Server 2012.

The Azure SDK extends Visual Studio with cloud service templates and publication support and provides a development simulation of the Azure run-time environment. Thus you can develop and test an Azure application on your desktop and then upload it to Azure all without leaving Visual Studio.

Next time: hosting a Shibboleth SP web application in Azure.

 

Dueling Federation Standards

The nice thing about standards is that there are so many from which to choose. That may be a cliché, but it certainly applies to federated authentication protocols. There are several widely adopted protocols in use including SAML, WS-Federation, OAuth and OpenID. The first two are based on SOAP (Simple Object Access Protocol) messages carried over HTTP and are OASIS proposed or ratified standards. The latter two are non-SOAP REST HTTP protocols and are standards-track but not yet standardized.

SAML stands for Security Assertion Markup Language. The OASIS standard is composed of a set of specifications for assertions, protocols, bindings, profiles, metadata, etc. There is a community developed, open source implementation from the Shibboleth Consortium that is in wide use in higher education and elsewhere. SAML version 1.0 was ratified as a standard in 2002. The current version 2.0 of the standard was ratified in 2005.

WS-Federation is part of the Web Services Security (WSS) set of proposed and accepted standards which includes WS-Trust and WS-Security. Microsoft and IBM both contributed to the design of the standards and employ them in their federation software. The Microsoft implementations use either SAML versions 1.1 or 2.0 security tokens. To the best of my knowledge there is no open source reference implementation.

Although both of these standards share the same token format, the wire protocols are not compatible so that interoperation is not possible.

OpenID is a newer identity federation protocol specification. It is rapidly evolving due to early versions having significant security weaknesses. Several major web vendors, including Google and Yahoo!, implement OpenID authentication systems.

OAuth is technically not a federated authentication protocol. Rather, it is an authorization framework. It is typically employed in situations where one user is granting limited access to his or her protected resources to another user.

OpenID Connect is a protocol framework that incorporates the features of OpenID 2.0 and OAuth 2.0 in an API-friendly fashion. It employs elements that are compatible with REST including JSON Web Tokens (JWT) for the transmission of user attributes (a.k.a. claims or assertions).

Each federation standard defines several roles or components and they all function in a similar fashion. First there is an identity provider (IdP) that stores and verifies user identities. Technically the IdP is the protocol layer that lies in front of an authentication system such as Open LDAP or Active Directory. An IdP is also known as a security token service (STS). Then there is the web application that requires user authentication. Such an application is known as a service provider (SP) or relying party (RP). The standards define the function and format of the IdP and SP components.

So, which of these is the best? Well, it depends. The SAML standard has a non-proprietary and proven implementation in Shibboleth and it meets the needs of most web applications. The WSS protocols are widely used in business software. There are some advantages to designing a web API using REST-ful conventions rather than SOAP. A REST-ful API precludes the use of a SOAP-based authentication mechanism. However, the OpenID technologies are immature such that implementations vary in their interpretation of the protocols and many have suffered from significant security vulnerabilities. Time will tell if OpenID authentication evolves into a trusted and widely used technology. Note: when a large business like Microsoft or Google or Facebook adopts a technology, that technology can become a de facto standard. In the case of OpenID, their versions are slightly different, so hopefully a real standard will emerge through the standards development process.

Federated Identity

Identity is a tough nut. We all know who we are but even in the physical world a raft of documentation is required to prove your identity to others. The Obama birth certificate is a perfect example of just how complex identity can be. In the virtual world the situation is much worse because of the ease at which bad actors can impersonate others. Even a casual user of the Internet will end up with identity information stored in multiple places protected by nothing more than a password. Your identities are only as safe as your passwords. A diligent person will use complex passwords and have different passwords for each web site/identity-store. This quickly gets unmanagable. Federated identity is proposed as a solution to this problem where you have a single identity provider which is trusted by other web properties to vouch for who you are.

That sounds like a great idea; one identity trusted by multiple services. The reality turns out to be a mess though because everyone wants to be that one trusted provider of your identity. To make matters worse there is no agreement on the protocols to be used for this identity federation. The aim of this blog is to discuss the pros and cons of the federated identity choices and to dive into security, privacy and programming considerations.