views: 43

answers: 2
I'm researching whether or not it makes sense for my company to use Azure for some outward-facing applications. We need it to integrate with Active Directory so that it knows who they are without having to log in to the site, kind of a single sign-on. Has anyone done anything like this, or does anyone know what tools I'd need to use to do it?

To elaborate a little, currently all of our intranet apps use Windows Authentication with AD groups to determine who has what access and what level of access they have to the apps. So, once they log onto their machines, they don't have to log in again to access any of our home-grown apps. We're looking at using the cloud, but we want to keep the same login paradigm if at all possible. Ideas?

Thanks, Jeremy

+1  A: 

You can federate AD to Azure - you will need at least one server (on premises) running Windows Server 2008 R2 to get the ADFS bits (code name was Geneva). Then on the Azure side, you use the Azure AppFabric authentication (http://msdn.microsoft.com/en-us/windowsazure/netservices.aspx).

Pat

One bit I forgot - the whole AD infra does not need to be on Win2k8R2 - just the one server that handles the ADFS gateway.

Pat
A: 

An observation on Pat's answer:

Then on the Azure side, you use the Azure AppFabric authentication (http://msdn.microsoft.com/en-us/windowsazure/netservices.aspx).

That is not necessarily correct. In the simplest form, which looks like what Jeremy needs, the web site on Windows Azure would simply trust the local ADFS server on-premises. To do this you would use WIF (Windows Identity Foundation).

This scenario is extensively described in multiple documents (e.g. http://claimsid.codeplex.com).

A scenario in which you would use Windows Azure AppFabric (the latest CTP) is one in which the app would trust multiple identities simultaneously, and AppFabric would act as an "Identity Hub".

Eugenio Pace
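To make the simple scenario in Eugenio's answer concrete, here is an added example (not code from either answer, and not taken from the claimsid guide) of the web.config fragment a WIF 1.0 web role on Windows Azure would carry to trust an on-premises ADFS 2.0 server directly, with no AppFabric in between. The hostnames `myapp.cloudapp.net` and `adfs.contoso.com`, the realm, the issuer name and the thumbprint are assumed placeholders; the thumbprint must be that of your own ADFS token-signing certificate.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- Registers the WIF configuration section (Microsoft.IdentityModel, WIF 1.0 / .NET 3.5). -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- The app does no authentication itself; WIF's modules redirect to ADFS and build the principal. -->
    <authentication mode="None" />
    <authorization>
      <!-- Deny anonymous users everywhere; the redirect to ADFS makes this invisible to domain users. -->
      <deny users="?" />
    </authorization>
    <!-- Classic-mode module registration (Azure web roles run IIS7 integrated mode; see system.webServer below). -->
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>

  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <microsoft.identityModel>
    <service>
      <!-- Only accept tokens ADFS issued for this application (assumed hostname).
           A token minted for another relying party is rejected even if correctly signed. -->
      <audienceUris>
        <add value="https://myapp.cloudapp.net/" />
      </audienceUris>

      <federatedAuthentication>
        <!-- issuer = the ADFS 2.0 passive endpoint (assumed hostname); realm = this app's identifier.
             requireHttps keeps the SAML token off plaintext HTTP. -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://adfs.contoso.com/adfs/ls/"
                      realm="https://myapp.cloudapp.net/"
                      requireHttps="true" />
        <!-- The WIF session cookie carries the claims; never send it over plain HTTP. -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>

      <!-- Pin the token-signing certificate: any token not signed by this thumbprint is refused.
           The thumbprint and issuer name below are placeholders, not real values. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="REPLACE-WITH-ADFS-TOKEN-SIGNING-CERT-THUMBPRINT"
               name="http://adfs.contoso.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

Three checks are worth making against any config of this shape: `audienceUris` must name this application and nothing broader, the `trustedIssuers` thumbprint must be the ADFS token-signing certificate (and be rotated when ADFS rolls that certificate), and both `requireHttps` and `requireSsl` must stay on, since the session cookie is equivalent to the user's signed-in state. For Jeremy's AD-group authorization, an ADFS claim rule that sends the user's Token-Groups as role claims lets the existing `User.IsInRole("GroupName")` checks keep working, because WIF treats the standard role claim type as the principal's roles. One caveat specific to Azure: by default WIF protects the session cookie with DPAPI, which is machine-specific, so a web role running more than one instance will fail to read cookies issued by a sibling instance; the usual fix is to replace the DPAPI transform with certificate-based `RsaEncryptionCookieTransform` and `RsaSignatureCookieTransform` handlers on the `SessionSecurityTokenHandler`, using a certificate deployed to every instance.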