One major drawback of web applications in the Cloud compared to intranet applications is that Active Directory is not available. One solution is to use social networks (Google, Facebook, Twitter, Yahoo, Windows Live) to validate users.
You then know that the user is who he says he is, but you still have to handle the authorization yourself. That is not always very handy, because you are not really in control of the authentication. Especially if the users are employees of your company, you of course want them to log in with their corporate account.
Modern companies nowadays use Office 365 (Microsoft's SaaS solution for Office, Exchange and SharePoint in the Cloud). The employees already have an account there, and it would be nice if they could use that account to access your application.
On the Windows Azure portal there was already an Active Directory menu item. Behind it is the familiar Windows Azure Access Control Service (ACS). Via this mechanism users can be authenticated through the well-known social networks (Google, Facebook, Yahoo and Windows Live). More info was already on this blog: http://blogs.msmvps.com/marcelmeijer/blog/2012/05/04/windows-azure-wif-access-control-acs/.
My own test site http://cloudtest.marcelmeijer.net shows the usage.
But this example also uses Office 365 as an authentication provider. With my Office 365 account on the Joep-IT domain I can log in on the site.
Via the claims mechanism of ACS we get some data back, which we can use in the application for things like authorization.
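ACS only tells the application who the user is; deciding what that user may do stays with the application. The following WIF ClaimsAuthenticationManager is an added example (not code from the original post or the test site) that does that step: it checks the identity-provider claim ACS issues and the e-mail claim, and only then adds an application role. The provider name and mail domain are assumed placeholders for whatever is configured in your own ACS namespace.

```csharp
using System;
using System.Security.Claims;

// Added example: application-side authorization after ACS authentication.
// Registered in web.config under <system.identityModel><identityConfiguration>
// as the claimsAuthenticationManager type.
public class AcsAuthorizationManager : ClaimsAuthenticationManager
{
    // ACS adds this claim to every token; its value is the name of the
    // identity provider (Google, Windows Live, the Office 365 tenant, ...) that signed the user in.
    private const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Assumed values: replace with the provider display name and mail domain of your own tenant.
    private const string CorporateIdentityProvider = "Office 365 (assumed provider name)";
    private const string CorporateMailDomain = "@example.com";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Anonymous request: return it unchanged, WIF redirects to ACS for sign-in.
            return incomingPrincipal;
        }

        Claim providerClaim = identity.FindFirst(IdentityProviderClaim);
        Claim emailClaim = identity.FindFirst(ClaimTypes.Email);
        string provider = providerClaim == null ? null : providerClaim.Value;
        string email = emailClaim == null ? null : emailClaim.Value;

        // Authentication says who the user is; authorization is ours. Only users who came
        // in through the corporate provider with a corporate address become employees.
        bool isEmployee = provider == CorporateIdentityProvider
            && !string.IsNullOrEmpty(email)
            && email.EndsWith(CorporateMailDomain, StringComparison.OrdinalIgnoreCase);

        if (isEmployee)
        {
            // Role claims are issued here by the application itself, never taken
            // from the incoming token, so an external provider cannot grant roles.
            identity.AddClaim(new Claim(ClaimTypes.Role, "Employee"));
        }

        // Users from other providers stay authenticated but get no application roles.
        return incomingPrincipal;
    }
}
```

With this in place, `[Authorize(Roles = "Employee")]` on a controller or `User.IsInRole("Employee")` in a page reflects the application's own decision rather than anything the identity provider sent.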
This sounds great, but it is still no real Active Directory. With Active Directory we want to create and add users with their data and roles.
For some time now there has been an Active Directory based on Office 365 available. We create a directory; at this moment that is just a new <name>.onmicrosoft.com Office 365 account. In the future it will be possible to use my existing Joep-IT Office 365 account.
Via the SDK you can create a graph, query the data of the Active Directory and really use it. Super!
Now I can add users.
The new user gets an e-mail with a temporary password.
But what if you already have an on-premises Active Directory, does that mean you have to administer things twice? For ACS we already had AD FS (Active Directory Federation Services). With this your local AD users could be made available in the Cloud. But again not completely optimal. The 'new' Active Directory offers you better possibilities to sync your on-premises AD with the Cloud AD.
Applications can be added to the Cloud AD.
Which is great. I will come back with more details later!