
New CSP Cloud Identity Guidance Released for Partners using Azure Access Control Service

The Microsoft Hosting team has received partner feedback that meeting the CSP Identity Requirements would take significant development effort to make existing web portals and web apps compliant.

Using publicly shared information, the CSP Identity Requirements, and coding and testing efforts, the Microsoft Hosting technical team developed new identity guidelines for our partners, which allow them to easily modify existing portals and web apps in a compliant manner.

This guidance enables partners to create identity relationships with their customers via Azure Access Control Service (ACS). Once the relationship is created, a customer browses to the partner’s portal and enters their username.

ACS is an Azure service that provides an easy way for an organization to authenticate tenant users to access their web applications and services without having to add complex authentication logic to the code.

The following features are available in ACS:

  • Integration with Windows Identity Foundation (WIF).
  • Support for popular web Identity Providers (IPs) including Microsoft accounts (formerly known as Windows Live ID), Google, Yahoo, and Facebook.
  • Support for Active Directory Federation Services (AD FS) 2.0.
  • An Open Data Protocol (OData)-based management service that provides programmatic access to ACS settings.
  • A Management Portal that allows administrative access to the ACS settings.

The code then redirects the user to a page where they log in via the identity relationship, with the username pre-populated. This is the same process used when Microsoft employees access Office 365 services and, apart from the page redirection, it is seamless to the user. The user enters their password, which is authenticated against Azure AD. Once authenticated, the user lands in the partner’s customer-facing portal.

Figure: CSP and Authentication Stages using Azure Access Control Services (ACS)

Partners can choose to add logic to the code that determines whether the user is enabled for Microsoft Online Services. If not, the code redirects the user to enter their password for authentication in the partner’s environment.
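The routing decision described above, sketched as an added example that is not part of Microsoft's guidance: the portal decides from the domain of the entered username whether to send the browser to the ACS WS-Federation endpoint or to the partner's own password form. The namespace, realm, domain list, form path and function names are assumptions made for illustration, and the username pre-population step is left out because the hint parameter depends on the identity provider.

```python
import re
from urllib.parse import urlencode

# Assumed values, not from the article: replace with the partner's own settings.
ACS_NAMESPACE = "contoso-partner"             # hypothetical ACS namespace
RP_REALM = "https://portal.example.com/"      # hypothetical relying-party realm
FEDERATED_DOMAINS = {"customer-a.example"}    # constructed sample: MOS-enabled customers
LOCAL_FORM = "/login/password"                # hypothetical local password page

_USERNAME_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def safe_return_path(path):
    """Accept only local absolute paths so wctx cannot carry an open redirect."""
    bad = path.startswith("//") or "\\" in path or any(ord(c) < 0x20 for c in path)
    return path if path.startswith("/") and not bad else "/"


def route_sign_in(username, return_path="/"):
    """Return ("federated", url), ("local", path) or ("invalid", None)."""
    match = _USERNAME_RE.fullmatch(username.strip())
    if not match:
        return ("invalid", None)
    # Exact match on the whole domain: a suffix or substring test would let
    # "customer-a.example.attacker.test" pass as a federated customer.
    domain = match.group(1).lower()
    if domain not in FEDERATED_DOMAINS:
        # Not enabled for Microsoft Online Services: authenticate locally.
        return ("local", LOCAL_FORM)
    query = urlencode({
        "wa": "wsignin1.0",                      # WS-Federation passive sign-in
        "wtrealm": RP_REALM,                     # realm registered in ACS
        "wctx": safe_return_path(return_path),   # context echoed back with the token
    })
    host = f"{ACS_NAMESPACE}.accesscontrol.windows.net"
    return ("federated", f"https://{host}/v2/wsfederation?{query}")
```

Routing on the domain rather than the individual account means the redirect does not reveal whether a particular username exists. The token that comes back still has to be validated by the relying party (for example through WIF) before the portal session is created.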

This process allows partners to retain their significant investments in existing portals, authenticate non-Microsoft customers in a traditional manner and authenticate Microsoft Online Services enabled users in a compliant manner. 

For more information about Cloud Identity Management for CSP Partners, please download this document which details how it is implemented using the Azure Portal and various identity providers.
