
Authentication

Access to Memento resources is based on a claims model. Memento has been designed to use Microsoft Windows Azure Access Control Service (ACS) as a federation provider: ACS brokers authentication across one or more identity providers and issues the security tokens that the Memento Web API trusts.

This is how it works:

  1. The Memento client requests a resource from the Web API (the "Relying Party", or RP).
  2. Since the request is not yet authenticated, the RP redirects the user to the authority that it trusts, which is ACS. ACS presents the user with the choice of identity providers (IPs) that were configured for this RP, and the user selects the appropriate IP.
  3. The client browses to the IP's authentication page, which prompts the user to log on.
  4. After the user is authenticated (for example, by entering their credentials), the IP issues a security token.
  5. The IP then directs the client to send that security token to ACS.
  6. ACS validates the security token issued by the IP, feeds the identity claims in this token into the ACS rules engine, calculates the output identity claims, and issues a new security token that contains these output claims.
  7. ACS directs the client to send the security token that ACS issued to the RP. The RP validates the signature on the security token, checks that the token was issued by the ACS namespace it trusts, is addressed to this RP (the audience) and has not expired, extracts the claims for use by the application business logic, and returns the resource that was originally requested.
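The following is an added example, not code from the Memento project, that walks through steps 6 and 7 of the exchange above in Python. It stands in a toy rules engine for ACS, mints a token in the shape of ACS's Simple Web Token (form-encoded claims signed with HMAC-SHA256 over everything before the signature field, with Issuer, Audience and ExpiresOn as reserved fields), and then performs the relying-party checks: signature, issuer, audience and expiry, in that order, before any claim reaches business logic. The ACS namespace, audience URL, signing key, identity-provider name and rule table are all constructed for the example; a real ASP.NET relying party would normally delegate this work to a token-handling library, but the checks it must perform are the ones shown here.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed identifiers for the walkthrough; none of them are Memento's real
# ACS namespace, audience or key.
ACS_ISSUER = "https://memento-demo.accesscontrol.windows.net/"
RP_AUDIENCE = "https://memento.example/api/"
# ACS and the RP share a 256-bit symmetric key; derived from a fixed string
# here only so the example is reproducible.
RP_SIGNING_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()

# Toy stand-in for the ACS rules engine (step 6): each rule matches an input
# claim by issuer and type and emits an output claim, either passing the value
# through or substituting a fixed one. The rule table is constructed.
RULES = [
    {"in_issuer": "urn:constructed-ip", "in_type": "email", "out_type": "name"},
    {"in_issuer": "urn:constructed-ip", "in_type": "email",
     "out_type": "role", "out_value": "Reader"},
]

RESERVED = ("Issuer", "Audience", "ExpiresOn", "HMACSHA256")


def apply_rules(ip_issuer, ip_claims):
    """Map the identity provider's claims to the output claims the RP sees."""
    out = {}
    for rule in RULES:
        if rule["in_issuer"] != ip_issuer or rule["in_type"] not in ip_claims:
            continue
        value = rule.get("out_value", ip_claims[rule["in_type"]])
        out.setdefault(rule["out_type"], []).append(value)
    return out


def mint_swt(claims, key, issuer, audience, lifetime_s=600, now=None):
    """Issue an SWT-style token: form-encoded claims, then an HMAC-SHA256
    over everything before the HMACSHA256 field."""
    now = int(time.time()) if now is None else now
    fields = [(k, ",".join(v)) for k, v in claims.items()]
    fields += [("Issuer", issuer), ("Audience", audience),
               ("ExpiresOn", str(now + lifetime_s))]
    unsigned = urlencode(fields)
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + "&" + urlencode({"HMACSHA256": base64.b64encode(mac).decode("ascii")})


class TokenRejected(Exception):
    pass


def validate_swt(token, key, expected_issuer, expected_audience, now=None):
    """RP-side validation (step 7): signature first, then issuer, audience and
    expiry; only a token that passes all four yields claims."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_field = token.rpartition("&HMACSHA256=")
    if not sep:
        raise TokenRejected("token carries no HMACSHA256 field")
    try:
        presented = base64.b64decode(unquote(sig_field), validate=True)
    except ValueError:
        raise TokenRejected("signature is not valid base64")
    expected = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(presented, expected):
        raise TokenRejected("signature does not verify under the RP's key")
    fields = {}
    for k, v in parse_qsl(unsigned, keep_blank_values=True):
        if k in fields:
            raise TokenRejected("duplicate field %s" % k)
        fields[k] = v
    if fields.get("Issuer") != expected_issuer:
        raise TokenRejected("issuer is not the trusted ACS namespace")
    if fields.get("Audience") != expected_audience:
        raise TokenRejected("token was issued for a different relying party")
    try:
        expires = int(fields["ExpiresOn"])
    except (KeyError, ValueError):
        raise TokenRejected("missing or malformed ExpiresOn")
    if expires <= now:
        raise TokenRejected("token has expired")
    return {k: v.split(",") for k, v in fields.items() if k not in RESERVED}


def walkthrough(now=1_700_000_000):
    """Steps 4-7 end to end: genuine token accepted, edited token refused."""
    ip_claims = {"email": "alice@example.org"}          # constructed IP output
    output_claims = apply_rules("urn:constructed-ip", ip_claims)
    token = mint_swt(output_claims, RP_SIGNING_KEY, ACS_ISSUER, RP_AUDIENCE, now=now)
    accepted = validate_swt(token, RP_SIGNING_KEY, ACS_ISSUER, RP_AUDIENCE, now=now)
    # The client escalates its own role in transit; the HMAC no longer matches.
    forged = token.replace("role=Reader", "role=Admin")
    try:
        validate_swt(forged, RP_SIGNING_KEY, ACS_ISSUER, RP_AUDIENCE, now=now)
        forged_rejected = False
    except TokenRejected:
        forged_rejected = True
    return accepted, forged_rejected


if __name__ == "__main__":
    print(walkthrough())
```

The order of checks matters: the signature is verified before any field is trusted, so the issuer, audience and expiry values being compared are ones ACS actually signed. A token signed with the right key but minted for another relying party, or one whose ExpiresOn has passed, fails even though its signature is valid.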

Last edited Sep 2, 2013 at 2:12 PM by mattsalmon, version 4
