I recently went through the exciting process of setting up our SanSpug.org site to support various authentication mechanisms (LiveID, Google, Federated Auth, etc). I started off using Azure Access Control Services (ACS) because I thought it had everything I could ever want in a login aggregation platform. However, I soon realized that it just wasn't able to meet the simple needs of a small SharePoint User Group. And now that I know it can't meet those needs, I doubt it really meets the needs of large organizations either.
A bit about ACS
To be fair, ACS was the first of its kind. I remember when it was first released, it was sooooo cool. It really was. I built some cool labs off of it (the old UI), then the UI "disappeared" (at least, the link was gone from Azure at one point), only to reappear again in the latest incarnations. ACS isn't a part of the main Azure portal. It has its own interface, which has confused me to this day being that all the other services are moving into the current portal. Here's a screen shot of the two:
Why they are separate probably has to do with (put some random excuse here, but likely because of "legacy" configurations). It would make much more sense that Azure added ACS as its own separate application in the Azure Portal.
So what can we do with ACS? If you are familiar with ADFS, then you get the point. I can created "Identity Providers", "Relaying party applications" and claims rules between the two. The latter being one of the strengths of ACS (Quick history lesson, ADFS 1.0 was a real piece of junk, that left only one option, that option being ACS. It could do all the things that ADFS 2.0 was about to do). So what kinds of identity providers can we add? Well, here they are:
Hmm, interesting. So they have preconfigured providers for LiveID, Google and Yahoo. Fair enough, those don't actually need an application (client id and client secret) created for them. But "Facebook". Ummm, that one needs an app created for it to do federated auth. Ok, let's do it. Added a facebook app used to be fairly easy back in the day, now the UI sucks. And the process to get a simple "App Stub" created requires a canvas page? Whatever. Fail on facebook's part. Ok, back to ACS. So they are allowing us to do federated auth to OAuth providers. Ok. So how do I add others? Like Twitter? Maybe Yammer? Oh…YOU CAN'T! But you can do WS-Federation all day long. Boring. Oh, did I mention the Google one doesn't work anymore? Yeah, Google seems to have disabled the interface that ACS was using.
Ok, so ACS is dead "to me". So what do I do now? Do I build my own? Ugg, that means I need to register an app in EVERY possible OAuth provider on the planet. Similar hoops to jump through (approve the app, screen shots, canvas page, terms…ugg, no thank you).
Let's do some research, maybe someone built a better ACS? Maybe someone did all that work to register an app EVERYWHERE? After a few google searches, some tweets…I find….Auth0.com.
Auth0 is the ACS killer. I have no doubt that after the right people at Microsoft see what they have built, Auth0 will be picked up in a M&A transaction. I'm going to tell the guys to hold out and get 4-5 offers and bid the price up. I have no doubt, they will go for $100Ms in a liquidity event. So why are they so cool? Because you can add ANYTHING! Check this $^&%^% out! Database, Social and Enterprise:
Database (think ASPNETDB – this is a biggy for SP2015 by they way):
Social (oh right…ACS gives us…Facebook…totally lame):
Wait…do you see the one at the bottom? Yeah…that's SharePoint Apps for on-premises (courtesy of Chris Beckett consulting services). Oh…do you see the O365 and Windows Azure AD one? Oh yeah…that's Azure AD Apps…umm, so why are you using ACS again?
Telemetry and Metrics
Are you freaking kidding me? ACS would never have thought this up. You get telemetry on when and how your users are logging in:
The logs are also pretty sweet:
You see the profile JSON response in the Logs that contains the Access Token (if provided) so if you need to debug something, you have everything you need!
Wait…it gets better (but maybe a bit confusing for you that haven't been doing this stuff for a while). In addition to allowing your Apps access to all these federated OAuth platforms, it itself is an App registry. You can create your App in the Auth0 interface, which is then exposed as a WS-Federation end point!!! Holy $%&^&$^! Forced to use ACS, but you think it sucks like I do? Hey…add your Auth0 WS-Federation endpoint, and just like one of those "I saw it on TV adds", "Set it and forget it!":
Oh baby…if they weren't already ahead of the competition. This is the future. Forget about all those APIs you have to write to and learn. Why bother with the auth parts? All you need is to call the API and get that JSON response back. Here's what they support:
Do you have some ACS rules? Yeah, they support that too…what they don't have is an ACS rule importer. That would be so slick. Easily migrate from crappy old ACS, to shiny new Auth0:
Just to add insult to injury…woah…custom emails…custom whatever! When someone hits your fed auth endpoint…send em an email based off the claims!
Is ACS Dead? Yeah, to me it is. To the masses that didn't know any better, consider yourself educated. As the word spreads, I'm sure there will be a mass ACS exodus very soon!