With different components (management portal for administrators, Service Management API, Service Provider Foundation, and VMM) involved in delivering the VM Clouds service, it is imperative that communication between each component happens over secure channels. The following steps show how a user is authenticated across the management portal for administrators, Service Management API, Service Provider Foundation, and VMM.
1. A user, without claims, accesses the portal.
2. Portal redirects the user to the Secure Token Service (STS).
3. STS redirects the user to a login page
4. The user enters the credentials in the login page
5. The user is authenticated against the STS
6. In response, the STS issues a claim token to the user
7. The user uses the claims to access the portal
8. The portal passes on the claims to the Service Management API.
9. The user is then authenticated with Service Provider Foundation using basic authentication. The Service Management API addresses Service Provider Foundation through basic authentication as an admin, but passes tenant subscription and user ID information to Service Provider Foundation.
10. Service Provider Foundation validates requests using role metadata stored in the Service Provider Foundation database. Once it is verified that a requestor has access to the scope and specific objects in the request, Service Provider Foundation uses credentials for the underlying service application pool (provided during Service Provider Foundation installation) to perform management tasks on behalf of the requestor. This service application pool account must already be an administrator on the VMM server.
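The delegation in steps 9 and 10 has one security-relevant consequence: Service Provider Foundation trusts the admin basic-auth caller for the tenant context it carries, so the role-metadata check is the only gate that keeps one tenant from acting on another tenant's objects. The following Python sketch is an added example, not code from the original page or from Service Provider Foundation; the role metadata, account names, passwords and VM identifiers are constructed stand-ins.

```python
import base64
from dataclasses import dataclass

# Constructed stand-in for role metadata in the SPF database:
# subscription -> allowed users, cloud scope, and VM objects.
ROLE_METADATA = {
    "sub-1111": {"users": {"alice@contoso"}, "scope": "cloud-gold", "vms": {"vm-01", "vm-02"}},
    "sub-2222": {"users": {"bob@fabrikam"}, "scope": "cloud-silver", "vms": {"vm-09"}},
}
SMAPI_ADMIN = ("smapi-svc", "placeholder-password")  # constructed admin principal
APPPOOL_ACCOUNT = "CONTOSO\\spf-apppool"             # constructed app-pool account (VMM admin)


@dataclass
class Request:
    headers: dict
    subscription: str   # tenant subscription passed by the Service Management API
    user: str           # tenant user ID passed by the Service Management API
    vm: str
    action: str


def smapi_build_request(subscription, user, vm, action):
    """Service Management API side: admin basic auth plus the tenant context."""
    token = base64.b64encode(f"{SMAPI_ADMIN[0]}:{SMAPI_ADMIN[1]}".encode()).decode()
    return Request({"Authorization": f"Basic {token}"}, subscription, user, vm, action)


def spf_handle(req, vmm_log):
    """SPF side: verify the admin caller, then the role metadata, then act as the app pool."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "401 missing basic auth"
    user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    if (user, pwd) != SMAPI_ADMIN:
        return "401 caller is not the admin principal"
    # Tenant isolation lives entirely here: the caller is already trusted.
    meta = ROLE_METADATA.get(req.subscription)
    if meta is None or req.user not in meta["users"]:
        return "403 user is not a member of the subscription"
    if req.vm not in meta["vms"]:
        return "403 object is outside the subscription scope"
    # Only now does SPF act on VMM, using the app-pool credentials, on the tenant's behalf.
    vmm_log.append(f"{APPPOOL_ACCOUNT} {req.action} {req.vm} on behalf of {req.user}")
    return "200 ok"
```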