Access
Control resources are defined in your service namespace and are used to
define the federation schemes, rules, token issuers, and policies that
help realize claims-based identity federation and mapping in the cloud.
This section covers ACS resource concepts and the tools required to
interact with these resources.
Acm.exe is a command-line
tool shipped with the AppFabric SDK. You can perform CREATE (C), READ
(R), UPDATE (U), and DELETE (D) operations on your namespace's ACS
resources (scopes, issuers, token policy, and rules). Acm.exe uses the
management API to interact with the ACS. The source code for ACM.exe is
included in the SDK. You can use the source code as a starting point to
build your own web or executable application to interact with ACS. You
can find the Acm.exe usage options in the AppFabric ACS documentation
at http://msdn.microsoft.com/en-us/library/ee706706.aspx.
Some developers at Microsoft have also released a sample Windows client
application called ACS Management Browser, which is available at http://code.msdn.microsoft.com/acmbrowser.
ACS resources have a hierarchical structure, with your account at the top of the hierarchy. The ACS hierarchy is illustrated in Figure 1.
The ACS hierarchy consists of three main levels: AppFabric account, service namespace, and resources.
1. Service Namespace
A service namespace
is a collection of ACS resources like rules sets, issuers, scope, and
token policy. From a resources perspective, the service namespace is
the root of the resource tree. An account can contain many service
namespaces. All the resources under the service namespace can belong to
only one single service namespace—you can't share resources across
multiple service namespaces. You can create a service namespace from
the management portal by clicking the Add Service Namespace link, as
shown earlier.
2. Token Policy
A token policy defines
the token expiration and signature key of ACS-issued tokens. This
policy can be associated with more than one scope. Typical parameters
for a token policy are as follows:
You can create a token policy using the Acm.exe tool, as follows:
acm.exe create tokenpolicy -name:<Token Policy Name> -autogeneratekey -
host:accesscontrol.windows.net -service:<Service Namespace>
-mgmtkey:<Management Key>
<Token Policy Name>
is an alphanumeric name for the token policy. You can get the service
namespace and the management key from the Management Portal. When you
execute the command, ACS returns a token policy ID that you can use as
a parameter in other operations such as deleting a token policy or
creating a scope.
You can also use the Access Control Management browser to create token policies. Figure 2 shows the user interface to create token policies.
3. Scope
A scope
is a collection of rules used by ACS to map input claims to output
claims. ACS uses the scope URI to group rules. When you submit a
request to the scope URI, ACS checks for the applies_to parameter and
generates output claims if both the URIs matches. One service namespace
can contain many scopes. The typical parameters required to interact
with the scope resource are as follows:
AppliesTo: The URI of the resource to which this scope applies
RuleSets/Id: The ID of the rule set for the scope
TokenPolicyId: The ID of the token policy associated with the scope
To create a scope with the Acm.exe tool, use the following command:
acm.exe create scope -name:<Scope Name> -appliesto:<Applies To>
-tokenpolicyid:<Token Policy
Id> -host:<Host> -service:<Service Namespace> -mgmtkey:<Management Key>
Host
is the host name of the management service (most likely
accesscontrol.windows.net), -mgmtkey is the management key from the
Management Portal, and -tokenpolicyid is the token policy ID returned
when you created a token policy.
When you create a scope, ACS
returns a scope ID that you should record for further operations like
deleting a scope and creating rules. You can also use the Access
Control Management browser to create scopes. Figure 3 shows the user interface to create scopes.