4. Issuer
An issuer represents the party that issues an input token to ACS. In ACS, an issuer consists of a set of cryptographic key materials that service consumers use when authenticating with ACS. The cryptographic keys can be either a pair of Base64-encoded 32-byte keys or an X.509 certificate. X.509 certificates are specifically used to authenticate SAML tokens created by ADFS 2.0. One service namespace can contain many issuers.
To create an issuer with the Acm.exe tool, use the following command:
acm.exe create issuer -name:<Friendly Issuer Name> -issuername:<Issuer Name> -autogeneratekey -host:<Host> -service:<Service Namespace> -mgmtkey:<Management Key>
<Friendly Issuer Name> is a display name for the issuer, and <Issuer Name>
is the value used by the STS to validate the input issuer value. After
an issuer is created, ACS returns an IssuerID that you should record
for further operations like deleting an issuer and creating rules. You
can use other parameters to specify the algorithm, certificate, and key.
You can also use the Access Control Management browser to create an issuer. Figure 4 shows the user interface to create issuers.
5. Ruleset
Rulesets are collections
of rules. Every scope contains exactly one ruleset. In the current
(AppFabric November 2009 CTP) release, a ruleset resource is
automatically created and associated with a scope. You can't create
rulesets using the management service API in this release.
6. Rule
The ACS rules engine is the core differentiator of ACS from any technology currently available in the cloud. The rules define the mapping between input claims and output claims and, as a result, abstract the input claims coming from different token providers into a single view in the form of an SWT token. The output claims are included in the final SWT token created by ACS. A rule must be associated with a ruleset. In the current release (AppFabric November 2009 CTP), a ruleset is automatically associated with a scope and shares a common identifier with it.
To create a rule with the Acm.exe tool, use the following command:
acm.exe create rule -name:<Rule Name> -scopeid:<Scope ID> -inclaimissuerid:<Issuer ID> -inclaimtype:<Input Claim Type> -inclaimvalue:<Input Claim Value> -outclaimtype:<Output Claim Type> -outclaimvalue:<Output Claim Value> -host:accesscontrol.windows.net -service:<Service Namespace> -mgmtkey:<Management Key>
The parameters are as follows:
scopeid: The scope to which this rule belongs. The scopeid is output by ACS when you create a new scope using Acm.exe.
inclaimissuerid: The ID of the input claim's issuer. An input claim is defined as a type/value pair. The issuer ID is output by ACS when you create a new issuer.
inclaimtype: The type of the claim included in the token by the token issuer (such as ADFS 2.0). ACS maps inclaimtype to outclaimtype.
inclaimvalue: The value of the input claim type defined by the inclaimtype parameter. This value is included as part of the token issued by the issuer and sent to ACS.
outclaimtype: The type of claim issued by ACS in the SWT.
outclaimvalue: The value of the claim defined by outclaimtype. This value is included by ACS in the SWT it issues.
passthrough: Optional. If included, ACS includes the input claims as output claims in the issued token.
You can also use the Access Control Management browser to create a rule. Figure 5 shows the user interface to create rules.
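The issuer and rule concepts described in sections 4 and 6 can be modelled end to end. The following Python block is an added illustration, not ACS code and not from this article: it keeps a small issuer registry (IssuerID, issuer name and a Base64-encoded 32-byte key), checks that the Issuer field of an incoming SWT matches a registered issuer name, verifies the token's HMAC with that issuer's key, evaluates rules keyed by inclaimissuerid/inclaimtype/inclaimvalue (with an optional passthrough), and emits the output claims as a new SWT. The SWT layout used here (form-encoded claims followed by an HMACSHA256 parameter, same-typed values joined with commas), the key name SCOPE_SIGNING_KEY_B64 used to sign the output token, and all issuer, claim and key values are assumptions of this example; the page does not say which key signs the output token.

```python
import base64
import hashlib
import hmac
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Constructed keys: 32 bytes each, Base64-encoded as the article describes issuer keys.
ISSUER_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
# Assumed: a separate key with which the output SWT is signed (not described on the page).
SCOPE_SIGNING_KEY_B64 = base64.b64encode(bytes(range(32, 64))).decode()


@dataclass(frozen=True)
class Issuer:
    issuer_id: str   # the IssuerID ACS returns at creation; referenced by rules as inclaimissuerid
    name: str        # -issuername: compared against the Issuer field of the input token
    key_b64: str     # Base64-encoded 32-byte key the consumer uses to sign its input token


@dataclass(frozen=True)
class Rule:
    inclaimissuerid: str
    inclaimtype: str
    inclaimvalue: str
    outclaimtype: str
    outclaimvalue: str


def _hmac_b64(body: str, key_b64: str) -> str:
    key = base64.b64decode(key_b64)
    return base64.b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()


def _coalesce(claims: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Join values of the same claim type with commas (assumed multi-value convention)."""
    merged: dict[str, str] = {}
    for ctype, value in claims:
        merged[ctype] = value if ctype not in merged else merged[ctype] + "," + value
    return list(merged.items())


def swt_sign(claims: list[tuple[str, str]], key_b64: str) -> str:
    """Form-encode the claims and append HMACSHA256 computed over the encoded string."""
    body = urllib.parse.urlencode(_coalesce(claims))
    return body + "&HMACSHA256=" + urllib.parse.quote(_hmac_b64(body, key_b64), safe="")


def swt_parse(token: str) -> tuple[str, dict[str, str], str]:
    """Split a token into (signed body, claims, presented signature) without verifying it."""
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token has no HMACSHA256 parameter")
    claims = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    return body, claims, urllib.parse.unquote(sig)


def swt_verify(token: str, key_b64: str) -> Optional[dict[str, str]]:
    """Return the claims if the HMAC matches the key, otherwise None."""
    body, claims, presented = swt_parse(token)
    if not hmac.compare_digest(_hmac_b64(body, key_b64).encode(), presented.encode()):
        return None
    return claims


def evaluate_rules(issuer_id: str, input_claims: dict[str, str], rules: list[Rule],
                   passthrough: bool = False) -> list[tuple[str, str]]:
    """A rule fires only when issuer ID, input claim type and input claim value all match."""
    output = [(r.outclaimtype, r.outclaimvalue) for r in rules
              if r.inclaimissuerid == issuer_id
              and input_claims.get(r.inclaimtype) == r.inclaimvalue]
    if passthrough:
        # Copy the input claims through; the Issuer field is token metadata, so it is skipped here.
        output.extend((t, v) for t, v in input_claims.items() if t != "Issuer")
    return output


def process_token_request(token: str, issuers: list[Issuer], rules: list[Rule],
                          passthrough: bool = False) -> Optional[str]:
    """Model the ACS front door: look up issuer by name, verify, map claims, issue an SWT."""
    try:
        _, unverified, _ = swt_parse(token)
    except ValueError:
        return None
    issuer = next((i for i in issuers if i.name == unverified.get("Issuer")), None)
    if issuer is None:
        return None                       # unknown issuer name: no key to verify against
    claims = swt_verify(token, issuer.key_b64)
    if claims is None:
        return None                       # signature does not match the issuer's key
    output = evaluate_rules(issuer.issuer_id, claims, rules, passthrough)
    return swt_sign(output, SCOPE_SIGNING_KEY_B64)
```

Note that the issuer is located by the name in the token only to select a key; nothing in the unverified claims is trusted until swt_verify has succeeded, and rules are keyed by the IssuerID rather than the user-supplied name.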
In this section, you saw how
to create resources in ACS that can be used for claims-based
authentication and authorization in federated scenarios. The next
section covers the programming aspects of using ACS in your solution.