How to: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key
Updated: June 19, 2015
Applies To: Azure
Applies To
- Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS)
Summary
Service Identities are a type of credential configured globally for the Access Control namespace that allows applications or users to authenticate directly with ACS and receive a token. Service identities are used most commonly in REST web service scenarios using the OAuth WRAP protocol, where a client requests an SWT token directly from ACS to present to the web service.
Contents
Objectives
Overview
Step 1 - Add a Service Identity with a Password
Step 2 - Add a Service Identity with a Symmetric Key
Step 3 - Add a Service Identity with an X.509 Certificate
Related Items
Objectives
Enumerate types of service identity credentials.
Map credentials types to token formats and protocols.
Overview
There are three types of service identity credentials:
Passwords—Passwords are used in plaintext token requests to Access Control Service using the OAuth WRAP protocol. The password field corresponds to the wrap_password parameter in an OAuth WRAP v0.9 token request, and the username field corresponds to the wrap_name parameter.
Symmetric Keys—Symmetric keys are used in signed SWT token requests to Access Control Service using the OAuth WRAP protocol. This symmetric key is used to create the HMACSHA256 signature in the signed SWT token presented to Access Control Service.
X.509 Certificates—X.509 certificates (public key only) are used to validate the signature of signed SAML token requests made to ACS using the WS-Trust protocol.
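The symmetric key case above is easiest to understand from the SWT format itself: the token is a form-encoded list of claims, and the key is used to compute an HMACSHA256 over that string, appended as the final HMACSHA256 field. The following Python is an added example, not code from the original page or from ACS; it generates a 256-bit key in the base64 form ACS uses, signs an SWT with it, and then validates a token the way a relying web service should (signature first, with a constant-time comparison, then Issuer, Audience and ExpiresOn). The issuer and audience URLs, the fixed clock value and the claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Keys and claim values below are constructed for this example; the issuer and
# audience URLs are placeholders, not an existing ACS namespace.


def generate_symmetric_key() -> str:
    """Return a random 256-bit key, base64-encoded (the form ACS uses for symmetric keys)."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def _hmac_sha256_b64(key_b64: str, data: str) -> str:
    """HMAC-SHA256 of data under the base64-encoded key, returned as standard base64."""
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_swt(claims: dict, key_b64: str) -> str:
    """Build a Simple Web Token: form-encoded claims with a trailing HMACSHA256 field.

    The MAC covers everything before "&HMACSHA256="; its base64 value is URL-encoded.
    """
    unsigned = urlencode(claims)
    signature = _hmac_sha256_b64(key_b64, unsigned)
    return unsigned + "&HMACSHA256=" + quote(signature, safe="")


def validate_swt(token: str, key_b64: str, issuer: str, audience: str, now: int) -> dict:
    """Verify an SWT as a relying web service should and return its claims.

    Raises ValueError on any failure: missing or bad signature, wrong Issuer or
    Audience, or an ExpiresOn that is not in the future. The MAC is checked
    first, in constant time, so claims from an unsigned token are never trusted.
    """
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 signature")
    unsigned, encoded_sig = token[:idx], token[idx + len(marker):]
    expected = _hmac_sha256_b64(key_b64, unsigned)
    if not hmac.compare_digest(unquote(encoded_sig), expected):
        raise ValueError("HMACSHA256 signature does not verify")

    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected Issuer")
    if claims.get("Audience") != audience:
        raise ValueError("unexpected Audience")
    try:
        expires_on = int(claims["ExpiresOn"])  # seconds since the Unix epoch
    except (KeyError, ValueError):
        raise ValueError("missing or malformed ExpiresOn") from None
    if expires_on <= now:
        raise ValueError("token has expired")
    return claims


def run_demo() -> dict:
    """Sign one token and report what the validator accepts and rejects."""
    issuer = "https://example-namespace.accesscontrol.windows.net/"  # placeholder
    audience = "http://localhost/relying-service/"                   # placeholder
    now = 1_700_000_000                                              # fixed clock
    key = generate_symmetric_key()
    claims = {"Issuer": issuer, "Audience": audience,
              "ExpiresOn": str(now + 300), "role": "reader"}
    token = sign_swt(claims, key)

    def rejected(tok: str, k: str = key, at: int = now) -> bool:
        try:
            validate_swt(tok, k, issuer, audience, at)
            return False
        except ValueError:
            return True

    return {
        "accepted_role": validate_swt(token, key, issuer, audience, now)["role"],
        "tampered_rejected": rejected(token.replace("role=reader", "role=admin")),
        "wrong_key_rejected": rejected(token, generate_symmetric_key()),
        "expired_rejected": rejected(token, at=now + 600),
        "unsigned_rejected": rejected(token[:token.rfind("&HMACSHA256=")]),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The order of checks in validate_swt is the point worth copying: a validator that parses claims before verifying the MAC, or that compares signatures with ordinary string equality, weakens exactly the protection the symmetric key is meant to give.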
Summary of Steps
Step 1 - Add a Service Identity with a Password
Step 2 - Add a Service Identity with a Symmetric Key
Step 3 - Add a Service Identity with an X.509 Certificate
Step 1 - Add a Service Identity with a Password
To add a service identity with a password credential type
On the Access Control Service management portal, click Service Identities.
Click Add Service Identity.
In the Name field, enter a name for the service identity. This will be the username value used in the token request.
Click Save.
On the next page, click Add Credential.
In the Display name field, provide a value.
In the Type field, select Password.
In the Password field, enter a password.
In the Effective date field, set the date at which this credential will take effect.
In the Expiration date field set the date at which this credential will expire.
Click Save.
Step 2 - Add a Service Identity with a Symmetric Key
To add a service identity with a symmetric key credential type
On the Access Control Service management portal main page, click Service Identities.
Click Add Service Identity.
In the Name field, enter a name for the service identity.
Click Save.
On the next page, click Add Credential.
In the Display name field, provide a value.
In the Type field, select Symmetric Key.
In the Key field, click Generate to automatically generate a random 256-bit symmetric key. Or, enter your own 256-bit symmetric key.
In the Effective date field, set the date at which this credential will take effect.
In the Expiration date field, set the date at which this credential will expire.
Click Save.
Step 3 - Add a Service Identity with an X.509 Certificate
To add a service identity with an X.509 certificate credential type
On the Access Control Service management portal main page, click Service Identities.
Click Add Service Identity.
In the Display name field, enter a name for the service identity.
Click Save.
On the next page, click Add Credential.
In the Name field, provide a value.
In the Type field, select X.509 Certificate.
In the Certificate field, browse to load an X.509 certificate (.cer file) that contains the public key required to validate token signatures.
Click Save.