ACS Architecture

Updated: June 19, 2015

Applies To: Azure

This topic outlines the architecture and key components of Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS).

ACS v2 Architecture

Security Token Service

The ACS Security Token Service (STS) is the set of endpoints that issue tokens to your relying party applications. In other words, STS is the service that ACS uses to provide federated authentication to your web applications and services. ACS supports a variety of protocols that allow it to be accessed from any web platform including .NET Framework, WCF, Silverlight, ASP.NET, Java, Python, Ruby, PHP, and Flash.

ACS supports the following protocols:

  • OAuth WRAP

  • OAuth 2.0

  • WS-Trust

  • WS-Federation

For more information, see Protocols Supported in ACS.

ACS supports the following security token formats:

  • JSON Web Token (JWT)

  • SAML 1.1

  • SAML 2.0

  • Simple Web Token (SWT)

For more information, see Token Formats Supported in ACS.

The URI’s to specific endpoints can be obtained through the ACS Management Portal. URI’s can be used for different tasks. For example:

  • The WS-Federation Metadata endpoint URI can be used when integrating web applications with ACS. WS-Federation metadata can be consumed by a WIF application (or other WS-Federation-compliant application) in order to share certificate information and automate configuration.

  • The ACS Management Service endpoint URI can be used when programmatically managing an Access Control namespace with the ACS Management Service. For more information, see ACS Management Service.

ACS 2.0 Management Portal

The ACS Management Portal is a web-based user interface that ACS administrators can use to manage the configuration settings of a specific Access Control namespace. For more information, see ACS Management Portal.

Management Service

The ACS Management Service makes it possible for you to manage ACS programmatically, using the Open Data (OData) protocol. For more information, see ACS Management Service.

Token Transformation Rule Engine

The ACS rule engine is used to process the input claims that are present in the security tokens that ACS receives from clients and to generate output claims that are present in the security tokens that ACS issues to relying party applications. For more information, see Rule Groups and Rules.

See Also


ACS 2.0 Components