Manage Certificates and User Roles in Service Provider Foundation


Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 R2 Orchestrator

Service Provider Foundation provides a claims-based authentication security model for a tenant's access to services and resources. It registers the certificate's public key and issuer name from an issued certificate, and maintains that information as trusted issuer objects.

To provide secure multi-tenant operations, requests are performed in the context of a user role that maps a claim token from a tenant to a Tenant Administrator User Role or to a Tenant Self-service User Role. These user roles must be defined in System Center 2012 – Virtual Machine Manager (VMM) including their scope, resources, and actions.

Hoster administrators can use the Service Provider Foundation OData services to create the required infrastructure. For more information, see the Service Provider Foundation Developer's Guide.

A typical on-boarding tenant scenario is as follows:

  1. A prospective tenant investigates a hoster's services by evaluating the offered plans.

  2. The prospective tenant subscribes to a plan (offer objects in Service Provider Foundation), which generates a new subscription in a portal application and creates a new tenant in the Service Provider Foundation database.

    During this process, a tenant uploads the public key for their certificate file. This lets the host to register the tenant and configure user security roles in Virtual Machine Manager.

  3. The portal applications and hoster administrators configure a tenant's connections to the hoster’s service by using the service OData protocol URLs and tokens verified with the tenant's certificate that contains the private key.

Hoster administrators can also use the IDs generated by Service Provider Foundation cmdlets that create tenant or tenant user roles as the ID values for the corresponding VMM cmdlets that create actual user roles. The Service Provider Foundation cmdlets do the following:

  • Generate the ID for a Tenant Administrator User Role when a tenant is created by using the New-SCSPFTenant cmdlet.

  • Generate the ID for a Tenant Self-Service User Role when a tenant user role is created by using the New-SCSPFTenantUserRole cmdlet.

Multi-tenancy is additionally aided by new feature capabilities that are available in Windows Server 2012 such as Network Virtualization.

Managing certificates and user roles topics

Other resources for this component