Service Identities

Updated: June 19, 2015

Applies To: Azure

In Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS), a service identity is a credential that is registered with an Access Control namespace and is intended for use by autonomous applications or clients. In other words, service identities are credentials that are configured globally for the Access Control namespace that allow applications or clients to authenticate directly with ACS and receive a token. An Access Control namespace may contain many service identities.

In ACS, service identities are usually used for authenticating an autonomous application or client with an Access Control namespace and thereby grant that autonomous application or client access to the relying party application.

Note

Rule groups that are associated with relying party applications exclusively define which service identities are accepted for which relying party applications.

Service identities are not intended to be used as end-user credentials. In ACS, service identities are most commonly used in REST web service scenarios, over the OAuth WRAP protocol, where a client requests a SWT token directly from ACS to present to the web service.

Credential Types

The following are the credential types that an ACS service identity can be associated with:

  • Symmetric key—This credential is used in signed SWT token requests to ACS over the OAuth WRAP or the OAuth 2.0 protocols or in signed JWT token requests to ACS over the OAuth 2.0 protocols. In other words, this credential allows autonomous applications or clients to authenticate with ACS by issuing a SWT or a JWT token and signing that SWT or JWT token with a symmetric key.

  • Password—This credential allows autonomous applications or clients to authenticate with ACS by transmitting this credential to an Access Control namespace. Password credentials are sent in plaintext token requests to ACS over the OAuth WRAP or the OAuth 2.0, or the WS-Trust protocols.

  • X.509 Certificate—An X.509 Certificate credential allows autonomous applications and clients to authenticate with ACS via the WS-Trust protocol (certificate authentication).

For more information and detailed steps about how to add service identities with the credentials previously described using the ACS Management Portal, see How to: Add Service Identities with an X.509 Certificate, Password, or Symmetric Key.

See Also

Concepts

ACS 2.0 Components