Managed Namespaces

Updated: June 19, 2015

Applies To: Azure

A managed namespace is an Access Control namespace that is partially managed by another service. These Access Control namespaces are similar to standard Access Control namespaces, except that their managed settings cannot be viewed or edited, and you cannot use an application-specific certificate to sign tokens for a relying party application.

Examples of Managed Namespaces

Azure Service Bus uses a dedicated Access Control namespace to control access to the Service Bus service. These namespaces are characterized by a "-sb" in the namespace name.

Azure Cache uses a dedicated Access Control namespace to control access to the Cache service. These namespaces are characterized by a "-cache" in the namespace name.

Managed Settings

Token-Signing Certificates and Keys—Token-signing certificates and keys for the namespace are managed automatically. In the ACS Management Portal, these certificates and keys are hidden and users cannot add new token-signing certificates or keys at the namespace level. In the management service, clients are not able to read or write to the ServiceKeys table.

When you add a new relying party application to a managed namespace, the certificate and key process depends on the type of relying party that you are adding:

  • Microsoft-managed relying party applications in a managed namespace, such as a Service Bus relying party in a Service Bus namespace or a cache namespace, must use the certificates and keys for the namespace. If the tokens that are issued to Microsoft-managed relying party applications in managed namespaces are signed with an application-specific (dedicated) certificate or key, authentication does not work properly.

    When you add a Microsoft-managed relying party application to a managed namespace, such as a Service Bus relying party in a Service Bus namespace, select the Use service namespace certificate (standard) option, which directs ACS to use the certificate for all applications in the managed namespace.

    On the Certificates and Keys page, do not select Add Token Signing Certificate. If you are required to enter a certificate or key, such as when using the SWT protocol, enter the required information, and then, after saving, return to the page and delete the application-specific certificate or key.

  • When you add a custom relying party application that you manage, select the Use a dedicated certificate option to create an application-specific certificate or key. Do not rely on the ACS-managed certificates and keys that are configured for the entire namespace. If you do, the certificates and keys expire, typically within a year, and you cannot renew them. Managed namespaces are not intended to be used for custom solutions. Instead, use standard Access Control namespaces.

Decryption Certificates—Token-decryption certificates are automatically managed. In the ACS Management Portal, these certificates are hidden and users cannot add new token-decryption certificates. In the management service, clients are not able to read or write to the ServiceKeys table.

Unlike regular Access Control namespaces, managed namespaces are not intended to be used for custom solutions.

See Also

Concepts

Access Control Namespace