Protocols Supported in ACS

Updated: June 19, 2015

Applies To: Azure

Once Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) creates a security token, it uses various standard protocols to return it to relying party applications. The following table provides descriptions of the standard protocols used by ACS to issue security tokens to your relying party applications and services.

Protocol name Description

WS-Trust 1.3

WS-Trust is a web service (WS-*) specification and Organization for the Advancement of Structured Information Standards (OASIS) standard that deals with the issuing, renewing, and validating of security tokens, as well as with providing ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange. ACS supports WS-Trust 1.3.

For more information about WS-Trust and WS-Federation, see Understanding WS-Federation (


WS-Federation extends WS-Trust by describing how the claim transformation model inherent in security token exchanges can enable richer trust relationships and advanced federation of services. WS-Federation also includes mechanisms for brokering the identity, discovering and retrieving attributes, authenticating and authorizing claims between federation partners, and protecting the privacy of these claims across organizational boundaries. These mechanisms are defined as extensions to the Security Token Service (STS) model defined in WS-Trust.

For more information about WS-Trust and WS-Federation, see Understanding WS-Federation (

OAuth WRAP and OAuth 2.0

Open Authorization (OAuth) is an open standard for authorization. OAuth allows users to hand out tokens, instead of credentials, to their data hosted by a given service provider. Each token grants access to a specific site for specific resources and for a defined duration. This allows a user to grant a third-party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.

Web Resource Authorization Protocol (WRAP) is a profile of OAuth, also called OAuth WRAP. While similar in pattern to OAuth 1.0, the WRAP profiles have a number of important capabilities that were not previously available in OAuth. The OAuth WRAP profiles allow a server hosting a protected resource to delegate authorization to one or more authorities. An application (client) accesses the protected resource by presenting a short-lived, opaque, bearer access token obtained from an authority. There are profiles for how a client may obtain an access token when acting autonomously or on behalf of a user. For more information, see How to: Request a Token from ACS via the OAuth WRAP Protocol.

OAuth WRAP has been deprecated in favor of the OAuth 2.0 specification, which is the next evolution of the OAuth protocol. OAuth 2.0 focuses on client developer simplicity, while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. For more information about OAuth WRAP, see OAuth Web Resource Authorization Profiles draft-hardt-oauth-01 ( For more information about OAuth 2.0, see The OAuth 2.0 Protocol draft-ietf-oauth-v2-13 (

See Also


ACS Architecture
ACS 2.0 Components