ACS Architecture
Updated: June 19, 2015
Applies To: Azure
This topic outlines the architecture and key components of Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS).
Security Token Service
The ACS Security Token Service (STS) is the set of endpoints that issue security tokens to your relying party applications. In other words, the STS is the component ACS uses to provide federated authentication to your web applications and services: the STS accepts a token from a trusted identity provider, runs it through the rule engine, and issues a new token signed by the Access Control namespace. The relying party trusts only that namespace's signature, so it must still validate the signature, issuer, audience, and expiry of every token it receives. ACS supports a variety of protocols that allow it to be used from any web platform or framework, including .NET Framework, WCF, Silverlight, ASP.NET, Java, Python, Ruby, PHP, and Flash.
ACS supports the following protocols:
OAuth WRAP
OAuth 2.0
WS-Trust
WS-Federation
For more information, see Protocols Supported in ACS.
ACS supports the following security token formats:
JSON Web Token (JWT)
SAML 1.1
SAML 2.0
Simple Web Token (SWT)
For more information, see Token Formats Supported in ACS.
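Of the four formats, the Simple Web Token is the easiest to inspect by hand and the one most often validated without a library, so it makes a good illustration of what a relying party has to check. The following is an added example (not code from the ACS documentation or from Microsoft): it issues an SWT the way an ACS namespace does, as form-encoded claims followed by an HMAC-SHA256 over the unsigned string under the namespace's symmetric key, and then verifies one. The signing key, namespace name, audience URI, and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SIG_CLAIM = "HMACSHA256"  # SWT signature claim; the MAC covers everything before "&HMACSHA256="

# Constructed sample values (assumptions for the example, not real ACS data).
SIGNING_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode("ascii")
ISSUER = "https://contoso.accesscontrol.windows.net/"      # the Access Control namespace
AUDIENCE = "http://localhost/myapp/"                        # relying party realm
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
FIXED_NOW = 1_434_700_000                                   # fixed clock so results are reproducible


def sign_swt(claims, signing_key_b64):
    """Issue an SWT: form-encode the claims, then append HMACSHA256=<base64 MAC>
    computed over the unsigned form-encoded string (URL-encoded like any claim)."""
    unsigned = urlencode(claims)
    key = base64.b64decode(signing_key_b64)
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + "&" + urlencode({SIG_CLAIM: base64.b64encode(mac).decode("ascii")})


def verify_swt(token, signing_key_b64, expected_issuer, expected_audience, now):
    """Validate signature, issuer, audience and expiry; return the claims or raise ValueError."""
    marker = "&" + SIG_CLAIM + "="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 signature")
    unsigned, sig_part = token[:idx], token[idx + 1:]
    provided_sig = dict(parse_qsl(sig_part))[SIG_CLAIM]          # URL-decoded base64 MAC
    key = base64.b64decode(signing_key_b64)
    expected_sig = base64.b64encode(
        hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")
    if not hmac.compare_digest(expected_sig, provided_sig):      # constant-time compare
        raise ValueError("signature mismatch")
    # Only parse claims after the signature checks out: untrusted input stays untrusted.
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != expected_issuer:
        raise ValueError("unexpected issuer %r" % claims.get("Issuer"))
    if claims.get("Audience") != expected_audience:
        raise ValueError("token not intended for this relying party")
    try:
        expires_on = int(claims["ExpiresOn"])                    # seconds since the Unix epoch
    except (KeyError, ValueError):
        raise ValueError("missing or malformed ExpiresOn")
    if expires_on <= now:
        raise ValueError("token expired")
    return claims


def sample_token():
    """A constructed token such as an ACS namespace would issue for user 'alice'."""
    return sign_swt({
        "Issuer": ISSUER,
        "Audience": AUDIENCE,
        "ExpiresOn": str(FIXED_NOW + 600),
        NAME_CLAIM: "alice",
    }, SIGNING_KEY_B64)


def check_outcome(token, now=FIXED_NOW):
    """Helper for exercising the verifier: 'ok' or the rejection reason."""
    try:
        verify_swt(token, SIGNING_KEY_B64, ISSUER, AUDIENCE, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = sample_token()
    print(check_outcome(tok))                                       # ok
    print(check_outcome(tok.replace("%2Fname=alice", "%2Fname=mallory")))  # signature mismatch
    print(check_outcome(tok, now=FIXED_NOW + 3600))                 # token expired
```

The order of checks matters: the signature is verified before any claim is trusted, the comparison is constant-time, and the audience check stops a token issued for one relying party from being replayed against another in the same namespace.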
The URIs of the specific endpoints can be obtained through the ACS Management Portal. Different URIs serve different tasks. For example:
The WS-Federation Metadata endpoint URI is used when integrating web applications with ACS. WS-Federation metadata can be consumed by a WIF application (or any other WS-Federation-compliant application) to obtain the namespace's token-signing certificate and endpoint addresses, so that configuration can be automated instead of copied by hand. Because the relying party derives its trust anchor from this document, fetch it only over HTTPS from the namespace's own host.
The ACS Management Service endpoint URI is used when programmatically managing an Access Control namespace with the ACS Management Service. For more information, see ACS Management Service.
ACS 2.0 Management Portal
The ACS Management Portal is a web-based user interface that ACS administrators can use to manage the configuration settings of a specific Access Control namespace. For more information, see ACS Management Portal.
Management Service
The ACS Management Service makes it possible for you to manage ACS programmatically, using the Open Data (OData) protocol. For more information, see ACS Management Service.
Token Transformation Rule Engine
The ACS rule engine processes the input claims present in the security tokens that ACS receives from identity providers and generates the output claims placed in the security tokens that ACS issues to relying party applications. Each rule matches on an issuer, an input claim type, and an input claim value (any of which may be a wildcard) and produces one output claim, either passing the input through or substituting a type and value. Only claims produced by a matching rule reach the relying party, so the rule group, not the identity provider, decides what a relying party ultimately sees. For more information, see Rule Groups and Rules.
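The matching and pass-through behaviour described above, as an added example that is not code from ACS or from Microsoft. It models a rule group for one identity provider and shows the security consequence of the design: a role claim asserted by the identity provider is dropped because no rule accepts it, while a rule that keys on a specific e-mail address mints the role instead. The identity provider name, namespace URI and claim values are constructed; the claim type URIs are the standard ones ACS uses, and the identityprovider claim is the one ACS adds to every issued token.

```python
from dataclasses import dataclass
from typing import List, Optional

IDP_CLAIM = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

GOOGLE = "Google"                                       # identity provider name (assumed)
ACS = "https://contoso.accesscontrol.windows.net/"      # constructed namespace


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    issuer: str   # the identity provider on input; the ACS namespace on output


@dataclass(frozen=True)
class Rule:
    issuer: str                          # identity provider whose claims this rule applies to
    input_type: Optional[str] = None     # None matches any input claim type
    input_value: Optional[str] = None    # None matches any input claim value
    output_type: Optional[str] = None    # None passes the input claim type through
    output_value: Optional[str] = None   # None passes the input claim value through

    def matches(self, claim: Claim) -> bool:
        return (self.issuer == claim.issuer
                and (self.input_type is None or self.input_type == claim.claim_type)
                and (self.input_value is None or self.input_value == claim.value))

    def emit(self, claim: Claim, acs_issuer: str) -> Claim:
        value = self.output_value if self.output_value is not None else claim.value
        return Claim(self.output_type or claim.claim_type, value, acs_issuer)


def transform(rules: List[Rule], input_claims: List[Claim], acs_issuer: str, idp_name: str) -> List[Claim]:
    """Output = identityprovider claim + one claim per matching (input claim, rule) pair,
    de-duplicated. Input claims with no matching rule are dropped, not passed through."""
    output = [Claim(IDP_CLAIM, idp_name, acs_issuer)]
    for claim in input_claims:
        for rule in rules:
            if rule.matches(claim):
                out = rule.emit(claim, acs_issuer)
                if out not in output:
                    output.append(out)
    return output


# A deliberately narrow rule group: pass e-mail and name through, mint Admin for one user.
RULES = [
    Rule(GOOGLE, input_type=EMAIL),
    Rule(GOOGLE, input_type=NAME),
    Rule(GOOGLE, input_type=EMAIL, input_value="alice@contoso.com",
         output_type=ROLE, output_value="Admin"),
]

# Constructed input token claims; the third is a role the IdP tries to assert on its own.
INCOMING = [
    Claim(EMAIL, "alice@contoso.com", GOOGLE),
    Claim(NAME, "Alice", GOOGLE),
    Claim(ROLE, "Owner", GOOGLE),
]


def demo() -> List[Claim]:
    return transform(RULES, INCOMING, ACS, GOOGLE)


def pairs(claims: List[Claim]):
    return {(c.claim_type, c.value) for c in claims}


if __name__ == "__main__":
    for c in demo():
        print(c.claim_type.rsplit("/", 1)[-1], "=", c.value)
    # A blanket pass-through rule (any type, any value) would forward the IdP's Owner role:
    print((ROLE, "Owner") in pairs(transform([Rule(GOOGLE)], INCOMING, ACS, GOOGLE)))
```

The last line is the configuration to watch for in a real namespace: a rule with no input type and no output type forwards every claim an identity provider chooses to send, including role or group claims the relying party treats as authorization decisions.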