Service Limitations

  • Certificate size is limited to 4 KB
  • Rule engine performs 10 executions at max
  • Rules query result is limited to 100
  • Using signing certificate other than default one may cause ID4175 error
  • ACS v2 entities quotas

Certificate size is limited to 4 KB

If you try to upload a certificate larger than 4 KB, you receive the error message: "Sorry, an unexpected error occurred while processing your request. HTTP Error Code: 500."

The workaround is to keep the certificate under 4 KB.

Rule engine performs 10 executions at max

Rule and rule group execution stops when no new claims are issued after an execution completes, or ten executions have completed (whichever comes first).
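The stop condition above means a claim that depends on a chain of more than ten rules is never issued, and a relying party simply sees fewer claims. The following sketch is an added example, not ACS code: it models each rule as one input claim mapped to one output claim (an assumption), and `run_rules`, `chain` and the "step" claims are hypothetical names constructed for the illustration.

```python
MAX_EXECUTIONS = 10  # limit stated on this page


def run_rules(rules, input_claims, max_executions=MAX_EXECUTIONS):
    """Simplified model of rule execution (assumption: one input claim per rule).

    rules: list of (input_claim, output_claim) pairs; a claim is (type, value).
    Returns (issued_claims, executions, truncated). truncated is True when the
    cap was reached while another execution would still have issued new claims.
    """
    issued = set()
    executions = 0
    while executions < max_executions:
        # Rules can match the incoming claims and any claim issued so far.
        visible = set(input_claims) | issued
        new = {out for inp, out in rules if inp in visible} - issued
        executions += 1
        if not new:
            # No new claims after a completed execution: normal stop.
            return issued, executions, False
        issued |= new
    # Cap reached: check whether one more execution would have added claims.
    visible = set(input_claims) | issued
    pending = {out for inp, out in rules if inp in visible} - issued
    return issued, executions, bool(pending)


def chain(depth):
    """Constructed sample: step0 -> step1 -> ... -> step<depth>."""
    return [(("step", str(i)), ("step", str(i + 1))) for i in range(depth)]


if __name__ == "__main__":
    start = {("step", "0")}
    for depth in (3, 10, 12):
        issued, runs, truncated = run_rules(chain(depth), start)
        final = ("step", str(depth)) in issued
        print(f"depth={depth} executions={runs} "
              f"final_claim_issued={final} truncated={truncated}")
```

A rule group whose result is flagged as truncated should be flattened so that no output claim depends on more than ten chained rules.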

Rules query result is limited to 100

When working with the Management Service to query rule groups for rules, you are limited to 100 rules per query result.

Fetching only 100 objects at a time (paging) is correct OData behavior. The expected page size for each of our entities is as follows:

  • Rule: 100
  • Everything else: 50

Use code similar to the following to retrieve the rest of the rules through continuations:

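    // Requires: using System.Collections.Generic; using System.Linq;
    //           using System.Data.Services.Client;

    // Fetch the first page (the service returns at most 100 rules per page).
    // Single quotes in the name are doubled so the OData string literal stays well-formed.
    List<Rule> allRules = new List<Rule>();
    var queryResponse = svc.Rules
        .Expand("Rules")
        .AddQueryOption("$filter", "Name eq '" + ruleGroupName.Replace("'", "''") + "'")
        .Execute();
    allRules.AddRange(queryResponse.ToList());

    // Get the rest of the rules by following each page's continuation
    while (null != ((QueryOperationResponse)queryResponse).GetContinuation())
    {
        DataServiceQueryContinuation<Rule> continuation =
            ((QueryOperationResponse<Rule>)queryResponse).GetContinuation();
        queryResponse = svc.Execute(continuation);
        allRules.AddRange(queryResponse.ToList());
    }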

Using signing certificate other than default one may cause ID4175 error

When using your own signing certificate, you may receive the error “ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.”

This behavior is by design. Federation metadata uses the default signing keys of the namespace. To resolve the issue, manually update the thumbprint attribute value of the trustedIssuer element in the issuerNameRegistry section to match the signing certificate that you uploaded to your ACS namespace.

ACS v2 quotas

The following are the ACS v2 entity quotas per namespace:

  • 200 Service Identities
  • 100 Identity Providers
  • 200 Relying Parties
  • 1000 Rule Groups
  • 8000 Rules

Note that these quotas relate to the labs environment and can be changed in the future.

Last edited Feb 22, 2011 at 9:07 PM by alikl, version 8
