This project is read-only.

Release Notes - October Labs Release

The October 2010 Labs release of Access Control Service contains the following breaking changes:

Default signing certificate and key now available

In the September release, customers were required to add their own certificates and keys to sign tokens issued by Access Control Service. In the October release, a default certificate and a default symmetric key are provisioned when a new service namespace is created. Users no longer need to upload a certificate to sign tokens or access ACS WS-Federation metadata.

Management service credentials

In the September release, the key that was required to access the management service endpoint was represented as a Service Identity. In the October release, this default Service Identity has been removed. A new key type has been added specifically for using the management service, which can be configured using the "Management Credentials" section of the ACS portal. The username required to access the management service has remained unchanged (“ManagementClient”). In OData, these credentials are represented as a new KeyUsage (“Management”) and new KeyType (“Password” or “Symmetric”) in the ServiceKeys Table. 

Claim type change for service identities and Windows Live authentication

Access Control Service will now emit a claim with type “NameIdentifier” for clients authenticated using a service identity or Windows Live. The September release used to emit a “Name” claim type.


Access Control Service now uses the Facebook Graph API to support Facebook as an identity provider.

Visible changes include:

  • Facebook identity provider configuration now requires an Application ID in addition to Application Secret, as opposed to an API Key and Application Secret. Additionally, an Application Permissions field (optional) is now available that allows additional extended permissions to be requested.
  • The session key and session secret claim types are no longer emitted from Facebook identity providers. Instead, an access token claim is generated.
  • The value of the IdentityProvider claim emitted by Access Control Service is now “Facebook-<FacebookApplicationId>” for Facebook identity providers

Endpoint changes

WS-Trust endpoints have been separated based on incoming token key type. The new endpoint paths are:

  • v2/wstrust/13/issuedtoken-asymmetric
  • v2/wstrust/13/issuedtoken-bearer
  • v2/wstrust/13/issuedtoken-symmetric

This change is breaking only for customers that don’t use MEX endpoint to generate clients

Schema changes for OData client

Property name in schema

Type of change


IdentityProvider.LoginParameters [string, optional]


Comma (,) separated list of extended permissions for Facebook. The list of permissions is described at

Delegation.IdentityProvider [string, mandatory]


Value of this property will be used to emit identity provider claim(type is in an OAuth2 delegated access token

Delegation.Scope [string, optional]


Value of this property will be emitted in an OAuth2 delegated access token as Scope claim (type is and in addition to that it will be sent in OAuth2 Access Token response "scope" parameter

ServiceIdentity.RedirectAddress [string,optional]


Value of this property is used only in OAuth2 delegated scenario. This value is verified against the client redeeming AuthorizationCode. Value defined in client "redirect_uri" parameter has to match exactly its own service identity redirect address. This value is mandatory for enabling OAuth2 delegation scenario

Rules. InputClaimValue


Input claim values are now case sensitive

Properties [table]



IdentityProviderKeyNames [table]



RelyingPartyKeyNames [table]



IdentityProvider.CertRevocationCheck [string, optional]



ClaimType.DisplayName [string, optional]



RelyingParty. SymmetricTokenEncryptionRequired [bool, optional]



Rules.RuleType [string, mandatory]





Last edited Oct 28, 2010 at 6:17 PM by asmalser, version 3


No comments yet.