Release Notes - December Labs Release
The December 2010 Labs release of Access Control Service contains the following changes:
Trust Management Changes
The December release changes how the lifecycles of token signing and token decryption certificates are managed in an Access Control Service namespace. These certificates now support a “Primary” flag, which allows administrators to manually specify which certificate is active at any given time. This allows the effective dates for these certificates and keys to overlap, during which both will be published in the WS-Federation metadata for the service namespace. Relying party applications can subsequently import data about new certificates in advance of a rollover.
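The rollover behaviour described above only helps if the relying party actually keeps every signing certificate that the metadata publishes, rather than pinning a single one. The following is an added example (not code from the ACS release or the ACS SDK) of how a relying party could refresh its trust store from WS-Federation metadata during an overlap window. The metadata document, the namespace URL and the certificate bodies are all constructed placeholders; in particular the "certificates" are arbitrary bytes rather than real X.509 DER, so the thumbprints are only illustrative.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation metadata (SAML 2.0 metadata plus XML-DSig).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata for a namespace in the middle of a signing
# certificate rollover: two KeyDescriptors with use="signing" are published at
# once, plus one token decryption (encryption) certificate. Certificate bodies
# are placeholder bytes, not real X.509 DER.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-namespace.accesscontrol.example/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{old}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{new}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{enc}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
""".format(
    old=base64.b64encode(b"constructed-old-signing-cert").decode(),
    new=base64.b64encode(b"constructed-new-signing-cert").decode(),
    enc=base64.b64encode(b"constructed-encryption-cert").decode(),
)


def thumbprint(b64_cert: str) -> str:
    """SHA-1 over the decoded certificate bytes, the usual X.509 thumbprint form."""
    return hashlib.sha1(base64.b64decode(b64_cert)).hexdigest().upper()


def extract_certs(metadata_xml: str) -> dict:
    """Return {"signing": [thumbprints], "encryption": [thumbprints]} from metadata."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use not in found:
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found[use].append(thumbprint(cert.text.strip()))
    return found


def refresh_trust_store(current: set, metadata_xml: str) -> tuple:
    """Replace the relying party's trusted signing set with what the metadata
    publishes and report what was added and retired. Trusting every published
    signing certificate is what lets a token signed by either the old or the
    new certificate validate during the overlap window."""
    published = set(extract_certs(metadata_xml)["signing"])
    added = published - current
    retired = current - published
    return published, added, retired


if __name__ == "__main__":
    certs = extract_certs(SAMPLE_METADATA)
    trusted, added, retired = refresh_trust_store({certs["signing"][0]}, SAMPLE_METADATA)
    print("trusted signing thumbprints:", sorted(trusted))
    print("added:", sorted(added), "retired:", sorted(retired))
```

Running this against the sample shows the relying party picking up the second signing certificate before the switch of the “Primary” flag, and it would later drop the old one once the namespace stops publishing it. A relying party that caches metadata should re-fetch on a schedule shorter than the planned overlap period, otherwise the overlap buys it nothing.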
In addition, the ACS Management Portal now supports importing WS-Federation metadata for individual relying party applications.
Error Message Changes
The error codes and error messages produced by Access Control Service have been overhauled to provide more troubleshooting details and diagnostics information. This includes errors produced by the various ACS protocol endpoints, as well as the management portal.
In addition, the December release includes a new feature that allows relying party applications to render custom error pages for errors that occur during the end-user sign-in process. This can be configured using a new “Error URL” field that is available when adding and editing relying party applications. When configured, ACS will post information about errors that occur during sign in to this URL, which can be a page hosted on the relying party application that renders a custom error page.
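Because the Error URL receives a POST from outside the application and renders its contents to the end user, the relying party should treat every posted field as untrusted input. The following is an added example (not code from the ACS release or any ACS sample) of a handler that parses a form-encoded error POST and renders a custom error page with all values HTML-escaped. The page does not document the exact fields ACS posts, so the field names in the constructed sample body (ErrorCode, ErrorMessage, TraceId) are assumptions; the handler does not depend on them and escapes whatever arrives.

```python
import html
from urllib.parse import parse_qs

# Constructed sample POST body. Field names are assumed, not taken from ACS
# documentation; the value of ErrorMessage deliberately contains markup so the
# test can show that it is neutralised on output.
SAMPLE_POST_BODY = (
    "ErrorCode=ACS_PLACEHOLDER_CODE"
    "&ErrorMessage=Sign-in+failed+%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&TraceId=00000000-0000-0000-0000-000000000000"
)

# Cap on each rendered value, so an oversized post cannot bloat the page or logs.
MAX_FIELD_LEN = 512


def parse_error_post(body: str) -> dict:
    """Parse a form-encoded body into single-valued, length-capped string fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0][:MAX_FIELD_LEN] for k, v in fields.items()}


def render_error_page(body: str) -> str:
    """Build the custom error page shown to the user.

    Every key and value is HTML-escaped before being placed in markup, so a
    crafted or corrupted error message cannot inject script or markup into the
    relying party's origin. The trace identifier (if present) is kept on the
    page so support staff can correlate it with ACS diagnostics."""
    fields = parse_error_post(body)
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(v)}</td></tr>"
        for k, v in sorted(fields.items())
    )
    return (
        "<!DOCTYPE html><html><head><title>Sign-in error</title></head><body>"
        "<h1>Sign-in error</h1>"
        f"<table>{rows}</table>"
        "<p>Please try again, or contact support and quote the details above.</p>"
        "</body></html>"
    )


if __name__ == "__main__":
    print(render_error_page(SAMPLE_POST_BODY))
```

Wire `render_error_page` behind whatever web framework hosts the relying party, mapped to the path configured as the Error URL; the handler accepts POST only and has no need for a session, since the page shows diagnostics rather than performing an action.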
Management Portal Changes
The December release includes the following changes to the ACS Management Portal:
- The Relying Party Applications section now supports importing application settings using WS-Federation metadata.
- The Relying Party Applications section now supports setting an “Error URL”, which is the URL to which error details will be sent when an error occurs during user sign in. If no URL is provided, a page hosted by ACS will display the error information.
- In the “Certificates and Keys” section, Token Signing and Token Decryption certificates and keys now support a “Primary” flag which determines whether or not they are actively in use.
- A new “Portal Administrators” section allows new ACS administrators to be configured without requiring manual edits to the Access Control Management relying party application and rule group.
- The “Management Credentials” section has been replaced with a “Management Service” section that allows multiple management service accounts to be created.
- The Access Control Management relying party application and rule group are now hidden in the management portal. These are now configured in the portal using the new “Portal Administrators” and “Management Service” sections; however, they are still directly accessible via the management service.
- Display names for passwords, symmetric keys, and certificates have been deprecated.
Management Service Changes
The December release includes the following breaking changes to the ACS Management Service:
- Federation Metadata address for importing the IdentityProviders was updated from “/v2/mgmt/service/importFederationMetadata” to “/v2/mgmt/service/importFederationMetadata/importIdentityProvider”
- Importing RelyingParties from Federation Metadata is now supported; the address is “/v2/mgmt/service/importFederationMetadata/importRelyingParty”
- Policy and PolicyRuleGroup removed
- RelyingPartyRuleGroup added
- Password property in ServiceKey updated from string to byte
- InputClaimIssuerId property in Rule renamed to IssuerId
- Name property removed from IdentityProvider
- Issuer and IssuerID properties added to IdentityProvider
- ProtocolType property in IdentityProvider renamed to WebSSOProtocolType
Below are known issues with some of the new features introduced in the December labs release. These issues have fixes planned for a forthcoming release.
- Namespace does not finish activating if the supplied name is between 45 and 50 characters – When creating an AppFabric namespace, the maximum length for the namespace name is now 44 characters, down from 50 characters in previous releases. If you attempt to create a namespace with a name whose length is between 45 and 50 characters, an error will not be displayed but the namespace will never finish the activation process. As a workaround, create a namespace whose name contains 44 characters or less.
- Issues with importing WS-Federation metadata for a relying party application – There are two issues with importing WS-Federation metadata for a relying party application:
  - WS-Federation metadata currently cannot be imported using a URL, and doing so will result in an unexpected error message. As a workaround, copy the application's WS-Federation metadata to a file, and select the “File” option to upload it instead.
  - WS-Federation metadata will not be imported if the “Token encryption policy” field is set to “Require Encryption” in the relying party application form, as this setting requires a certificate to be uploaded separately. As a workaround, import the WS-Federation metadata with the “Token encryption policy” field set to “none”. Then, edit the relying party application again to set the “Token encryption policy” field to “Require Encryption”.
- Secondary token decryption certificates – When adding a second token decryption certificate for the service namespace and setting it as “Primary”, the original certificate will incorrectly remain published in the WS-Federation metadata. As a workaround, only use one token decryption certificate in this release.
- Facebook and offline_access permissions – When configuring Facebook as an identity provider, end-user login to Facebook will fail with a 400 error code if the “offline_access” permission is added in the “Application permissions” field in the management portal. As a workaround, avoid adding the “offline_access” permission.