
It appears that the ACS has IDP-style features within the "Service Identities" section. How does the ACS treat these in comparison to a real IDP? What is missing?

Some examples I'm thinking of include: Account Lockout, Auditing, Token Replay, etc. These come more into light when comparing the credentials to a "real" IDP such as CA SiteMinder, ADFS 2.0, and Ping.

  • Given the contrasting examples, what is ACS + Service Identities missing?

  • What features matter?

  • What is the resulting intended (or non-intended) use AS-IS today?

makerofthings7
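The three controls named in the question (account lockout, auditing, token replay) are exactly the pieces an application has to supply itself if it relies on a credential store that does not provide them. The following is an added illustration, not ACS code or anything from the original post, of what a minimal IdP-side implementation of those three controls looks like; every class and name here (AuditLog, LockoutPolicy, TokenReplayGuard, the "svc-app1" identity and the "jti-abc" token ID) is hypothetical and constructed for the example.

```python
"""Minimal IdP-side controls the question lists as missing from ACS Service
Identities: account lockout, auditing, and token-replay detection.
Added illustration only; all names and values are hypothetical."""
import time
from collections import defaultdict, deque


class AuditLog:
    """Append-only in-memory audit trail (a real IdP would persist this)."""

    def __init__(self):
        self.events = []

    def record(self, event, **fields):
        self.events.append({"event": event, "ts": time.time(), **fields})


class LockoutPolicy:
    """Lock an identity after max_failures failed attempts inside a sliding window."""

    def __init__(self, audit, max_failures=5, window=300.0, lock_for=900.0):
        self.audit = audit
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lock_for = lock_for      # seconds the identity stays locked
        self._failures = defaultdict(deque)   # identity -> failure timestamps
        self._locked_until = {}               # identity -> unlock time

    def is_locked(self, identity, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(identity, 0.0) > now

    def record_failure(self, identity, now=None):
        """Return True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        q = self._failures[identity]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        self.audit.record("auth_failure", identity=identity, failures_in_window=len(q))
        if len(q) >= self.max_failures:
            self._locked_until[identity] = now + self.lock_for
            q.clear()
            self.audit.record("account_locked", identity=identity, until=now + self.lock_for)
            return True
        return False

    def record_success(self, identity):
        self._failures.pop(identity, None)
        self.audit.record("auth_success", identity=identity)


class TokenReplayGuard:
    """Reject a token ID (jti) that was already presented; remember IDs only
    until the token's own expiry, so the cache stays bounded."""

    def __init__(self, audit):
        self.audit = audit
        self._seen = {}   # jti -> expiry time

    def accept(self, jti, exp, now=None):
        now = time.time() if now is None else now
        for old in [k for k, e in self._seen.items() if e <= now]:
            del self._seen[old]               # expired IDs can no longer be replayed
        if exp <= now:
            self.audit.record("token_expired", jti=jti)
            return False
        if jti in self._seen:
            self.audit.record("token_replay", jti=jti)
            return False
        self._seen[jti] = exp
        self.audit.record("token_accepted", jti=jti)
        return True


def demo():
    """Constructed scenario: three bad logins lock the identity, and a token
    presented twice is rejected the second time."""
    audit = AuditLog()
    lockout = LockoutPolicy(audit, max_failures=3, window=60.0, lock_for=120.0)
    guard = TokenReplayGuard(audit)
    t0 = 1000.0
    locked = [lockout.record_failure("svc-app1", now=t0 + i) for i in range(3)]
    first = guard.accept("jti-abc", exp=t0 + 300, now=t0)
    replay = guard.accept("jti-abc", exp=t0 + 300, now=t0 + 1)
    after_expiry = guard.accept("jti-abc", exp=t0 + 300, now=t0 + 301)
    return {
        "locked_on_third_failure": locked == [False, False, True],
        "is_locked": lockout.is_locked("svc-app1", now=t0 + 10),
        "unlocked_later": not lockout.is_locked("svc-app1", now=t0 + 200),
        "first_accepted": first,
        "replay_rejected": not replay,
        "expired_rejected": not after_expiry,
        "audit_events": [e["event"] for e in audit.events],
    }
```

The audit trail is what ties the other two together: a lockout or a replay that nobody can see afterwards is of little use during an investigation, which is why the question's comparison to SiteMinder, ADFS 2.0 and Ping puts auditing alongside lockout and replay rather than treating it as an afterthought.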

1 Answer


From my testing I have only found one reason to use a Service Identity as opposed to a real IDP, and that is with OAuth Delegation.

When an OAuth Delegatee authenticates with the ACS, it requires a redirect URL after the ACS returns. This property is stored within the Service Identity and is only visible by the API and not visible by code.

Considering that Microsoft doesn't want to be an IDP for your applications, they would rather have OpenID, LiveID, Facebook, Gmail, Yahoo, or ADFSv2 (user/pass, 2-factor, or certificate) handle authentication.

Disclaimer

Considering that I'm answering my own question, I'm interested in hearing other people's opinions and experience. I just want to share this information regarding OAuth Delegation.

makerofthings7
    I think you are correct. I run screaming from oauth every chance I get, so I've only glanced over the service identity bits. The only other thing I can think of is if you are looking to delegate management identities, but it is cumbersome to do so. – Steve May 11 '11 at 15:37
  • @SteveS What are your concerns about OAuth? Perhaps it warrants a separate question; if the interest is broad enough. If I do, then I won't phrase it *"Why does OAuth cause SteveS to run screaming?"* – makerofthings7 May 11 '11 at 15:43
  • I don't have a valid reason, it just feels insecure. :) – Steve May 11 '11 at 17:53