Published: April 7, 2011
Updated: June 6, 2013
Applies To: Windows Azure
A managed namespace is an Access Control namespace that is partially managed by another service. These Access Control namespaces are similar to standard Access Control namespaces, except that their managed settings cannot be viewed or edited, and you cannot use an application-specific certificate to sign tokens for a relying party application.
Token-Signing Certificates and Keys—Token-signing certificates and keys for the namespace are managed automatically. In the ACS Management Portal, these certificates and keys are hidden and users cannot add new token-signing certificates or keys at the namespace level. In the management service, clients are not able to read or write to the ServiceKeys table.
When you are adding a relying party application to a managed namespace, such as a Service Bus namespace, do not enter application-specific (dedicated) certificates or keys. Instead, select the option that directs ACS to use the certificates and keys that are configured for all applications in the managed namespace.
Tokens issued to relying party applications in managed namespaces, such as Service Bus namespaces, must be signed with the digital certificate or symmetric key for the namespace. If these tokens are signed with an application-specific (dedicated) certificate or key, authentication does not work properly.
In the ACS Management Portal, use the following guidance when selecting options for relying party applications in managed namespaces.
On the Edit Relying Party Application page, in the Token Signing Setting section, select Use Service Namespace Certificate (Standard).
On the Certificates and Keys page, do not select Add Token Signing Certificate.
If you are required to enter a certificate or key, such as when using the SWT protocol, enter the required information, and then, after saving, return to the page and delete the application-specific certificate or key.
Decryption Certificates—Token-decryption certificates are automatically managed. In the ACS Management Portal, these certificates are hidden and users cannot add new token-decryption certificates. In the management service, clients are not able to read or write to the ServiceKeys table.
Unlike regular Access Control namespaces, managed namespaces are not intended to be used for custom solutions.
Examples of Managed Namespaces
Windows Azure Service Bus uses a dedicated Access Control namespace to control access to the Service Bus service. These namespaces are characterized by a "-sb" in the namespace name.
Windows Azure Cache uses a dedicated Access Control namespace to control access to the Cache service. These namespaces are characterized by a "-cache" in the namespace name.
Concepts
Access Control Namespace