

ACS Management Service API Reference

An entity data model organizes the Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) configuration data into records of entity types (or entities) and the associations between them. The data model is described in the OData Service Metadata Document for each namespace, which is available at https://<namespace>.accesscontrol.windows.net/v2/mgmt/service/$metadata, where <namespace> is the name of the Access Control namespace.

This XML-based OData document uses the conceptual schema definition language (CSDL) to describe the available data. You can download this document and use it to generate typed classes in your code. The following table describes the ACS entity types.

Note

The following applies to ID properties of all of the entities in the table: ACS IDs are not permanent; they can change as a result of upgrades to the ACS service. Your applications should not cache or rely on the value of ACS IDs.

Entity Description

ClaimType

Represents claim types imported from the WS-Federation metadata of WS-Federation identity providers. This is used primarily to populate the list of supported claim types for each identity provider in the ACS Management Portal.

ConditionalRule

Represents a rule with two input claims. For more information, see Rule Groups and Rules.

Delegation

Represents a list of clients that have been granted delegated access in OAuth 2.0 delegation scenarios.

IdentityProvider

Represents an identity provider. For more information about identity providers, see Identity Providers.

IdentityProviderAddress

Represents a URI that is associated with an identity provider. Supported URI types include SignIn, SignOut, EmailDomain, ImageURL, and FedMetadataURL.

IdentityProviderClaimType

Represents the list of ClaimType entities that are supported by the identity provider.

IdentityProviderKey

Represents certificates and keys associated with the identity provider. This typically includes token validation certificates imported from the identity provider’s WS-Federation metadata or keys input directly into the ACS configuration (such as Facebook application keys).

Issuer

Represents a claims issuer, which is an alternate representation of an identity provider used specifically by the ACS rules engine. ACS also has its own built-in issuer, named LOCAL_AUTHORITY, which is the issuer for claims output by ACS. Every identity provider has an associated issuer, and every issuer other than LOCAL_AUTHORITY has an associated identity provider.

Note

If you delete the issuer, it automatically deletes the associated identity provider.

RelyingParty

Represents a relying party application. For more information about relying party applications, see Relying Party Applications.

RelyingPartyAddress

Represents a URI that is associated with a relying party application. Supported URI types include Realm, Reply (Return URL), and Error (Error URL).

RelyingPartyIdentityProvider

Represents which identity providers are associated with which relying party applications in a given Access Control namespace.

RelyingPartyKey

Represents certificates and keys associated with a relying party application. This includes token signing certificates and symmetric keys associated directly with the application, in addition to encryption certificates.

RelyingPartyRuleGroup

Represents the list of RuleGroup entities that are associated with the relying party application.

Rule

Represents a rule. For more information about rules, see Rule Groups and Rules.

RuleGroup

Represents a rule group. For more information about rule groups, see Rule Groups and Rules.

ServiceIdentity

Represents a service identity. For more information about service identities, see Service Identities.

ServiceIdentityKey

Represents credentials associated with service identities. This includes X.509 certificates, symmetric keys, and passwords.

ServiceKey

Represents certificates and keys assigned to the Access Control namespace. This includes token signing certificates and symmetric keys, token decryption certificates, and Management Service credentials for the default ManagementClient account. This does not include certificates and keys explicitly assigned to a relying party application, identity provider, or service identity.
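The introduction above says the data model is published as an OData Service Metadata Document (CSDL) listing entity types and the associations between them. The following is an added example, not code from the ACS documentation or from Microsoft, showing how to read such a document and recover the entity types, their key properties and their navigation links, plus a small audit helper that picks out the entity types named with a "Key" suffix (the ones the table describes as holding certificates, symmetric keys or passwords). The embedded EDMX is a constructed, heavily simplified sample that only borrows entity names from the table above; its property names, types and association are assumptions, not the real ACS schema, so run the parser against the real $metadata document for a namespace to get the actual model.

```python
"""Parse an OData/CSDL $metadata document and list entity types, keys and associations.

Added example; the EDMX below is a constructed sample, not the real ACS schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample metadata. Entity names are taken from the ACS reference table;
# the properties and the association are assumptions for illustration only.
SAMPLE_METADATA = """
<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices>
    <Schema Namespace="Sample.ACS" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityType Name="IdentityProvider">
        <Key><PropertyRef Name="Id" /></Key>
        <Property Name="Id" Type="Edm.Int64" Nullable="false" />
        <Property Name="DisplayName" Type="Edm.String" Nullable="false" />
        <NavigationProperty Name="IdentityProviderKeys"
            Relationship="Sample.ACS.IdentityProvider_IdentityProviderKey"
            FromRole="IdentityProvider" ToRole="IdentityProviderKey" />
      </EntityType>
      <EntityType Name="IdentityProviderKey">
        <Key><PropertyRef Name="Id" /></Key>
        <Property Name="Id" Type="Edm.Int64" Nullable="false" />
        <Property Name="Type" Type="Edm.String" Nullable="false" />
        <Property Name="Value" Type="Edm.Binary" Nullable="true" />
      </EntityType>
      <EntityType Name="Issuer">
        <Key><PropertyRef Name="Id" /></Key>
        <Property Name="Id" Type="Edm.Int64" Nullable="false" />
        <Property Name="Name" Type="Edm.String" Nullable="false" />
      </EntityType>
      <Association Name="IdentityProvider_IdentityProviderKey">
        <End Role="IdentityProvider" Type="Sample.ACS.IdentityProvider" Multiplicity="1" />
        <End Role="IdentityProviderKey" Type="Sample.ACS.IdentityProviderKey" Multiplicity="*" />
      </Association>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""


def _local(tag):
    """Strip the XML namespace so the parser works for any CSDL/EDMX version."""
    return tag.rsplit("}", 1)[-1]


def _short(qualified_name):
    """'Sample.ACS.Issuer' -> 'Issuer' (drop the schema namespace prefix)."""
    return qualified_name.rsplit(".", 1)[-1]


def parse_metadata(xml_text):
    """Return (entities, associations) extracted from a CSDL document.

    entities: {EntityTypeName: {"keys": [...], "properties": {name: type},
                                "navigation": {navName: (assocName, toRole)}}}
    associations: {assocName: [(role, targetEntityName, multiplicity), ...]}
    """
    root = ET.fromstring(xml_text)
    entities, associations = {}, {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "EntityType":
            keys = [ref.get("Name") for key in el if _local(key.tag) == "Key"
                    for ref in key if _local(ref.tag) == "PropertyRef"]
            props = {p.get("Name"): p.get("Type") for p in el if _local(p.tag) == "Property"}
            navs = {n.get("Name"): (_short(n.get("Relationship")), n.get("ToRole"))
                    for n in el if _local(n.tag) == "NavigationProperty"}
            entities[el.get("Name")] = {"keys": keys, "properties": props, "navigation": navs}
        elif tag == "Association":
            associations[el.get("Name")] = [
                (end.get("Role"), _short(end.get("Type")), end.get("Multiplicity"))
                for end in el if _local(end.tag) == "End"]
    return entities, associations


def related_entities(entities, associations, entity_name):
    """Resolve each navigation property of an entity to (navName, targetEntity, multiplicity)."""
    result = []
    for nav_name, (assoc_name, to_role) in entities[entity_name]["navigation"].items():
        for role, target, multiplicity in associations.get(assoc_name, []):
            if role == to_role:
                result.append((nav_name, target, multiplicity))
    return result


def credential_entity_types(entities):
    """Entity types whose name ends in 'Key': the ones that carry credential material."""
    return sorted(name for name in entities if name.endswith("Key"))


if __name__ == "__main__":
    ents, assocs = parse_metadata(SAMPLE_METADATA)
    for name, info in ents.items():
        print(name, "key:", info["keys"], "links:", related_entities(ents, assocs, name))
    print("credential-bearing entity types:", credential_entity_types(ents))
```

Because every entity in the sample is keyed by an integer Id, the output also illustrates the note above: Id values are the OData key for a request, but they are not stable across ACS upgrades, so a client should look entities up by their name properties on each run rather than caching the Id.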