Editable trusted Root CA List in ACS
Today, SAML tokens which are signed using a certificate issued by a local CA cannot be validated and are therefore rejected by ACS. This is because ACS only trusts Root CAs which are on the out-of-the-box Windows trusted CA list. It would be very useful for ACS customers to decide for themselves which Root CAs they trust or not.
The Azure Active Directory team has aligned its resources behind services in Azure Active Directory. This effort will eventually replace functionality available in ACS. The blog post – http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx – provides a high-level overview of this transition. The ideas posted around ACS have been collected and passed to the team. We will close out ideas posted around ACS to return votes used on this topic. Please feel free to post additional ideas here, and/or email me directly – firstname.lastname@example.org.
The Azure Active Directory team greatly appreciates the feedback. We look forward to hearing from the community as much as possible. It is one of the essential ways we can continue to create and enhance our service offerings to meet your needs. Thank you.
Joseph Crandall commented
Microsoft clearly supports full directory-integrated PKI and self-signed CAs and pushes that solution for on-premise products, but they don't provide that same basic feature set in AWS.
Please add it so we can compete with other cloud solutions.
Eric Raff commented
Very much agree. In our env, we have multiple relying parties (on-prem) that are currently configured with our token signing cert. Right now I am being forced to change my ADFS token signing cert so I can work with 1 ACS service provider. This means I would then need to update all of my internal relying parties to accept a new self-signed cert from ADFS to get this ACS service provider to work with our env. Not excited about that. Allow ACS customers the ability to add an identity provider's token signing cert per service, please.
Philipp Hintermann commented
Would be very useful.