Brian Swan has a follow-up post to his introductory look at access control in Azure AppFabric applications with a bit more in-depth look at some of the settings to help you refine your controls.

I will again build a barpatron.php client (i.e. a customer) that requests a token from the AppFabric access control service (ACS) (the bouncer). Upon receipt of a token, the client will present it to the bartender.php service (the bartender) to attempt to access a protected resource (drinks). If the service can successfully validate the token, the protected resource will be made available.

You'll need to have an Azure instance set up and have already set up the scripts from his previous post to follow along. He updates the scripts to enhance with token checking and allowing the "patron" to request a token. Complete code is available for download.