IssuerNameRegistry

The IssuerNameRegistry class provides a name service that returns the issuer name of a given token. WIF provides a ConfigurationBasedIssuerNameRegistry to demonstrate an easy way to get started, but it is recommended that developers write a custom implementation that derives from the IssuerNameRegistry class.

ConfigurationBasedIssuerNameRegistry takes an X.509 security token and returns an issuer name if the thumbprint of the token's certificate is present in ConfiguredTrustedIssuers. ConfiguredTrustedIssuers is a dictionary that maps certificate thumbprints to issuer names, and it must be populated with the list of trusted issuers before the registry is used.

Note:
Although the IssuerNameRegistry is the logical place to reject untrusted, unknown, or invalid issuers, keep in mind that the token handlers enforce PeerOrChainTrust validity on issuer certificates by default, so any similar checks in the IssuerNameRegistry will be redundant.

Note that Issuer is now of type String. This allows the issuer to be represented in a more descriptive manner, and authentication and authorization decisions to be made based on the string value returned from the IssuerNameRegistry. It is recommended that developers use the IssuerNameRegistry as a trust decision point to reject unknown or untrusted issuers as early as possible in the authentication pipeline.

The IssuerNameRegistry has three methods, which are called by default from the various token handlers. GetIssuerName (the overload that takes only a security token) is called for client certificate authentication on the issuer certificate of an incoming X509SecurityToken.

The overload of GetIssuerName that also takes a string parameter is called for SAML issued token authentication on the signing certificate of an incoming SAML 1.1 or SAML 2 token. The string parameter is the requested issuer name taken from the “Issuer” element of the SAML token.

GetWindowsIssuerName is called during Windows authentication, and during map-to-Windows scenarios where additional Windows claims are added to the client’s identity.
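The following is an added example, not code from WIF or from this page, showing the custom registry the page recommends: a class deriving from IssuerNameRegistry that overrides all three methods described above, pins issuers by certificate thumbprint (the same trust model as ConfigurationBasedIssuerNameRegistry, whose programmatic setup is shown alongside for comparison), and throws for any issuer it does not recognise. The class name ThumbprintIssuerNameRegistry, the thumbprint values, the issuer names and the certificate path are all constructed placeholders; the .NET 4.5 namespaces (System.IdentityModel.Tokens) are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical custom registry (added example, not WIF's own code).
// Trust is decided purely by certificate thumbprint; chain/peer validity
// is left to the token handlers, which already enforce it by default.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // thumbprint -> issuer name. Thumbprints are hex strings, compared case-insensitively.
    private readonly Dictionary<string, string> _trustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Issuer name reported on the Windows authentication / map-to-Windows path.
    private readonly string _windowsIssuerName;

    public ThumbprintIssuerNameRegistry(IDictionary<string, string> trustedIssuers, string windowsIssuerName)
    {
        foreach (var entry in trustedIssuers)
        {
            // Normalise thumbprints copied from certificate viewers (spaces between byte pairs).
            _trustedIssuers[entry.Key.Replace(" ", string.Empty)] = entry.Value;
        }
        _windowsIssuerName = windowsIssuerName;
    }

    // Called for client certificate authentication on the issuer certificate
    // of an incoming X509SecurityToken.
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            throw new SecurityTokenException("Only X.509 issuer certificates are trusted by this registry.");
        }

        string issuerName;
        if (!_trustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName))
        {
            // Unknown issuer: reject here, as early in the pipeline as possible.
            throw new SecurityTokenException(
                "Untrusted issuer certificate, thumbprint " + x509Token.Certificate.Thumbprint);
        }
        return issuerName;
    }

    // Called for SAML 1.1 / SAML 2 tokens with the signing certificate and the
    // <Issuer> value from the token. The certificate decides trust; the claimed
    // name is informational only and is never used to look up the issuer.
    public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
    {
        string pinnedName = GetIssuerName(securityToken);
        if (!string.Equals(pinnedName, requestedIssuerName, StringComparison.Ordinal))
        {
            Console.WriteLine("Token claims issuer '{0}', pinned name is '{1}'; using pinned name.",
                requestedIssuerName, pinnedName);
        }
        return pinnedName;
    }

    // Called during Windows authentication and map-to-Windows scenarios.
    public override string GetWindowsIssuerName()
    {
        return _windowsIssuerName;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample trust list; thumbprints below are placeholders, not real certificates.
        var trusted = new Dictionary<string, string>
        {
            { "0000000000000000000000000000000000000001", "https://sts.contoso.example/" },
            { "0000000000000000000000000000000000000002", "https://partner-sts.fabrikam.example/" }
        };
        var registry = new ThumbprintIssuerNameRegistry(trusted, "CONTOSO-DOMAIN");

        // For comparison, the WIF-provided registry is configured the same way in code:
        var configured = new ConfigurationBasedIssuerNameRegistry();
        configured.AddTrustedIssuer("0000000000000000000000000000000000000001", "https://sts.contoso.example/");

        // Placeholder path: substitute a certificate whose thumbprint is in the list above.
        var cert = new X509Certificate2(@"C:\placeholder\issuer.cer");
        try
        {
            string name = registry.GetIssuerName(new X509SecurityToken(cert));
            Console.WriteLine("Trusted issuer: " + name);
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Registering the class is done through the same configuration element that would otherwise name ConfigurationBasedIssuerNameRegistry; the only behavioural difference is that the trust list can now be sourced from wherever the application keeps it rather than from configuration alone.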