There are three classes that define the configuration for Windows® Identity Foundation (WIF):

  1. ServiceConfiguration. This class is used to configure a relying party application, which consumes tokens.

  2. SecurityTokenServiceConfiguration. This class is used to configure an STS, which both consumes and issues tokens. SecurityTokenServiceConfiguration, which is concerned with issuing tokens, derives from ServiceConfiguration, which is concerned with consuming tokens.

  3. The SecurityTokenHandlerConfiguration class represents shared settings common to all token handlers. This is a property on the SecurityTokenHandlerCollection class, and can also be specified on individual security token handlers if a finer degree of customization is required.


ServiceConfiguration has the following properties:

  • ClaimsAuthenticationManager. This is used for authenticating or transforming the incoming claims.

  • ClaimsAuthorizationManager. This is used to determine whether the user’s request is authorized. It is invoked when the user uses declarative permissions, for example, if they decorate a method with the ClaimsPrincipalPermissionAttribute attribute.

  • IssuerNameRegistry. This translates a security token to a friendly token issuer name in the form of a string. An IssuerNameRegistry is used to validate trusted issuers, typically represented by X509 certificates.

  • IssuerTokenResolver. This is used to resolve the issuer token, which represents the token that signed the incoming token presented to the relying party application.

  • SecurityTokenHandlerCollectionManager. This is a collection of token handler collections based on usage. By default it contains the following collections: the default collection, ActAs, and OnBehalfOf. ActAs and OnBehalfOf scenarios are used during token issuance, so these token handlers do not need to be configured by relying party applications. A relying party STS (RP-STS) that consumes a request for security token (RST) that contains an ActAs or OnBehalfOf token must have these token handlers configured.

  • SecurityTokenHandlers. This is the default token handler collection in SecurityTokenHandlerCollectionManager.

  • ServiceCertificate. This represents the service’s decryption certificate that is used for decrypting tokens.

  • ServiceConfigurationName. This is the name of the service, as defined in the configuration file. It defaults to an empty string.


In addition to the properties it inherits from ServiceConfiguration, SecurityTokenServiceConfiguration has the following properties:


SecurityTokenService.Scope Class

The Scope class contains information about a Relying Party (RP). You can extend the Scope class to contain additional information, such as token types accepted by the RP, default token lifetime, maximum token lifetime, algorithm suites used by the RP, and so on. The information in this class should not vary for individual requests.