There are three classes that define the configuration for Windows® Identity Foundation (WIF):
- ServiceConfiguration. This class is used to configure a relying party application, which consumes tokens.
- SecurityTokenServiceConfiguration. This class is used to configure an STS, which both consumes and issues tokens. SecurityTokenServiceConfiguration, which is concerned with issuing tokens, derives from ServiceConfiguration, which is concerned with consuming tokens.
- SecurityTokenHandlerConfiguration. This class represents shared settings common to all token handlers. It is a property on the SecurityTokenHandlerCollection class, and can also be specified on individual security token handlers if a finer degree of customization is required.
ServiceConfiguration
ServiceConfiguration has the following properties:
- ClaimsAuthenticationManager. This is used for authenticating or transforming the incoming claims.
- ClaimsAuthorizationManager. This is used to determine whether the user’s request is authorized. It is invoked when the user uses declarative permissions, for example, by decorating a method with the ClaimsPrincipalPermissionAttribute attribute.
- IssuerNameRegistry. This translates a security token to a friendly token issuer name in the form of a string. An IssuerNameRegistry is used to validate trusted issuers, typically represented by X509 certificates.
- IssuerTokenResolver. This is used to resolve the issuer token, which represents the token that signed the incoming token presented to the relying party application.
- SecurityTokenHandlerCollectionManager. This is a collection of token handler collections based on usage. By default it contains the following collections: the default collection, ActAs, and OnBehalfOf. ActAs and OnBehalfOf scenarios are used during token issuance, so these token handlers do not need to be configured by relying party applications. A relying party STS (RP-STS) that consumes a request for security token (RST) that contains an ActAs or OnBehalfOf token must have these token handlers configured.
- SecurityTokenHandlers. This is the default token handler collection in SecurityTokenHandlerCollectionManager.
- ServiceCertificate. This represents the service’s decryption certificate that is used for decrypting tokens.
- ServiceConfigurationName. This is the name of the service, as defined in the configuration file. It defaults to an empty string.
SecurityTokenServiceConfiguration
In addition to the properties it inherits from ServiceConfiguration, SecurityTokenServiceConfiguration has the following properties:
- SecurityTokenService. Gets or sets the type of the SecurityTokenService.
- DefaultSymmetricKeySizeInBits. Gets or sets the default key size in bits used in the issued token. This applies only to issued tokens that contain a symmetric key.
- DefaultMaxSymmetricKeySizeInBits. Gets or sets the default key size limit in bits, used to check whether the KeySize specified in the request is within this limit. This applies only to issued tokens that contain a symmetric key.
- DefaultTokenLifetime. Gets or sets the default lifetime used in the issued tokens.
- DefaultTokenType. Gets or sets the default token type used in token issuance.
- MaximumTokenLifetime. Gets or sets the maximum token lifetime for issued tokens.
- SigningCredentials. Gets or sets the signing credentials.
- TokenIssuerName. Gets the issuer name so that it can be reflected in the issued token.
- TrustEndpoints. Gets the list of endpoints to enable for WS-Trust.
- WSTrust13RequestSerializer. Gets or sets the WS-Trust 1.3 Request (RST) serializer.
- WSTrust13ResponseSerializer. Gets or sets the WS-Trust 1.3 Response (RSTR) serializer.
- WSTrustFeb2005RequestSerializer. Gets or sets the WS-Trust Feb 2005 Request (RST) serializer.
- WSTrustFeb2005ResponseSerializer. Gets or sets the WS-Trust Feb 2005 Response (RSTR) serializer.
SecurityTokenHandlerConfiguration
For details about the SecurityTokenHandlerConfiguration class, see Token Handler Configuration.
SecurityTokenService.Scope Class
The Scope class contains information about a Relying Party (RP). You can extend the Scope class to contain additional information, such as token types accepted by the RP, default token lifetime, maximum token lifetime, algorithm suites used by the RP, and so on. The information in this class should not vary for individual requests.
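The following added example (not part of the original documentation or of WIF itself) ties the SecurityTokenServiceConfiguration properties listed above to a Scope subclass that carries per-RP settings: a hypothetical STS builds its configuration with a short default and a capped maximum token lifetime, issues only for one known RP, and requires tokens for that RP to be encrypted. The namespaces are those of WIF 1.0 (Microsoft.IdentityModel); the STS and RP addresses, certificate paths and password are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Tokens;

public class RelyingPartyScope : Scope // hypothetical subclass: per-RP settings that do not vary per request
{
    public RelyingPartyScope(string appliesTo, SigningCredentials signing, X509Certificate2 rpCert)
        : base(appliesTo, signing)
    {
        EncryptingCredentials = new X509EncryptingCredentials(rpCert);
        TokenEncryptionRequired = true; // refuse to issue a plaintext token to this RP
    }
}

public class DemoSecurityTokenService : SecurityTokenService
{
    const string KnownRp = "https://rp.example.test/"; // assumed RP address
    public DemoSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Issue only for the single RP this demo knows about; anything else is rejected.
        if (request.AppliesTo == null || request.AppliesTo.Uri.AbsoluteUri != KnownRp)
            throw new InvalidRequestException("Unknown relying party");
        var rpCert = new X509Certificate2(@"C:\placeholder\rp-encrypt.cer"); // placeholder path
        return new RelyingPartyScope(KnownRp, SecurityTokenServiceConfiguration.SigningCredentials, rpCert);
    }
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
    // Builds the STS configuration from the SecurityTokenServiceConfiguration properties listed above.
    public static SecurityTokenServiceConfiguration BuildConfiguration()
    {
        var signingCert = new X509Certificate2(@"C:\placeholder\sts-signing.pfx", "placeholder-password");
        var config = new SecurityTokenServiceConfiguration("https://sts.example.test/", new X509SigningCredentials(signingCert));
        config.SecurityTokenService = typeof(DemoSecurityTokenService);
        config.DefaultTokenType = SecurityTokenTypes.Saml2TokenProfile11;
        config.DefaultTokenLifetime = TimeSpan.FromMinutes(10); // short default lifetime
        config.MaximumTokenLifetime = TimeSpan.FromHours(1);    // cap on any requested lifetime
        return config;
    }
}
```

Because the Scope is built once per RP rather than per request, settings such as the encrypting certificate and the encryption requirement cannot be influenced by the contents of an individual RST.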