There are three classes that define the configuration for Windows® Identity Foundation (WIF):
- ServiceConfiguration. This class is used
to configure a relying party application, which consumes
- SecurityTokenServiceConfiguration. This
class is used to configure an STS, which both consumes and issues
tokens. SecurityTokenServiceConfiguration, which
is concerned with issuing tokens, derives from ServiceConfiguration, which is concerned
with consuming tokens.
- The SecurityTokenHandlerConfiguration class
represents shared settings common to all token handlers. This is a
property on the SecurityTokenHandlerCollection class,
and can also be specified on individual security token handlers if
a finer degree of customization is required.
ServiceConfiguration has the following properties:
- ClaimsAuthenticationManager. This is
used for authenticating or transforming the incoming claims.
- ClaimsAuthorizationManager. This is used
to determine whether the user’s request is authorized. It is
invoked when the user uses declarative permissions, for example, if
they decorate a method with the ClaimsPrincipalPermissionAttribute
- IssuerNameRegistry. This translates a
security token to a friendly token issuer name in the form of a
string. An IssuerNameRegistry is used to validate trusted
issuers, typically represented by X509 certificates.
- IssuerTokenResolver. This is used to
resolve the issuer token, which represents the token that signed
the incoming token presented to the relying party application.
This is a collection of token handler collections based on usage.
By default it contains the following collections: the default
collection, ActAs, and OnBehalfOf. ActAs and OnBehalfOf scenarios
are used during token issuance, so these token handlers do not need
to be configured by relying party applications. A relying party STS
(RP-STS) that consumes a request for security token (RST) that
contains an ActAs or OnBehalfOf token must have these token
- SecurityTokenHandlers. This is the
default token handler collection in SecurityTokenHandlerCollectionManager.
- ServiceCertificate. This represents the
service’s decryption certificate that is used for decrypting
- ServiceConfigurationName. This is the
name of the service, as defined in the configuration file. It
defaults to an empty string.
- SecurityTokenService. Gets or sets the
type of the SecurityTokenService.
- DefaultSymmetricKeySizeInBits. Gets or
sets the default key size in bits used in the issued token. This
applies only to issued tokens that contain a symmetric key.
- DefaultMaxSymmetricKeySizeInBits. Gets
or sets the default key size limit in bits used check if the
KeySize specified in the request is within this limit. This applies
only to issued tokens that contain a symmetric key.
- DefaultTokenLifetime. Gets or sets the
default lifetime used in the issued tokens.
- DefaultTokenType. Gets or sets the
default token type used in token issuance.
- MaximumTokenLifetime. Gets or sets the
maximum token lifetime for issued tokens.
- SigningCredentials. Gets or sets the
- TokenIssuerName. Gets the issuer name so
that it can be reflected in the issued token.
- TrustEndpoints. Gets the list of
endpoints to enable for WS-Trust.
- WSTrust13RequestSerializer. Gets or sets
the WS-Trust 1.3 Request (RST) serializer.
- WSTrust13ResponseSerializer. Gets or
sets the WS-Trust 1.3 Response (RSTR) serializer.
- WSTrustFeb2005RequestSerializer. Gets or
sets the WS-Trust Feb 2005 Request (RST) serializer.
- WSTrustFeb2005ResponseSerializer. Gets
or sets the WS-Trust Feb 2005 Response (RSTR) serializer.
The Scope class contains information about a Relying Party (RP). You can extend the Scope class to contain additional information, such as token types accepted by the RP, default token lifetime, maximum token lifetime, algorithm suites used by the RP, and so on. The information in this class should not vary for individual requests.