WsFederationOptions Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Configuration options for WsFederationHandler
public ref class WsFederationOptions : Microsoft::AspNetCore::Authentication::RemoteAuthenticationOptionspublic class WsFederationOptions : Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptionstype WsFederationOptions = class
inherit RemoteAuthenticationOptionsPublic Class WsFederationOptions
Inherits RemoteAuthenticationOptions- Inheritance
Constructors
| WsFederationOptions() |
Initializes a new WsFederationOptions |
Properties
| AccessDeniedPath |
Gets or sets the optional path the user agent is redirected to if the user doesn't approve the authorization demand requested by the remote server. This property is not set by default. In this case, an exception is thrown if an access_denied response is returned by the remote authorization server. (Inherited from RemoteAuthenticationOptions) |
| AllowUnsolicitedLogins |
The Ws-Federation protocol allows the user to initiate logins without contacting the application for a Challenge first. However, that flow is susceptible to XSRF and other attacks so it is disabled here by default. |
| Backchannel |
Used to communicate with the remote identity provider. (Inherited from RemoteAuthenticationOptions) |
| BackchannelHttpHandler |
The HttpMessageHandler used to communicate with remote identity provider. This cannot be set at the same time as BackchannelCertificateValidator unless the value can be downcast to a WebRequestHandler. (Inherited from RemoteAuthenticationOptions) |
| BackchannelTimeout |
Gets or sets timeout value in milliseconds for back channel communications with the remote identity provider. (Inherited from RemoteAuthenticationOptions) |
| CallbackPath |
The request path within the application's base path where the user-agent will be returned. The middleware will process this request when it arrives. (Inherited from RemoteAuthenticationOptions) |
| ClaimsIssuer |
Gets or sets the issuer that should be used for any claims that are created (Inherited from AuthenticationSchemeOptions) |
| Configuration |
Configuration provided directly by the developer. If provided, then MetadataAddress and the Backchannel properties will not be used. This information should not be updated during request processing. |
| ConfigurationManager |
Responsible for retrieving, caching, and refreshing the configuration from metadata. If not provided, then one will be created using the MetadataAddress and Backchannel properties. |
| CorrelationCookie |
Determines the settings used to create the correlation cookie before the cookie gets added to the response. (Inherited from RemoteAuthenticationOptions) |
| DataProtectionProvider |
Gets or sets the type used to secure data. (Inherited from RemoteAuthenticationOptions) |
| Events |
Gets or sets the WsFederationEvents to call when processing WsFederation messages. |
| EventsType |
If set, will be used as the service type to get the Events instance instead of the property. (Inherited from AuthenticationSchemeOptions) |
| ForwardAuthenticate |
If set, this specifies the target scheme that this scheme should forward AuthenticateAsync calls to. For example Context.AuthenticateAsync("ThisScheme") => Context.AuthenticateAsync("ForwardAuthenticateValue"); Set the target to the current scheme to disable forwarding and allow normal processing. (Inherited from AuthenticationSchemeOptions) |
| ForwardChallenge |
If set, this specifies the target scheme that this scheme should forward ChallengeAsync calls to. For example Context.ChallengeAsync("ThisScheme") => Context.ChallengeAsync("ForwardChallengeValue"); Set the target to the current scheme to disable forwarding and allow normal processing. (Inherited from AuthenticationSchemeOptions) |
| ForwardDefault |
If set, this specifies a default scheme that authentication handlers should forward all authentication operations to by default. The default forwarding logic will check the most specific ForwardAuthenticate/Challenge/Forbid/SignIn/SignOut setting first, followed by checking the ForwardDefaultSelector, followed by ForwardDefault. The first non null result will be used as the target scheme to forward to. (Inherited from AuthenticationSchemeOptions) |
| ForwardDefaultSelector |
Used to select a default scheme for the current request that authentication handlers should forward all authentication operations to by default. The default forwarding logic will check the most specific ForwardAuthenticate/Challenge/Forbid/SignIn/SignOut setting first, followed by checking the ForwardDefaultSelector, followed by ForwardDefault. The first non null result will be used as the target scheme to forward to. (Inherited from AuthenticationSchemeOptions) |
| ForwardForbid |
If set, this specifies the target scheme that this scheme should forward ForbidAsync calls to. For example Context.ForbidAsync("ThisScheme") => Context.ForbidAsync("ForwardForbidValue"); Set the target to the current scheme to disable forwarding and allow normal processing. (Inherited from AuthenticationSchemeOptions) |
| ForwardSignIn |
If set, this specifies the target scheme that this scheme should forward SignInAsync calls to. For example Context.SignInAsync("ThisScheme") => Context.SignInAsync("ForwardSignInValue"); Set the target to the current scheme to disable forwarding and allow normal processing. (Inherited from AuthenticationSchemeOptions) |
| ForwardSignOut |
If set, this specifies the target scheme that this scheme should forward SignOutAsync calls to. For example Context.SignOutAsync("ThisScheme") => Context.SignOutAsync("ForwardSignOutValue"); Set the target to the current scheme to disable forwarding and allow normal processing. (Inherited from AuthenticationSchemeOptions) |
| MetadataAddress |
Gets or sets the address to retrieve the wsFederation metadata |
| RefreshOnIssuerKeyNotFound |
Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic recovery in the event of a signature key rollover. This is enabled by default. |
| RemoteAuthenticationTimeout |
Gets or sets the time limit for completing the authentication flow (15 minutes by default). (Inherited from RemoteAuthenticationOptions) |
| RemoteSignOutPath |
Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme. |
| RequireHttpsMetadata |
Gets or sets if HTTPS is required for the metadata address or authority. The default is true. This should be disabled only in development environments. |
| ReturnUrlParameter |
Gets or sets the name of the parameter used to convey the original location of the user before the remote challenge was triggered up to the access denied page. This property is only used when the AccessDeniedPath is explicitly specified. (Inherited from RemoteAuthenticationOptions) |
| SaveTokens |
SaveTokens is not supported in WsFederation |
| SaveTokens |
Defines whether access and refresh tokens should be stored in the
AuthenticationProperties after a successful authorization.
This property is set to |
| SecurityTokenHandlers |
Obsolete.
Gets or sets the collection of ISecurityTokenValidator used to read and validate the SecurityTokens. |
| SignInScheme |
Gets or sets the authentication scheme corresponding to the middleware responsible of persisting user's identity after a successful authentication. This value typically corresponds to a cookie middleware registered in the Startup class. When omitted, DefaultSignInScheme is used as a fallback value. (Inherited from RemoteAuthenticationOptions) |
| SignOutScheme |
The Authentication Scheme to use with SignOutAsync from RemoteSignOutPath. SignInScheme will be used if this is not set. |
| SignOutWreply |
Gets or sets the 'wreply' value used during sign-out. If none is specified then the value from the Wreply field is used. |
| SkipUnrecognizedRequests |
Indicates if requests to the CallbackPath may also be for other components. If enabled the handler will pass requests through that do not contain WsFederation authentication responses. Disabling this and setting the CallbackPath to a dedicated endpoint may provide better error handling. This is disabled by default. |
| StateDataFormat |
Gets or sets the type used to secure data handled by the middleware. |
| TimeProvider |
Used for testing. (Inherited from AuthenticationSchemeOptions) |
| TokenHandlers |
Gets the collection of ISecurityTokenValidator used to read and validate the SecurityTokens. |
| TokenValidationParameters |
Gets or sets the TokenValidationParameters |
| UseSecurityTokenHandlers |
Gets or sets whether TokenHandlers or SecurityTokenHandlers will be used to validate the inbound token. |
| UseTokenLifetime |
Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. If the token does not provide lifetime information then normal session lifetimes will be used. This is enabled by default. |
| Wreply |
Gets or sets the 'wreply'. CallbackPath must be set to match or cleared so it can be generated dynamically. This field is optional. If not set then it will be generated from the current request and the CallbackPath. |
| Wtrealm |
Gets or sets the 'wtrealm'. |
Methods
| Validate() |
Check that the options are valid. Should throw an exception if things are not ok. |
| Validate(String) |
Checks that the options are valid for a specific scheme (Inherited from RemoteAuthenticationOptions) |
Applies to
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for