
Saml2SecurityTokenHandler.CreateConditions(SecurityTokenDescriptor) Method

Definition

Creates the conditions for the assertion.

protected virtual Microsoft.IdentityModel.Tokens.Saml2.Saml2Conditions CreateConditions (Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor tokenDescriptor);
abstract member CreateConditions : Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor -> Microsoft.IdentityModel.Tokens.Saml2.Saml2Conditions
override this.CreateConditions : Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor -> Microsoft.IdentityModel.Tokens.Saml2.Saml2Conditions
Protected Overridable Function CreateConditions (tokenDescriptor As SecurityTokenDescriptor) As Saml2Conditions

Parameters

tokenDescriptor
SecurityTokenDescriptor

Contains the details of the conditions.

Returns

A Saml2Conditions object.

Exceptions

If tokenDescriptor is null.

Remarks

Generally, conditions should be included in assertions to limit the impact of misuse of the assertion. Specifying the NotBefore and NotOnOrAfter conditions can limit the period of vulnerability in the case of a compromised assertion. The AudienceRestrictionCondition can be used to explicitly state the intended relying party or parties of the assertion, which coupled with appropriate audience restriction enforcement at relying parties can help to mitigate spoofing attacks between relying parties.

The default implementation creates NotBefore and NotOnOrAfter conditions based on the tokenDescriptor.Lifetime. It will also generate an AudienceRestrictionCondition limiting consumption of the assertion to tokenDescriptor.Scope.Address.
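As an added example (not part of the original page or the Microsoft.IdentityModel library), the subclass below overrides CreateConditions to tighten what the base implementation produces: it supplies a missing NotBefore, caps the NotBefore/NotOnOrAfter window at a policy maximum, refuses to issue an assertion with no audience restriction, and marks the assertion OneTimeUse. The handler class name, the policy values, and the issuer and audience URLs are placeholders; the example uses the NotBefore, Expires and Audience properties of Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor to feed the base implementation.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Hypothetical issuer-side handler that narrows the conditions created by the base class.
public class ConstrainedSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Assumed policy values; choose them per deployment.
    private static readonly TimeSpan MaxLifetime = TimeSpan.FromMinutes(5);
    private static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(2);

    protected override Saml2Conditions CreateConditions(SecurityTokenDescriptor tokenDescriptor)
    {
        if (tokenDescriptor == null)
            throw new ArgumentNullException(nameof(tokenDescriptor));

        // Base implementation derives NotBefore/NotOnOrAfter and the audience restriction
        // from the descriptor; we only constrain the result.
        Saml2Conditions conditions = base.CreateConditions(tokenDescriptor);

        DateTime now = DateTime.UtcNow;

        // An assertion with no NotBefore is valid from an unbounded past; pin it to now minus skew.
        if (!conditions.NotBefore.HasValue)
            conditions.NotBefore = now - ClockSkew;

        // Cap the validity window no matter what lifetime the caller requested.
        DateTime latestAllowed = conditions.NotBefore.Value + MaxLifetime;
        if (!conditions.NotOnOrAfter.HasValue || conditions.NotOnOrAfter.Value > latestAllowed)
            conditions.NotOnOrAfter = latestAllowed;

        // Without an audience restriction any relying party could consume the assertion.
        bool hasAudience = conditions.AudienceRestrictions.Any(r => r.Audiences.Count > 0);
        if (!hasAudience)
            throw new SecurityTokenException(
                "Refusing to issue a SAML2 assertion without an AudienceRestriction.");

        // Relying parties that honor OneTimeUse will reject a replayed copy of this assertion.
        conditions.OneTimeUse = true;
        return conditions;
    }
}

public static class Demo
{
    public static Saml2SecurityToken IssueExampleToken()
    {
        // Constructed sample key and descriptor for illustration only.
        using RSA rsa = RSA.Create(2048);
        var signingCredentials = new SigningCredentials(
            new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256);

        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://idp.example.invalid",      // placeholder issuer
            Audience = "https://rp.example.invalid",     // placeholder relying party
            NotBefore = DateTime.UtcNow,
            Expires = DateTime.UtcNow.AddHours(8),       // will be capped to MaxLifetime
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "alice") }),
            SigningCredentials = signingCredentials,
        };

        var handler = new ConstrainedSaml2TokenHandler();
        var token = (Saml2SecurityToken)handler.CreateToken(descriptor);

        // The issued assertion now carries a five-minute window, an audience, and OneTimeUse.
        Saml2Conditions c = token.Assertion.Conditions;
        Console.WriteLine($"NotBefore={c.NotBefore:u} NotOnOrAfter={c.NotOnOrAfter:u} OneTimeUse={c.OneTimeUse}");
        return token;
    }
}
```

The override keeps the base behaviour for the normal case and only intervenes where the descriptor would otherwise yield a weaker assertion; the relying party must still validate NotBefore, NotOnOrAfter and the audience on receipt, since conditions are only as strong as their enforcement.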
