<issuedTokenAuthentication> of <serviceCredentials>

Specifies a custom token issued as a service credential.



<issuedTokenAuthentication allowUntrustedRsaIssuers="Boolean"
                           customCertificateValidatorType="namespace.typeName, [,AssemblyName] [,Version=version number] [,Culture=culture] [,PublicKeyToken=token]"
    <add allowedAudienceUri="String" />
    <add findValue="String"
         storeName=" CurrentUser/LocalMachine"
         x509FindType="FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindBySerialNumber/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier" />

Attributes and Elements

The following sections describe attributes, child elements, and parent elements


Attribute Description
allowedAudienceUris Gets the set of target URIs for which the SamlSecurityToken security token can be targeted for in order to be considered valid by a SamlSecurityTokenAuthenticator instance. For more information on using this attribute, see AllowedAudienceUris.
allowUntrustedRsaIssuers A Boolean value that specifies if untrusted RSA certificate issuers are allowed.

Certificates are signed by certification authorities (CAs) to verify authenticity. An untrusted issuer is a CA that is not specified to be trusted to sign certificates.
audienceUriMode Gets a value that specifies whether the SamlSecurityToken security token's SamlAudienceRestrictionCondition should be validated. This value is of type AudienceUriMode. For more information on using this attribute, see AudienceUriMode.
certificateValidationMode Sets the certificate validation mode. One of the valid values of X509CertificateValidationMode. If set to Custom, then a customCertificateValidator must also be supplied. The default is ChainTrust.
customCertificateValidatorType Optional string. A type and assembly used to validate a custom type. This attribute must be set when certificateValidationMode is set to Custom.
revocationMode Sets the revocation mode that specifies whether a revocation check occurs, and if it is performed online or offline. This attribute is of type X509RevocationMode.
samlSerializer An optional string attribute that specifies the type of SamlSerializer that is used for the service credential. The default is an empty string.
trustedStoreLocation Optional enumeration. One of the two system store locations: LocalMachine or CurrentUser.

Child Elements

Element Description
knownCertificates Specifies a collection of X509CertificateTrustedIssuerElement elements that specifies trusted issuers for the service credential.

Parent Elements

Element Description
<serviceCredentials> Specifies the credential to be used in authenticating the service, and the client credential validation-related settings.


The issued token scenario has three stages. In the first stage, a client trying to access a service is referred to a secure token service. The secure token service then authenticates the client and subsequently issues the client a token, typically a Security Assertions Markup Language (SAML) token. The client then returns to the service with the token. The service examines the token for data that allows the service to authenticate the token and therefore the client. To authenticate the token, the certificate the secure token service uses must be known to the service.

This element is the repository for any such secure token service certificates. To add certificates, use the <knownCertificates>. Insert an <add> for each certificate, as shown in the following example.

    <add findValue="www.contoso.com"
         X509FindType="FindBySubjectName" />

By default, the certificates must be obtained from a secure token service. These "known" certificates ensure that only legitimate clients can access a service.

For more information on using this configuration element, see How to: Configure Credentials on a Federation Service.

See also