Service Configuration

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

The microsoft.identityModel section takes a single child element, the <service> element; multiple <service> elements may be specified in the section. Each <service> element specifies a service configuration section. Some of the settings specified in the <service> element can be overridden by settings on a security token handler collection or by settings on individual security token handlers. For more information, see Security Token Handler Collection Configuration or Security Token Handler Configuration. Elements that can be specified both on a service and on a security token handler collection are explained in Security Token Handler Collection Configuration.

service Element

Specifies a service configuration section. Multiple service configurations may be defined, each with a unique name. If no name is specified, the service section defines the default configuration. The default configuration is always used for passive federation scenarios. A service configuration section is represented by the ServiceConfiguration class.

Some of the elements that can appear in the service configuration are defined in different topics. These are noted in the list of child elements for the <service> element.

Syntax:

<microsoft.identityModel>
    <service name=String>
        <applicationService> ... </applicationService>
        <audienceUris> ... </audienceUris>
        <certificateValidation> ... </certificateValidation>
        <claimsAuthenticationManager> ... </claimsAuthenticationManager>
        <claimsAuthorizationManager> ... </claimsAuthorizationManager>
        <federatedAuthentication> ... </federatedAuthentication>
        <issuerNameRegistry> ... </issuerNameRegistry>
        <issuerTokenResolver> ... </issuerTokenResolver>
        <maximumClockSkew> ... </maximumClockSkew>
        <securityTokenHandlers> ... </securityTokenHandlers>
        <serviceCertificate> ... </serviceCertificate>
        <serviceTokenResolver> ... </serviceTokenResolver>
    </service>
</microsoft.identityModel>

Parent Element: <microsoft.identityModel>

Child Elements:

  • <applicationService>

  • <audienceUris>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see audienceUris Element in “Security Token Handler Collection Configuration”.

  • <certificateValidation>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see certificateValidation Element in “Security Token Handler Collection Configuration”.

  • <claimsAuthenticationManager>

  • <claimsAuthorizationManager>

  • <federatedAuthentication>

    This element configures federated authentication for the service. For a detailed description of this element, see Federated Authentication Configuration.

  • <issuerNameRegistry>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see issuerNameRegistry Element in “Security Token Handler Collection Configuration”.

  • <issuerTokenResolver>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see issuerTokenResolver Element in “Security Token Handler Collection Configuration”.

  • <maximumClockSkew>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see maximumClockSkew Element in “Security Token Handler Collection Configuration”.

  • <securityTokenHandlers>

    This element configures a named security token handler collection. One or more such collections can be configured for the service. For a detailed description of this element, see Security Token Handler Collection Configuration.

  • <serviceCertificate>

  • <serviceTokenResolver>

    This element can be defined for both a service configuration and a security token handler collection. For a detailed description of this element, see serviceTokenResolver Element in “Security Token Handler Collection Configuration”.

Attributes:

Attribute Name: name

Description: The name of the service configuration. You can use this name to reference a specific configuration section. If no name attribute is specified, the section defines the default configuration, which is always used for passive federation scenarios.

Example:

<microsoft.identityModel>
    <service/>
    
    <service name="alternate"/>
</microsoft.identityModel>

applicationService Element

Specifies the claims that the application requires in any tokens that are issued to it by a security token service (STS). The presence of this element allows FedUtil to create the correct application federation metadata. It also provides an easy way to update the claim type requirements of the relying party application. If claim type requirements are updated, FedUtil should be run again to update the application metadata.

Add claim types to the <claimTypeRequired> collection by using the <claimType> element. The type attribute of this element specifies the URI of the claim type; it is compared as an exact string against the claim types in issued tokens, so it must match the issuer's identifier character for character. The optional attribute specifies whether the claim is optional or required in tokens issued to the application by an STS.

Syntax:

<microsoft.identityModel>
    <service>
        <applicationService>
            <claimTypeRequired>
                <claimType type=String optional=Boolean />
            </claimTypeRequired>
        </applicationService>
    </service>
</microsoft.identityModel>

Parent Element: <service>

Child Elements:

  • <claimTypeRequired>

  • <claimTypeRequired>/<claimType>

Attributes: none

Example:

    <applicationService>
        <claimTypeRequired>
            <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
            <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        </claimTypeRequired>
    </applicationService>

claimsAuthenticationManager Element

Registers a claims authentication manager for the incoming claims. The default behavior provided through the ClaimsAuthenticationManager class echoes the incoming claims. You can also specify the type attribute to register a type derived from the ClaimsAuthenticationManager class to implement custom behavior. This element does not provide a mechanism to add any configuration for the claims authentication manager. This element sets the Microsoft.IdentityModel.Configuration.ServiceConfiguration.ClaimsAuthenticationManager property.

Syntax:

<microsoft.identityModel>
    <service name=String>
        <claimsAuthenticationManager type=String />
    </service>
</microsoft.identityModel>

Parent Element: <service>

Child Elements: none

Attributes:

Attribute Name: type

Description: A custom type that derives from the ClaimsAuthenticationManager class. For more information about how to specify the type attribute, see Custom Type References.

Example:

<microsoft.identityModel>
    <service>
      <claimsAuthenticationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>
    </service>
</microsoft.identityModel>
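
A custom manager of the kind this element registers, written as an added example for this page (it is not part of the WIF documentation or of any Microsoft sample). It targets WIF 3.5 (Microsoft.IdentityModel.dll, plus System.IdentityModel.dll for SecurityTokenException) and uses the type name from the example above. The role table, the user names and the "LOCAL AUTHORITY" issuer label are constructed for illustration; a real application would read the roles from its own store.

```csharp
// Added example, not from the WIF documentation. Registered through
// <claimsAuthenticationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>.
// Targets WIF 3.5 (Microsoft.IdentityModel.dll, System.IdentityModel.dll).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;        // SecurityTokenException
using Microsoft.IdentityModel.Claims;

namespace MyNamespace
{
    public class CustomClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Constructed sample data: roles the application assigns locally, keyed by
        // the federated user's name claim. A real application reads this from a store.
        private static readonly Dictionary<string, string[]> LocalRoles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@contoso.com", new[] { "Reader", "Approver" } },
                { "bob@contoso.com",   new[] { "Reader" } },
            };

        // Issuer label stamped on claims this manager adds, so later code can
        // tell locally assigned roles from roles asserted by an STS (assumed label).
        private const string LocalIssuer = "LOCAL AUTHORITY";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // The base class returns incomingPrincipal unchanged; this override
            // validates and enriches it instead.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                // Anonymous request: hand it back untouched so the normal
                // redirect-to-STS handling still happens.
                return incomingPrincipal;
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

            string name = FirstValue(identity, ClaimTypes.Name);
            if (string.IsNullOrEmpty(name))
            {
                // Reject rather than continue with an unidentifiable principal.
                throw new SecurityTokenException("Token does not carry the required name claim.");
            }

            // Roles are an application decision here: discard any role claims the
            // STS put in the token, then add the locally assigned ones.
            List<Claim> stsRoles = new List<Claim>();
            foreach (Claim c in identity.Claims)
                if (c.ClaimType == ClaimTypes.Role) stsRoles.Add(c);
            foreach (Claim c in stsRoles)
                identity.Claims.Remove(c);

            string[] roles;
            if (LocalRoles.TryGetValue(name, out roles))
                foreach (string role in roles)
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));

            return incomingPrincipal;
        }

        private static string FirstValue(IClaimsIdentity identity, string claimType)
        {
            foreach (Claim c in identity.Claims)
                if (c.ClaimType == claimType) return c.Value;
            return null;
        }
    }
}
```

In a passive web application the principal returned here is what gets written into the session cookie, so the locally assigned roles persist for the session and a change to the table takes effect at the user's next sign-in. Throwing from Authenticate fails the sign-in; returning the principal unchanged is what the default manager does.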

claimsAuthorizationManager Element

Registers a claims authorization manager for the incoming claims. The default behavior provided through the ClaimsAuthorizationManager class always authorizes the incoming claims, so a service that relies on the ClaimsAuthorizationModule or on ClaimsPrincipalPermission for access decisions must register a custom type here; otherwise every authenticated request passes the check. You can specify the type attribute to register a type derived from the ClaimsAuthorizationManager class to implement custom behavior. This element does not provide a mechanism to add any configuration for the claims authorization manager. This element sets the Microsoft.IdentityModel.Configuration.ServiceConfiguration.ClaimsAuthorizationManager property.

Syntax:

<microsoft.identityModel>
    <service name=String>
        <claimsAuthorizationManager type=String />
    </service>
</microsoft.identityModel>

Parent Element: <service>

Child Elements: none

Attributes:

Attribute Name: type

Description: A custom type that derives from the ClaimsAuthorizationManager class. For more information about how to specify the type attribute, see Custom Type References.

Example:

<microsoft.identityModel>
    <service>
      <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthorizationManager, MyAssembly"/>        
    </service>
</microsoft.identityModel>
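
A deny-by-default authorization manager for this element, added here as an example (not from the WIF documentation or a Microsoft sample) and using the type name from the example above. It targets WIF 3.5 (Microsoft.IdentityModel.dll). The policy table, the URL path prefixes and the role names are constructed for illustration. It assumes, as the ClaimsAuthorizationModule does for web requests, that the resource claim carries the request URL and the action claim carries the HTTP verb; it reads the first claim of each collection whatever its claim type.

```csharp
// Added example, not from the WIF documentation. Registered through
// <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthorizationManager, MyAssembly"/>.
// Targets WIF 3.5 (Microsoft.IdentityModel.dll).
using System;
using System.Collections.ObjectModel;
using Microsoft.IdentityModel.Claims;

namespace MyNamespace
{
    public class CustomClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        // One rule = (URL path prefix, HTTP verb, roles allowed to perform it).
        private sealed class Rule
        {
            public readonly string PathPrefix;
            public readonly string Action;
            public readonly string[] Roles;
            public Rule(string pathPrefix, string action, params string[] roles)
            {
                PathPrefix = pathPrefix; Action = action; Roles = roles;
            }
        }

        // Constructed sample policy. Anything not matched here is denied, the
        // opposite of the default ClaimsAuthorizationManager, which returns true.
        private static readonly Rule[] Policy =
        {
            new Rule("/approvals/", "POST", "Approver"),
            new Rule("/approvals/", "GET",  "Approver", "Reader"),
            new Rule("/reports/",   "GET",  "Reader"),
        };

        public override bool CheckAccess(AuthorizationContext context)
        {
            if (context == null || context.Principal == null || context.Principal.Identity == null
                || !context.Principal.Identity.IsAuthenticated)
                return false;

            // Assumed layout: resource = request URL, action = HTTP verb (one claim each).
            string resource = FirstValue(context.Resource);
            string action = FirstValue(context.Action);
            if (resource == null || action == null)
                return false;

            string path = ToPath(resource);
            foreach (Rule rule in Policy)
            {
                if (!path.StartsWith(rule.PathPrefix, StringComparison.OrdinalIgnoreCase)) continue;
                if (!string.Equals(action, rule.Action, StringComparison.OrdinalIgnoreCase)) continue;
                foreach (string role in rule.Roles)
                    if (context.Principal.IsInRole(role))   // checks the identity's role claims
                        return true;
            }
            return false;   // fail closed
        }

        private static string FirstValue(Collection<Claim> claims)
        {
            return (claims != null && claims.Count > 0) ? claims[0].Value : null;
        }

        // Decide on the URL path only, so scheme, host and query string cannot
        // influence the outcome; Uri also collapses "." and ".." segments.
        private static string ToPath(string resource)
        {
            Uri uri;
            return Uri.TryCreate(resource, UriKind.Absolute, out uri) ? uri.AbsolutePath : resource;
        }
    }
}
```

Because the module invokes CheckAccess for every request it sees, a fail-closed policy must list every path the application serves, including sign-in pages and static content, or those requests are refused as well.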

serviceCertificate Element

Sets the certificate used for token decryption. In the case of an Information Card relying party, this should be the SSL certificate of the website. Any certificate that is identified must have a private key and the private key must have appropriate access control permissions so that it may be read by the application pool identity. This element sets the Microsoft.IdentityModel.Configuration.ServiceConfiguration.ServiceCertificate property.

Syntax:

<microsoft.identityModel>
    <service name=String>
        <serviceCertificate>
            <certificateReference 
                    x509FindType="FindByThumbprint||FindBySubjectName"
                    findValue= depends on the x509FindType attribute
                    storeLocation="CurrentUser||LocalMachine"
                    storeName="AddressBook||AuthRoot||CertificateAuthority||Disallowed||My||Root||TrustedPeople||TrustedPublisher" />
        </serviceCertificate>
    </service>
</microsoft.identityModel>

Parent Element: <service>

Child Elements:

  • <certificateReference>

Attributes: none

Example:

<microsoft.identityModel>
    <service>
        <serviceCertificate>
            <certificateReference x509FindType="FindByThumbprint"
                                  findValue="97249e1a5fa6bee5e515b82111ef524a4c91583f"
                                  storeLocation="LocalMachine"
                                  storeName="My" />
        </serviceCertificate>
    </service>
</microsoft.identityModel>

certificateReference Element

This element specifies a reference to the service certificate.

Syntax:

<microsoft.identityModel>
    <service name=String>
        <serviceCertificate>
            <certificateReference 
                    x509FindType="FindByThumbprint||FindBySubjectName"
                    findValue= depends on the x509FindType attribute
                    storeLocation="CurrentUser||LocalMachine"
                    storeName="AddressBook||AuthRoot||CertificateAuthority||Disallowed||My||Root||TrustedPeople||TrustedPublisher" />
        </serviceCertificate>
    </service>
</microsoft.identityModel>

Parent Element: <serviceCertificate>

Child Elements: none

Attributes: For information about the attributes of this element, see Certificate References.

Example:

        <certificateReference x509FindType="FindByThumbprint"
                              findValue="97249e1a5fa6bee5e515b82111ef524a4c91583f"
                              storeLocation="LocalMachine"
                              storeName="My" />
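
A diagnostic for the <serviceCertificate> and <certificateReference> elements, added here as an example (it is not part of the WIF documentation). It performs the same store lookup the elements describe with the .NET X509Store API and reports the reasons a configured certificate is unusable: thumbprint not found, no private key, private key not readable by the current account, or expired. Run it as the application pool identity, or call Check from a diagnostic page inside the application, so the private key ACL is tested for the account that matters. The thumbprint in the usage line is the one from the example above; the normalization rules and the validOnly=false choice are this example's own.

```csharp
// Added example, not from the WIF documentation: reproduces the certificate lookup
// that <serviceCertificate>/<certificateReference> performs and explains failures.
// Build as a console application; run as the application pool identity.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ServiceCertificateCheck
{
    // Returns null when the certificate is usable as a WIF service certificate,
    // otherwise a short description of the problem.
    public static string Check(string thumbprint, StoreLocation storeLocation, StoreName storeName)
    {
        // Thumbprints pasted from the certificate dialog often carry spaces and an
        // invisible left-to-right mark (U+200E); the findValue must contain neither.
        string normalized = thumbprint.Replace(" ", string.Empty).Trim('\u200E', '\u200F').ToUpperInvariant();
        if (normalized.Length != 40)
            return "thumbprint should be 40 hex characters, got " + normalized.Length;

        X509Store store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly:false so that a self-signed or test certificate is still found;
            // chain validity is checked separately if the deployment requires it.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, normalized, false);
            if (found.Count == 0)
                return "no certificate with thumbprint " + normalized + " in " + storeLocation + "\\" + storeName;

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                return "certificate " + cert.Subject + " has no private key, so it cannot decrypt tokens";
            try
            {
                // Reading PrivateKey opens the key container; an ACL that excludes
                // the current account surfaces here as a CryptographicException.
                if (cert.PrivateKey == null)
                    return "private key is not accessible";
            }
            catch (CryptographicException ex)
            {
                return "private key cannot be opened by " + Environment.UserName + ": " + ex.Message;
            }
            if (DateTime.Now > cert.NotAfter)
                return "certificate expired on " + cert.NotAfter.ToString("u");
            return null;
        }
        finally
        {
            store.Close();
        }
    }

    // usage: ServiceCertificateCheck 97249e1a5fa6bee5e515b82111ef524a4c91583f LocalMachine My
    public static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ServiceCertificateCheck <thumbprint> [LocalMachine|CurrentUser] [My|Root|...]");
            return 2;
        }
        StoreLocation location = args.Length > 1
            ? (StoreLocation)Enum.Parse(typeof(StoreLocation), args[1], true)
            : StoreLocation.LocalMachine;
        StoreName storeName = args.Length > 2
            ? (StoreName)Enum.Parse(typeof(StoreName), args[2], true)
            : StoreName.My;

        string problem = Check(args[0], location, storeName);
        Console.WriteLine(problem ?? "OK: certificate found and private key readable by " + Environment.UserName);
        return problem == null ? 0 : 1;
    }
}
```

A non-null result from Check corresponds to a failure WIF would report when it initializes the service configuration; the private key case is the one that passes on a developer's machine (where the developer owns the key) and fails under IIS, which is why the check should run as the pool identity.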

See Also

Reference

ServiceConfiguration

Concepts

Configuration