<scopedCertificates> Element
Represents a collection of X.509 certificates provided by specific services (scoped) for authentication. This collection is typically used to specify the service certificates for Security Token Services in a federated scenario.
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior>
<clientCredentials>
<serviceCertificate>
<scopedCertificates>
Syntax
<scopedCertificates>
<add findValue="String"
storeLocation="CurrentUser/LocalMachine"
storeName=" CurrentUser/LocalMachine"
targetUri="string"
x509Type="FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindBySerialNumber/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier" />
</scopedCertificates>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
None.
Child Elements
Element | Description |
---|---|
<add> | Adds an X.509 certificate to the collection of scoped certificates. |
Parent Elements
Element | Description |
---|---|
<serviceCertificate> | Specifies a certificate to use when authenticating a service to the client. |
Remarks
This collection enables the client to configure the service certificates to use based on the URL of the service it communicates with. This is especially useful in issued token scenarios where a client can be communicating to multiple services (the end service as well as intermediary security token services). For bindings that use certificate-based message security, this certificate is used to encrypt messages to the service, and is expected to be used by the service for signing replies to the client.
If a binding requires a certificate for the service and no specific certificate for the service URL is found in the ScopedCertificates, the default certificate is used.
For more information, see the "Scoped Certificates" section of How to: Create a Federated Client.
Example
The following example specifies a service certificate for the client to use when communicating with endpoints whose domain name is http://www.contoso.com
over the HTTP protocol.
<serviceCertificate>
<scopedCertificates>
<add targetUri="http://www.contoso.com"
findValue="www.contoso.com"
storeLocation="LocalMachine"
storeName="Root"
x509FindType="FindByIssuerName" />
</scopedCertificates>
</serviceCertificate>