{"id":360,"date":"2010-05-11T17:27:00","date_gmt":"2010-05-12T02:27:00","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/2010\/05\/11\/a-hidden-gem-the-wif-config-schema\/"},"modified":"2010-05-11T17:27:00","modified_gmt":"2010-05-12T02:27:00","slug":"a-hidden-gem-the-wif-config-schema","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2010\/05\/11\/a-hidden-gem-the-wif-config-schema\/","title":{"rendered":"A Hidden Gem: The WIF Config Schema"},"content":{"rendered":"<p>During the WIF workshops I get various recurring questions: some have open-ended answers which would satisfy my logorrhea but require A LOT of time to write, others are just a matter of minutes. Today\u2019s post belongs to the latter category.<\/p>\n<p>Some of you would like more detailed documentation about the WIF configuration element: I have discovered that not everybody is aware that the full schema is available in the C:\\Program Files (x86)\\Windows Identity Foundation SDK\\vX.X folder! On top of that, there is also a sample XML file which gives a succinct but super-useful explanation of every element\u2019s usage. I am including here a screenshot of the schema (click for full size!) 
and I am pasting the sample file, so that you can hit it via search engine if you need to.<\/p>\n<p><a href=\"http:\/\/blogs.msdn.com\/blogfiles\/vbertocci\/WindowsLiveWriter\/AHiddenGemTheWIFConfigSchema_F56D\/ConfigPoster_2.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" style=\"border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px\" title=\"ConfigPoster\" border=\"0\" alt=\"ConfigPoster\" src=\"http:\/\/cloudidentity.com\/blog\/wp-content\/uploads\/2010\/05\/ConfigPoster_2.png\" width=\"103\" height=\"484\" \/><\/a> <\/p>\n<pre class=\"code\"><span style=\"color: blue\">&lt;?<\/span><span style=\"color: #a31515\">xml <\/span><span style=\"color: red\">version<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">1.0<\/span>&quot; <span style=\"color: red\">encoding<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">utf-8<\/span>&quot;<span style=\"color: blue\">?&gt;\r\n&lt;!--\r\n     <\/span><span style=\"color: green\">MICROSOFT WINDOWS IDENTITY FOUNDATION ASP.NET RELYING PARTY CONFIGURATION\r\n\r\n     In order to use the Windows Identity Foundation Framework to create an ASP.NET \r\n     website that acts as an Information Card or WS-Federation relying party, \r\n     you must make a number of changes to your web.config file.\r\n\r\n     (1) Reference the Microsoft.IdentityModel assembly\r\n\r\n     You must reference the Microsoft.IdentityModel assembly from the \r\n     system.web\/compilation section of your web.config. 
This section would\r\n     look like this:\r\n\r\n     &lt;configuration&gt;\r\n       ...\r\n       &lt;system.web&gt;\r\n         ...\r\n         &lt;compilation&gt;\r\n           &lt;assemblies&gt;\r\n             &lt;add assembly=&quot;Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35&quot; \/&gt;\r\n           &lt;\/assemblies&gt;\r\n         &lt;\/compilation&gt;\r\n         ...\r\n       &lt;\/system.web&gt;\r\n       ...\r\n     &lt;\/configuration&gt;\r\n\r\n     (2) Register the HTTP module\r\n\r\n     Support for relying party has been built using the following ASP.NET modules.\r\n        (a) SessionAuthenticationModule\r\n        (b) WSFederationAuthenticationModule\r\n        (c) ClaimsPrincipalHttpModule\r\n     Depending on your scenario you will include one or more of these modules.\r\n     \r\n     The below examples show how you must add the WSFederationAuthenticationModule in \r\n     one of two places depending on your hosting environment.\r\n\r\n       (a) For &quot;classic&quot; ASP.NET (includes IIS6 or IIS7 with a &quot;classic&quot; application pool)\r\n\r\n       You must reference WSFederationAuthenticationModule from the system.web\/httpModules\r\n       section of your web.config. 
This section would look like this:\r\n\r\n       &lt;configuration&gt;\r\n         ...\r\n         &lt;system.web&gt;\r\n           ...\r\n           &lt;httpModules&gt;\r\n             &lt;add name=&quot;WSFederatedAuthenticationModule&quot; type=&quot;Microsoft.IdentityModel.Web.WSFederatedAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35&quot;\/&gt;\r\n           &lt;\/httpModules&gt;\r\n           ...\r\n         &lt;\/system.web&gt;\r\n         ...\r\n       &lt;\/configuration&gt;\r\n       \r\n       (b) For IIS7 &quot;integrated&quot; mode\r\n\r\n       You must reference WSFederationAuthenticationModule from the system.webServer\/modules\r\n       section of your web.config or applicationHost.config. This section would look like\r\n       this:\r\n\r\n       &lt;configuration&gt;\r\n         ...\r\n         &lt;system.webServer&gt;\r\n           ...\r\n           &lt;modules&gt;\r\n             &lt;add name=&quot;WSFederationAuthenticationModule&quot; type=&quot;Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35&quot; preCondition=&quot;managedHandler&quot;\/&gt;\r\n           &lt;\/modules&gt;\r\n           ...\r\n         &lt;\/system.webServer&gt;\r\n         ...\r\n       &lt;\/configuration&gt;\r\n\r\n     (3) Register the configuration section\r\n\r\n     In order to use the rest of the configuration described by this file in your\r\n     web.config, you must reference MicrosoftIdentityModelSection from the configSections\r\n     section of your web.config. 
This section would look like this:\r\n\r\n     &lt;configuration&gt;\r\n       ...\r\n       &lt;configSections&gt;\r\n         &lt;section name=&quot;microsoft.identityModel&quot; type=&quot;Microsoft.IdentityModel.Web.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35&quot;\/&gt;\r\n       &lt;\/configSections&gt;\r\n       ...\r\n     &lt;\/configuration&gt;\r\n\r\n  <\/span><span style=\"color: blue\">--&gt;\r\n\r\n&lt;<\/span><span style=\"color: #a31515\">configuration<\/span><span style=\"color: blue\">&gt;\r\n  &lt;<\/span><span style=\"color: #a31515\">configSections<\/span><span style=\"color: blue\">&gt;\r\n    &lt;!--<\/span><span style=\"color: green\">&lt;section name=&quot;microsoft.identityModel&quot; type=&quot;Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35&quot; \/&gt;<\/span><span style=\"color: blue\">--&gt;\r\n    &lt;<\/span><span style=\"color: #a31515\">section <\/span><span style=\"color: red\">name<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">microsoft.identityModel<\/span>&quot; <span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n  &lt;\/<\/span><span style=\"color: #a31515\">configSections<\/span><span style=\"color: blue\">&gt;\r\n\r\n\r\n  &lt;!--\r\n     <\/span><span style=\"color: green\">The XML below illustrates the available configuration elements for the \r\n     WSFederationAuthenticationModule. This section contains some general comments\r\n     about conventions used throughout.\r\n\r\n     MODES\r\n\r\n     Many of the elements have a 'mode' attribute. 
This attribute generally \r\n     controls which class is used to do a particular part of the processing,\r\n     and which configuration elements are allowed as children of the current \r\n     element. A configuration error will be raised if elements are included\r\n     in the configuration file which are ignored because of the mode.\r\n\r\n     TIMESPAN VALUES\r\n\r\n     Where TimeSpan is used as the type of an attribute, see the MSDN documentation\r\n     for TimeSpan.Parse to see the allowed format, which fits this specification:\r\n       [ws][-]{ d | [d.]hh:mm[:ss[.ff]] }[ws]\r\n\r\n     For example, &quot;30&quot;, &quot;30.00:00&quot;, &quot;30.00:00:00&quot; all mean 30 days; and &quot;00:05&quot;, \r\n     &quot;00:05:00&quot;, &quot;0.00:05:00.00&quot; all mean five minutes.\r\n\r\n     CERTIFICATE REFERENCES\r\n\r\n     Several elements reference certificates. When referencing a certificate, these\r\n     attributes are available:\r\n\r\n       storeLocation\r\n         A value of the System.Security.Cryptography.X509Certificates.StoreLocation \r\n         enumeration: CurrentUser, CurrentMachine\r\n\r\n       storeName\r\n         A value of the System.Security.Cryptography.X509Certificates.StoreName \r\n         enumeration; the most useful for this context are: My, TrustedPeople\r\n\r\n       x509FindType\r\n         A value of the System.Security.Cryptography.X509Certificates.X509FindType\r\n         enumeration; the most useful for this context are: FindBySubjectName, \r\n         FindByThumbprint\r\n\r\n       findValue\r\n         The value used to find the certificate, based on the x509FindType. 
To \r\n         eliminate the chance of error, it is recommended that the FindByThumbprint\r\n         type be used in production, in which case this attribute has a value which\r\n         is the hex-string form of the certificate thumbprint; for example, \r\n         &quot;97249e1a5fa6bee5e515b82111ef524a4c91583f&quot;.\r\n\r\n     CUSTOM TYPE REFERENCES\r\n\r\n     Several elements reference custom types, using the 'type' attribute. This \r\n     attribute should specify the name of the custom type. To reference a type\r\n     from the GAC, a strong name should be used. To reference a type from an \r\n     assembly in the bin\/ directory, a simple assembly-qualified reference may\r\n     be used. Types defined in App_Code\/ may also be referenced by simply \r\n     specifying the type name with no qualifying assembly. Custom types must \r\n     be derived from the type specified, and they must provide a public default \r\n     (0 argument) constructor.\r\n\r\n  <\/span><span style=\"color: blue\">--&gt;\r\n  &lt;<\/span><span style=\"color: #a31515\">microsoft.identityModel<\/span><span style=\"color: blue\">&gt;\r\n    &lt;!--\r\n        <\/span><span style=\"color: green\">Multiple services may be defined, each with a unique name and defining \r\n        a specific configuration. \r\n        \r\n         Example\r\n        &lt;service name=&quot;alternate&quot; &gt;\r\n\r\n        If no name is specified, the service defines the\r\n        default configuration, which is always used for passive federation scenarios.\r\n    <\/span><span style=\"color: blue\">--&gt;\r\n    &lt;<\/span><span style=\"color: #a31515\">service<\/span><span style=\"color: blue\">&gt;\r\n\r\n    &lt;!-- \r\n         <\/span><span style=\"color: green\">&lt;securityTokenHandlers&gt; contains the set of SecurityTokenHandlers that \r\n         are registered with the endpoint. 
The securityTokenHandlers collection \r\n         by default is populated with Saml11SecurityTokenHandler, Saml2SecurityTokenHandler, \r\n         KerberosSecurityTokenHandler, WindowsUserNameSecurityTokenHandler, RsaSecurityTokenHandler, \r\n         X509SecurityTokenHandler and EncryptedSecurityTokenHandler. \r\n                 \r\n         Each TokenHandler entry can have custom configuration as\r\n         a child element of the TokenHandler element entry. Saml11SecurityTokenHandler,  \r\n         Saml2SecurityTokenHandler, X509SecurityTokenHandler and MembershipUserNameSecurityTokenHandler\r\n         have a pre-defined custom configuration section.\r\n         \r\n         SecurityTokenHandler collections can also be named, to be used in certain circumstances. The only names\r\n         that the framework handles are &quot;ActAs&quot; and &quot;OnBehalfOf&quot;. If handlers exist in these collections, they\r\n         will be used in lieu of the default handlers for processing ActAs and OnBehalfOf tokens.\r\n         \r\n         Example\r\n         &lt;securityTokenHandlers name=&quot;ActAs&quot;&gt;\r\n         \r\n     <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">securityTokenHandlers<\/span><span style=\"color: blue\">&gt;\r\n        \r\n        &lt;!--\r\n            <\/span><span style=\"color: green\">Configuration specific to this collection of security token handlers.\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        \r\n        &lt;<\/span><span style=\"color: #a31515\">securityTokenHandlerConfiguration<\/span><span style=\"color: blue\">&gt;\r\n\r\n          &lt;!--\r\n              <\/span><span style=\"color: green\">&lt;audienceUris&gt; specifies the set of URIs which are acceptable\r\n              as identifying this relying party. 
Tokens will not be accepted unless\r\n              they are scoped for one of the allowed audience URIs.\r\n\r\n              By default, no URIs will be added to the collection.\r\n\r\n              The SecurityTokenHandler for the SAML 1.1 and SAML 2.0 token types\r\n              use the values in this collection to configure any allowed audience\r\n              uri restrictions in SamlSecurityTokenRequirement objects.\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          \r\n          &lt;<\/span><span style=\"color: #a31515\">audienceUris<\/span><span style=\"color: blue\">&gt;\r\n            &lt;!-- \r\n                <\/span><span style=\"color: green\">&lt;clear\/&gt; may be used to remove any URIs that may be in\r\n                this configuration collection.\r\n            <\/span><span style=\"color: blue\">--&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">clear<\/span><span style=\"color: blue\">\/&gt;\r\n            &lt;!--\r\n                <\/span><span style=\"color: green\">Each &lt;add&gt; references an allowed audience URI.\r\n            <\/span><span style=\"color: blue\">--&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">value<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/www.example.com\/myapp\/<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n            &lt;!--\r\n                <\/span><span style=\"color: green\">Each &lt;remove&gt; removes an audience URI.\r\n            <\/span><span style=\"color: blue\">--&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">remove <\/span><span style=\"color: red\">value<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/www.example.com\/myapp\/<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n          &lt;\/<\/span><span style=\"color: #a31515\">audienceUris<\/span><span style=\"color: blue\">&gt;\r\n\r\n          
&lt;!-- \r\n              <\/span><span style=\"color: green\">issuerNameRegistry - All issuer tokens are validated using the IssuerNameRegistry.\r\n              The purpose of the IssuerNameRegistry is to map the issuer token to a string name.\r\n              Any custom type can be registered using the 'type' attribute of the &lt;issuerNameRegistry&gt;\r\n              element. The &lt;issuerNameRegistry&gt; can have one child element that will serve as\r\n              custom configuration to the IssuerNameRegistry. \r\n              \r\n              One IssuerNameRegistry type is provided out of the box.\r\n                (a) ConfigurationBasedIssuerNameRegistry - Can be used to configure a set of\r\n                    trusted issuer certificates in configuration. This type requires a child\r\n                    configuration element &lt;trustedIssuers&gt; where the trusted issuer certificates \r\n                    are configured. &lt;trustedIssuers&gt; configuration adds trusted certs using the\r\n                    hex-string form of the certificate thumbprint. 
\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">issuerNameRegistry <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel<\/span>&quot;<span style=\"color: blue\">&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">trustedIssuers<\/span><span style=\"color: blue\">&gt;\r\n              &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">thumbprint<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">97249e1a5fa6bee5e515b82111ef524a4c9158de<\/span>&quot; <span style=\"color: red\">name<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">contoso.com<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n              &lt;<\/span><span style=\"color: #a31515\">remove <\/span><span style=\"color: red\">thumbprint<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">97249e1a5fa6bee5e515b82111ef524a4c9158de<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n              &lt;<\/span><span style=\"color: #a31515\">clear<\/span><span style=\"color: blue\">\/&gt;\r\n            &lt;\/<\/span><span style=\"color: #a31515\">trustedIssuers<\/span><span style=\"color: blue\">&gt;\r\n          &lt;\/<\/span><span style=\"color: #a31515\">issuerNameRegistry<\/span><span style=\"color: blue\">&gt;\r\n\r\n\r\n          &lt;!-- \r\n              <\/span><span style=\"color: green\">&lt;issuerTokenResolver&gt; registers an issuer token resolver.\r\n              This can be used to resolve Issuer KeyIdentifierClauser while\r\n              deserializing a SAML token.\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          \r\n          &lt;<\/span><span style=\"color: #a31515\">issuerTokenResolver <\/span><span style=\"color: 
red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomTokenResolver, MyAssembly<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n          &lt;!-- \r\n              <\/span><span style=\"color: green\">&lt;serviceTokenResolver&gt; registers a service token resolver.\r\n              This can be used to resolve the service's own KeyIdentifierClauses while\r\n              deserializing a token.\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          \r\n          &lt;<\/span><span style=\"color: #a31515\">serviceTokenResolver <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomTokenResolver, MyAssembly<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n\r\n        &lt;\/<\/span><span style=\"color: #a31515\">securityTokenHandlerConfiguration<\/span><span style=\"color: blue\">&gt;\r\n        &lt;!-- \r\n            <\/span><span style=\"color: green\">&lt;clear \/&gt; may be used to clear all the token handlers in the current\r\n            collection. 
\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">clear <\/span><span style=\"color: blue\">\/&gt;\r\n        &lt;!-- \r\n            <\/span><span style=\"color: green\">&lt;remove&gt; can be used to remove a specific TokenHandler from the \r\n             current collection.\r\n             \r\n             ATTRIBUTES\r\n             \r\n             type - The CLR type name of the token handler to be removed.\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">remove <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n        &lt;!--\r\n             <\/span><span style=\"color: green\">&lt;add&gt; can be used to add a specific TokenHandler to the \r\n             current collection. The element can be followed by a custom\r\n             element section. The &lt;add&gt; element can take only one child element\r\n             which describes the custom configuration. 
When custom configuration\r\n             is used the Token Handler type should expose a constructor that takes\r\n             in an XmlElement.\r\n             \r\n             public class CustomTokenHandler : SecurityTokenHandler\r\n             {\r\n                 public CustomTokenHandler( XmlElement customConfig )\r\n                 {\r\n                 }\r\n             }\r\n             \r\n             ATTRIBUTES\r\n             \r\n             type - The CLR type name of the token handler to be added.\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomTokenHandler, MyAssembly<\/span>&quot;<span style=\"color: blue\">&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">customConfig <\/span><span style=\"color: red\">myAttr<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">val<\/span>&quot;<span style=\"color: blue\">&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">customSubConfig<\/span><span style=\"color: blue\">&gt;\r\n            &lt;\/<\/span><span style=\"color: #a31515\">customSubConfig<\/span><span style=\"color: blue\">&gt;\r\n          &lt;\/<\/span><span style=\"color: #a31515\">customConfig<\/span><span style=\"color: blue\">&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">add<\/span><span style=\"color: blue\">&gt;\r\n        &lt;!-- <\/span><span style=\"color: green\">Saml11SecurityTokenHandler and Saml2SecurityTokenHandler have specific custom \r\n           configuration. 
This is optional and can be used to change the \r\n           default settings for any of these.\r\n           \r\n           &lt;samlSecurityTokenRequirement&gt; element can appear as child element\r\n           for a Saml11SecurityTokenHandler or Saml2SecurityTokenHandler or a derived class\r\n           of any of these. \r\n           \r\n           ATTRIBUTES\r\n           \r\n           issuerCertificateValidationMode -  X509CertificateValidationMode value that specifies \r\n           the validation mode to use for the X.509 certificate. The default value is PeerOrChainTrust. \r\n       \r\n           issuerCertificateRevocationMode -  X509CertificateRevocationMode type that specifies the revocation mode \r\n           to use for the X.509 certificate. The default value is Online.\r\n\r\n           issuerCertificateTrustedStoreLocation - X509TrustedStoreLocation type that specifies the X.509 certificate \r\n           store. The default value is LocalMachine. \r\n           \r\n           issuerCertificateValidator - A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.\r\n           If the certificateValidationMode attribute is &quot;Custom&quot;, an instance of this type will be used for issuer certificate validation.\r\n\r\n           mapToWindows - Boolean - Default is false. Specifies whether the\r\n           token handler should map the validating token to a Windows account\r\n           by using the incoming UPN claim.\r\n\r\n           useWindowsTokenService - Boolean - Default is false. Specifies whether\r\n           the token handler should utilize the Windows Token Service to perform\r\n           the log on operation for the mapToWindows feature.           
\r\n           <\/span><span style=\"color: blue\">--&gt;\r\n        \r\n        &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel<\/span>&quot;<span style=\"color: blue\">&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">samlSecurityTokenRequirement <\/span><span style=\"color: red\">issuerCertificateValidationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">PeerOrChainTrust<\/span>&quot;\r\n                                        <span style=\"color: red\">issuerCertificateRevocationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Online<\/span>&quot;\r\n                                        <span style=\"color: red\">issuerCertificateTrustedStoreLocation<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">LocalMachine<\/span>&quot;\r\n                                        <span style=\"color: red\">mapToWindows<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">false<\/span>&quot;\r\n                                        <span style=\"color: red\">useWindowsTokenService<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">false<\/span>&quot;<span style=\"color: blue\">&gt;\r\n\r\n            &lt;!-- <\/span><span style=\"color: green\">&lt;nameClaimType&gt; specifies the claim type that specifies the \r\n               IIdentity.Name. The value is used to search for a Claim in \r\n               the SubjectCollection returned by SecurityTokenHandler.ValidateToken\r\n               and the value of the Claim is set as the name of the IIdentity \r\n               generated from this token handler. 
\r\n               \r\n               ATTRIBUTES\r\n               \r\n               value - URI that specifies the name claim type.\r\n               <\/span><span style=\"color: blue\">--&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">nameClaimType <\/span><span style=\"color: red\">value<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n            &lt;!-- <\/span><span style=\"color: green\">&lt;roleClaimType&gt; specifies the set of claim type that defines the\r\n               role type claims in the SubjectCollection created SecurityTokenHandler.\r\n               ValidateToken. \r\n               <\/span><span style=\"color: blue\">--&gt;\r\n            &lt;<\/span><span style=\"color: #a31515\">roleClaimType <\/span><span style=\"color: red\">value<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">schemas.microsoft.com\/ws\/2006\/04\/identity\/claims\/role<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n          &lt;\/<\/span><span style=\"color: #a31515\">samlSecurityTokenRequirement<\/span><span style=\"color: blue\">&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">add<\/span><span style=\"color: blue\">&gt;\r\n        \r\n        &lt;!-- <\/span><span style=\"color: green\">MembershipUserNameSecurityTokenHandler has specific custom \r\n           configuration. 
\r\n           \r\n           &lt;usernameSecurityTokenHandlerRequirement&gt; element can appear as child element\r\n           for a MembershipUserNameSecurityTokenHandler.\r\n           \r\n           membershipProviderName - Specifies the name of the MembershipProvider that should be used\r\n           by this SecurityTokenHandler; it is an attribute of\r\n           &lt;usernameSecurityTokenHandlerRequirement&gt;\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        \r\n        &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.MembershipUserNameSecurityTokenHandler, Microsoft.IdentityModel<\/span>&quot;<span style=\"color: blue\">&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">userNameSecurityTokenHandlerRequirement <\/span><span style=\"color: red\">membershipProviderName<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">AspNetSqlProvider<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">add<\/span><span style=\"color: blue\">&gt;\r\n\r\n        &lt;!-- <\/span><span style=\"color: green\">X509SecurityTokenHandler has specific custom configuration.\r\n           \r\n           &lt;x509SecurityTokenHandlerRequirement&gt; element can appear as child element\r\n           for an X509SecurityTokenHandler.\r\n           \r\n           ATTRIBUTES\r\n           \r\n           mapToWindows - boolean value that specifies if the X.509 Certificate being\r\n           validated should be mapped to a Windows account. Default value is false.\r\n\r\n           certificateValidationMode -  X509CertificateValidationMode value that specifies \r\n           the validation mode to use for the X.509 certificate. The default value is PeerOrChainTrust. 
\r\n       \r\n           revocationMode -  X509CertificateRevocationMode type that specifies the revocation mode \r\n           to use for the X.509 certificate. The default value is Online.\r\n\r\n           trustedStoreLocation - X509TrustedStoreLocation type that specifies the X.509 certificate \r\n           store. The default value is LocalMachine. \r\n           \r\n           certificateValidator - A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.\r\n           If the certificateValidationMode attribute is &quot;Custom&quot;, an instance of this type will be used by this handler for certificate validation.\r\n            \r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel<\/span>&quot;<span style=\"color: blue\">&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">x509SecurityTokenHandlerRequirement <\/span><span style=\"color: red\">mapToWindows<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot; \r\n                                               <span style=\"color: red\">certificateValidationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">PeerOrChainTrust<\/span>&quot; \r\n                                               <span style=\"color: red\">revocationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Online<\/span>&quot; \r\n                                               <span style=\"color: red\">trustedStoreLocation<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">LocalMachine<\/span>&quot;\r\n                                               <span style=\"color: red\">useWindowsTokenService<\/span><span 
style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;<span style=\"color: blue\">\/&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">add<\/span><span style=\"color: blue\">&gt;\r\n\r\n          &lt;!--\r\n              <\/span><span style=\"color: green\">&lt;sessionTokenRequirement&gt; element can appear as a child element for a\r\n              SessionSecurityTokenHandler.\r\n              \r\n              ATTRIBUTES\r\n              \r\n              lifetime - TimeSpan - lifetime of session tokens\r\n              \r\n              saveBootstrapTokens - boolean value that specifies if bootstrap tokens should be included\r\n              in the session token\r\n              \r\n              securityTokenCacheSize - Integer - maximum number of entries in the security token cache\r\n              \r\n              securityTokenCacheType - String - references a custom type which must be derived from SecurityTokenCache\r\n              \r\n              useWindowsTokenService - boolean value that specifies whether WindowsLogon tokens should be mapped to Windows\r\n              accounts\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n        \r\n        &lt;<\/span><span style=\"color: #a31515\">add <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel<\/span>&quot;<span style=\"color: blue\">&gt;         \r\n          &lt;<\/span><span style=\"color: #a31515\">sessionTokenRequirement <\/span><span style=\"color: red\">securityTokenCacheType<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Microsoft.IdentityModel.MruSecurityTokenCache, Microsoft.IdentityModel<\/span>&quot;\r\n                                    <span style=\"color: red\">saveBootstrapTokens<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: 
blue\">true<\/span>&quot;\r\n                                    <span style=\"color: red\">securityTokenCacheSize<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">500<\/span>&quot;\r\n                                    <span style=\"color: red\">useWindowsTokenService<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">false<\/span>&quot;\r\n                                    <span style=\"color: red\">lifetime<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">10:00<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">add<\/span><span style=\"color: blue\">&gt;\r\n\r\n      &lt;\/<\/span><span style=\"color: #a31515\">securityTokenHandlers<\/span><span style=\"color: blue\">&gt;\r\n\r\n      &lt;!--\r\n            <\/span><span style=\"color: green\">&lt;certificateValidation&gt; controls the settings that token handlers will use to validate certificates, \r\n            unless those handlers have their own validators set.\r\n            \r\n           ATTRIBUTES\r\n\r\n           certificateValidationMode -  X509CertificateValidationMode value that specifies \r\n           the validation mode to use for the X.509 certificate. The default value is PeerOrChainTrust. \r\n       \r\n           revocationMode -  X509CertificateRevocationMode type that specifies the revocation mode \r\n           to use for the X.509 certificate. The default value is Online.\r\n\r\n           trustedStoreLocation - X509TrustedStoreLocation type that specifies the X.509 certificate \r\n           store. The default value is LocalMachine. 
\r\n           \r\n           certificateValidator - A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.\r\n           If the certificateValidationMode attribute is &quot;Custom&quot;, an instance of this type will be used by underlying handlers for certificate validation.\r\n            \r\n      <\/span><span style=\"color: blue\">--&gt;\r\n\r\n      &lt;<\/span><span style=\"color: #a31515\">certificateValidation <\/span><span style=\"color: red\">certificateValidationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">PeerOrChainTrust<\/span>&quot;\r\n                             <span style=\"color: red\">revocationMode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Online<\/span>&quot;\r\n                             <span style=\"color: red\">trustedStoreLocation<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">LocalMachine<\/span>&quot; <span style=\"color: blue\">&gt;\r\n        \r\n        &lt;!--\r\n           <\/span><span style=\"color: green\">&lt;certificateValidator&gt; allows for a custom type to be specified for certificate validation.\r\n           This type will only be used if the certificateValidationMode is set to &quot;Custom&quot;\r\n           \r\n           Type - A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.\r\n           This validator will be used by the default SecurityTokenHandler instances, unless those have their own validators set.\r\n\r\n      <\/span><span style=\"color: blue\">--&gt;\r\n        \r\n        &lt;<\/span><span style=\"color: #a31515\">certificateValidator <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">CustomType<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n        \r\n      &lt;\/<\/span><span style=\"color: #a31515\">certificateValidation<\/span><span style=\"color: 
blue\">&gt;\r\n      \r\n      &lt;!-- <\/span><span style=\"color: green\">&lt;maximumClockSkew&gt; Controls the maximum allowed clock skew when \r\n         performing time-sensitive operations such as validating the expiration\r\n         time of a sign-in session. Defaults to 5 minutes.\r\n         <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">maximumClockSkew <\/span><span style=\"color: red\">value<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">00:05:00<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n      &lt;!-- \r\n           <\/span><span style=\"color: green\">&lt;serviceCertificate&gt; controls the certificate used for token \r\n           decryption. In the case of an Information Card relying party, this\r\n           should be the SSL certificate of the web site.\r\n\r\n           Any certificate that is identified must have a private key and the \r\n           private key must have appropriate access control permissions so that\r\n           it may be read by the application pool identity.\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">serviceCertificate<\/span><span style=\"color: blue\">&gt;\r\n        &lt;!-- \r\n             <\/span><span style=\"color: green\">&lt;certificateReference&gt;, See the comments \r\n             before the &lt;configuration&gt; element on certificate references.\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">certificateReference <\/span><span style=\"color: red\">x509FindType<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">FindByThumbprint<\/span>&quot;\r\n                              <span style=\"color: red\">findValue<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">97249e1a5fa6bee5e515b82111ef524a4c91583f<\/span>&quot;\r\n                            
  <span style=\"color: red\">storeLocation<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">LocalMachine<\/span>&quot;\r\n                              <span style=\"color: red\">storeName<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">My<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n      &lt;\/<\/span><span style=\"color: #a31515\">serviceCertificate<\/span><span style=\"color: blue\">&gt;\r\n\r\n      &lt;!--\r\n         <\/span><span style=\"color: green\">&lt;federatedAuthentication&gt; contains all the settings used by the \r\n         ASP.NET modules. \r\n\r\n         ATTRIBUTES\r\n\r\n         enabled - Boolean - default false\r\n           Controls whether the module added to the ASP.NET pipeline is \r\n           enabled so that it actively processes each request. The specific \r\n           task each module might do depends on the module that is added\r\n           in the pipeline.\r\n     <\/span><span style=\"color: blue\">--&gt;\r\n\r\n      &lt;<\/span><span style=\"color: #a31515\">federatedAuthentication<\/span><span style=\"color: blue\">&gt;\r\n\r\n        &lt;!--\r\n           <\/span><span style=\"color: green\">&lt;wsFederation&gt; defines parameter settings for WS-FEDERATION protocol STS.\r\n           This affects the settings for the WSFederationAuthenticationModule.\r\n           \r\n           ATTRIBUTES\r\n           \r\n           Parameters for WS-Federation\r\n             authenticationType - String - default &quot;&quot;\r\n               The request wauth type\r\n             \r\n             freshness - Float - default &quot;&quot;\r\n               The value of the required freshness.\r\n               \r\n             homeRealm - String - default &quot;&quot;\r\n               The home realm of the IdentityProvider\r\n               \r\n             issuer - String - default &quot;&quot;\r\n               The URI of the token issuer.\r\n               \r\n         
    policy - String - default &quot;&quot;\r\n               The URI of the relevant policy.\r\n               \r\n             realm - String - default &quot;&quot;\r\n               The URI of the requesting realm.\r\n               \r\n             reply - String - default &quot;&quot;\r\n               The URI of the address to reply to.\r\n               \r\n             request - String - default &quot;&quot;\r\n               The URI of the WS-FEDERATION request.\r\n               \r\n             requestPtr - String - default &quot;&quot;\r\n               The URI of the WS-FEDERATION request pointer.\r\n               \r\n             resource - String - default &quot;&quot;\r\n               The URI of the WS-FEDERATION resource value.\r\n           \r\n           requireHttps - Boolean - default true\r\n           Controls whether the module will only redirect to a secure (HTTPS) URL for the STS.\r\n           \r\n           passiveRedirectEnabled - Boolean - default false\r\n           Controls whether the module is enabled to automatically redirect\r\n           unauthorized requests to an STS.\r\n\r\n           persistentCookiesOnPassiveRedirects - Boolean - default false           \r\n           Specifies whether persistent cookies are issued when the module is enabled to initiate WS-Federation passive protocol redirects.\r\n\r\n           signInQueryString - String - default &quot;&quot;\r\n           Application-defined parameters for the sign-in request URL\r\n           \r\n           signOutQueryString - String - default &quot;&quot;\r\n           Application-defined parameters for the sign-out request URL\r\n           \r\n           signOutReply - String - default &quot;&quot;\r\n           URL to return to following sign-out.\r\n           \r\n           \r\n        <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">wsFederation <\/span><span style=\"color: red\">authenticationType<\/span><span style=\"color: 
blue\">=<\/span>&quot;<span style=\"color: blue\">wauth<\/span>&quot;\r\n                     <span style=\"color: red\">freshness<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">45<\/span>&quot;\r\n                     <span style=\"color: red\">homeRealm<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/homeRealm<\/span>&quot;\r\n                     <span style=\"color: red\">issuer<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">i<\/span>&quot;\r\n                     <span style=\"color: red\">policy<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/policy<\/span>&quot;\r\n                     <span style=\"color: red\">realm<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/realm<\/span>&quot;\r\n                     <span style=\"color: red\">reply<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/reply<\/span>&quot;\r\n                     <span style=\"color: red\">request<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/request<\/span>&quot;\r\n                     <span style=\"color: red\">requestPtr<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/requestPtr<\/span>&quot;\r\n                     <span style=\"color: red\">resource <\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/resource<\/span>&quot;\r\n                     <span style=\"color: red\">requireHttps<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;\r\n                     <span style=\"color: red\">passiveRedirectEnabled<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;\r\n                     <span style=\"color: red\">persistentCookiesOnPassiveRedirects<\/span><span 
style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;\r\n                     <span style=\"color: red\">signInQueryString<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">abc=xyz<\/span>&quot;\r\n                     <span style=\"color: red\">signOutQueryString<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">def=uvw<\/span>&quot;\r\n                     <span style=\"color: red\">signOutReply<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">http:\/\/signoutreply<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n        &lt;!--\r\n           <\/span><span style=\"color: green\">&lt;cookieHandler&gt; controls the CookieHandler, which is responsible for \r\n           reading and writing raw cookies at the HTTP protocol level. \r\n           SessionAuthenticationModule uses the cookieHandler to read and write\r\n           cookies.\r\n\r\n           MODES\r\n\r\n           Default (default)\r\n             The same as Chunked.\r\n\r\n           Chunked\r\n             Uses an instance of the ChunkedCookieHandler class. This cookie \r\n             handler ensures that individual cookies do not exceed a set maximum\r\n             size. It accomplishes that by potentially &quot;chunking&quot; one logical \r\n             cookie into a number of on-the-wire cookies.\r\n\r\n           Custom\r\n             Uses an instance of a custom CookieHandler-derived class, referenced\r\n             by the &lt;customCookieHandler&gt; element.\r\n             \r\n           ATTRIBUTES\r\n         \r\n           domain - String - default &quot;&quot;\r\n             The domain value for any cookies written.\r\n\r\n           hideFromScript - Boolean - default true\r\n             Controls whether the &quot;HttpOnly&quot; flag is emitted for any cookies \r\n             written. 
Certain web browsers honor this flag by keeping client-side\r\n             script from accessing the cookie value.\r\n\r\n           name - String - default &quot;FedAuth&quot;\r\n             Controls the base name for any cookies written.\r\n\r\n           path - String - default is HttpRuntime.AppDomainAppVirtualPath\r\n             Controls the path value for any cookies written. \r\n\r\n           requireSsl - Boolean - default false\r\n             Controls whether the &quot;Secure&quot; flag is emitted for any cookies \r\n             written. If this value is set, the sign-in session cookies \r\n             will only be available over HTTPS.\r\n        <\/span><span style=\"color: blue\">--&gt;\r\n        &lt;<\/span><span style=\"color: #a31515\">cookieHandler <\/span><span style=\"color: red\">mode<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">Custom<\/span>&quot;\r\n                       <span style=\"color: red\">domain<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">.example.com<\/span>&quot;\r\n                       <span style=\"color: red\">hideFromScript<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;\r\n                       <span style=\"color: red\">name<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">FedAuth<\/span>&quot;\r\n                       <span style=\"color: red\">path<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">\/<\/span>&quot;\r\n                       <span style=\"color: red\">requireSsl<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">true<\/span>&quot;\r\n                       <span style=\"color: red\">persistentSessionLifetime<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">60<\/span>&quot;<span style=\"color: blue\">&gt;\r\n          &lt;!--\r\n             <\/span><span style=\"color: 
green\">&lt;chunkedCookieHandler&gt; may only be present if the cookieHandler\/@mode\r\n             is Default or Chunked. It controls the ChunkedCookieHandler.\r\n             \r\n             ATTRIBUTES\r\n\r\n             chunkSize - Int32 - default 2000\r\n               The maximum size in characters of the HTTP cookie data for any \r\n               one HTTP cookie. Care must be taken when adjusting the chunk size. \r\n               Web browsers have different limits on the size of cookies and number\r\n               per domain. The original Netscape specification stipulated these \r\n               limits: 300 cookies total, 4096 bytes per cookie header (including \r\n               metadata, not just the cookie value), and 20 cookies per domain. \r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">chunkedCookieHandler <\/span><span style=\"color: red\">chunkSize<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">2000<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n\r\n          &lt;!--\r\n             <\/span><span style=\"color: green\">&lt;customCookieHandler&gt; may only be present if the cookieManager\/@mode\r\n             is Custom. It references a custom type which must be derived from \r\n             CookieHandler. 
See the comments before the &lt;configuration&gt; element on\r\n             custom type references.\r\n          <\/span><span style=\"color: blue\">--&gt;\r\n          &lt;<\/span><span style=\"color: #a31515\">customCookieHandler <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomCookieHandler, MyAssembly<\/span>&quot; <span style=\"color: blue\">\/&gt;\r\n        &lt;\/<\/span><span style=\"color: #a31515\">cookieHandler<\/span><span style=\"color: blue\">&gt;\r\n\r\n      &lt;\/<\/span><span style=\"color: #a31515\">federatedAuthentication<\/span><span style=\"color: blue\">&gt;\r\n\r\n      &lt;!-- \r\n          <\/span><span style=\"color: green\">claimsAuthenticationManager - Registers an Authentication Manager for the incoming\r\n          claims. A ClaimsAuthenticationManager that echoes the incoming claims is provided \r\n          through SimpleClaimsAuthenticationManager. The &lt;claimsAuthenticationManager&gt; element\r\n          can be used to register other custom types as well. The element does not provide\r\n          a mechanism to add any custom configuration for the defined types.\r\n      <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">claimsAuthenticationManager <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomClaimsAuthenticationManager, MyAssembly<\/span>&quot;<span style=\"color: blue\">\/&gt;\r\n\r\n      &lt;!-- \r\n          <\/span><span style=\"color: green\">claimsAuthorizationManager - Registers an Authorization Manager for the incoming\r\n          claims. 
\r\n      <\/span><span style=\"color: blue\">--&gt;\r\n      &lt;<\/span><span style=\"color: #a31515\">claimsAuthorizationManager <\/span><span style=\"color: red\">type<\/span><span style=\"color: blue\">=<\/span>&quot;<span style=\"color: blue\">MyNamespace.CustomClaimsAuthorizationManager, MyAssembly<\/span>&quot;<span style=\"color: blue\">\/&gt;\r\n\r\n    &lt;\/<\/span><span style=\"color: #a31515\">service<\/span><span style=\"color: blue\">&gt;\r\n  &lt;\/<\/span><span style=\"color: #a31515\">microsoft.identityModel<\/span><span style=\"color: blue\">&gt;\r\n&lt;\/<\/span><span style=\"color: #a31515\">configuration<\/span><span style=\"color: blue\">&gt;\r\n<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>During the WIF workshops I get various recurring questions: some have open-ended answers which would satisfy my logorrhea but that require A LOT of time to write, others are just&#8230;<\/p>\n","protected":false},
"author":1,"featured_media":1375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[9,5,4],"tags":[],"class_list":["post-360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-identity","category-wif","category-windows-identity-foundation"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":0,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/1375"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}