WIF config: issuerNameRegistry vs certificateValidation
Tags: WIF, issuerNameRegistry, certificateValidation

2023-09-03 04:36:30 Author: 房事轻吟

In the Windows Identity Foundation (WIF) 4.5 config, what is the relationship between issuerNameRegistry and certificateValidation? What portion of a SAML 2.0 assertion is validated by each?

For example: the code & config below will verify that the issuer cert has the given thumbprint. But I assume a certificateValidationMode other than "None" will validate some additional details?

var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken( myxmlReader );
var identities = handlers.ValidateToken( token );

Config:

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <securityTokenHandlerConfiguration>
          <tokenReplayDetection enabled="true" />
          <audienceUris>
            <add value="https://localhost:1234/MyApp" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
            <trustedIssuers>
              <add thumbprint="1111111111111" name="http://some.domain/adfs/services/trust" />
            </trustedIssuers>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None"/>
        </securityTokenHandlerConfiguration>
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>

Or are these just two alternatives to accomplish the same purpose (validating that the issuer holds a certificate that you trust)?

Accepted answer

IssuerNameRegistry is a lookup table from Thumbprint to EntityID. Only Issuers in that table will be trusted.

CertificateValidationMode is additional on top of the table requirement. "None" is almost always the best setting, because the trust is set up through metadata, normally not through chain trust to a CA, so ChainBuilding, CRL etc. are not relevant.
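An added example (not code from the question or the answer above) that separates the two checks the answer describes: a hypothetical IssuerNameRegistry doing the thumbprint-to-EntityID lookup that ConfigurationBasedIssuerNameRegistry performs, followed by whatever X509CertificateValidator the certificateValidationMode attribute selects. The thumbprint and issuer name are the constructed values from the question's config; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical registry: maps the signing certificate's thumbprint to the
// issuer name (EntityID), like ConfigurationBasedIssuerNameRegistry does.
// Returning null makes the SAML handler reject the token as an untrusted issuer.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Constructed entry mirroring the <trustedIssuers> element in the question.
    private static readonly Dictionary<string, string> Trusted =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "1111111111111", "http://some.domain/adfs/services/trust" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            return null;            // not signed with an X.509 key: not trusted

        string issuerName;
        return Trusted.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName)
            ? issuerName
            : null;                 // thumbprint not in the table: not trusted
    }
}

// The second, independent check that certificateValidationMode adds.
// "None" -> X509CertificateValidator.None (skip), "ChainTrust" -> build a chain
// to a trusted root CA, "PeerTrust" -> certificate must be in TrustedPeople.
public static class IssuerCertificateChecks
{
    public static bool IsTrustedIssuer(X509Certificate2 signingCert,
                                       X509CertificateValidator validator,
                                       out string issuerName)
    {
        // Step 1: thumbprint pinning through the registry (always applied).
        issuerName = new ThumbprintIssuerNameRegistry()
            .GetIssuerName(new X509SecurityToken(signingCert));
        if (issuerName == null)
            return false;

        // Step 2: the validator chosen by certificateValidationMode.
        try { validator.Validate(signingCert); }
        catch (SecurityTokenValidationException) { return false; }
        return true;
    }
}
```

Calling IsTrustedIssuer with X509CertificateValidator.None reproduces the question's config (thumbprint pinning only); passing X509CertificateValidator.ChainTrust shows what a non-"None" mode adds on top of the table lookup.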