How to: Configure a Local Issuer
This topic describes how to configure a client to use a local issuer for issued tokens.
Often, when a client communicates with a federated service, the service specifies the address of the security token service that is expected to issue the token the client will use to authenticate itself to the federated service. In certain situations, the client may be configured to use a local issuer.
Windows Communication Foundation (WCF) uses a local issuer in cases where the issuer address of a federated binding is http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous or null. In such cases, you must configure the ClientCredentials with the address of the local issuer and the binding to use to communicate with that issuer.
If the SupportInteractive property of the ClientCredentials class is set to true, a local issuer address is not specified, and the issuer address specified by the wsFederationHttpBinding element or other federated binding is http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self, http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous, or is null, then the Windows CardSpace issuer is used.
To configure the local issuer in code
Create a variable of type IssuedTokenClientCredential.
Set the variable to the instance returned from the IssuedToken property of the ClientCredentials class. That instance is returned by the ClientCredentials property of the client (inherited from ClientBase) or the Credentials property of the ChannelFactory:
Alternatively, create a new Uri instance as an argument to the constructor.
itcc.LocalIssuerAddress = new EndpointAddress(new Uri("http://fabrikam.com/sts"), addressHeaders);
The addressHeaders parameter is an array of AddressHeader instances, as shown.
Set the binding for the local issuer using the LocalIssuerBinding property.
Optional. Add configured endpoint behaviors for the local issuer by adding such behaviors to the collection returned by the LocalIssuerChannelBehaviors property.
To configure the local issuer in configuration
Set the address attribute to the address of the local issuer that will accept token requests.
Set the binding and bindingConfiguration attributes to values that reference the appropriate binding to use when communicating with the local issuer endpoint.
Optional. Set the <identity> element as a child of the <localIssuer> element and specify identity information for the local issuer.
Optional. Set the <headers> element as a child of the <localIssuer> element and specify additional headers that are required in order to correctly address the local issuer.
Note that if an issuer address and binding are specified for a given binding, the local issuer is not used for endpoints that use that binding. Clients who expect to always use the local issuer should ensure that they do not use such a binding or that they modify the binding so that the issuer address is null.
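The code procedure and the closing note, combined in one sketch. This is an added example, not code from the original topic. It sets the local issuer on a channel factory only after confirming that the federated binding leaves the issuer address null or anonymous, so the local issuer is actually used. The LocalIssuerSetup class, its method names, and the address header name, namespace and value are hypothetical; the issuer URI is the one used in the snippet above.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Added example: LocalIssuerSetup and its members are hypothetical names.
public static class LocalIssuerSetup
{
    // True when WCF falls back to the local issuer for this binding:
    // the binding's issuer address is null or the anonymous address.
    public static bool UsesLocalIssuer(WSFederationHttpBinding binding)
    {
        EndpointAddress issuer = binding.Security.Message.IssuerAddress;
        return issuer == null || issuer.IsAnonymous;
    }

    // Applies the steps of the code procedure to a channel factory.
    // issuerBinding is whatever binding the local issuer endpoint expects.
    public static void Configure(ChannelFactory factory, Binding issuerBinding)
    {
        // WS2007FederationHttpBinding derives from WSFederationHttpBinding,
        // so this cast covers both federated HTTP bindings.
        var federated = factory.Endpoint.Binding as WSFederationHttpBinding;
        if (federated == null || !UsesLocalIssuer(federated))
        {
            // The binding names its own issuer, so the settings below
            // would be ignored for endpoints that use it.
            throw new InvalidOperationException(
                "Binding specifies an issuer address; the local issuer is not used.");
        }

        // Get the IssuedTokenClientCredential from the factory's credentials.
        IssuedTokenClientCredential itcc = factory.Credentials.IssuedToken;

        // Constructed sample header; use the headers your issuer requires.
        AddressHeader[] addressHeaders =
        {
            AddressHeader.CreateAddressHeader(
                "tenant", "http://example.org/headers", "sample-value")
        };

        // Address and binding used to reach the local issuer.
        itcc.LocalIssuerAddress = new EndpointAddress(
            new Uri("http://fabrikam.com/sts"), addressHeaders);
        itcc.LocalIssuerBinding = issuerBinding;

        // Optional: itcc.LocalIssuerChannelBehaviors.Add(endpointBehavior);
    }
}
```

Call Configure before the factory is opened, because the client credentials can no longer be changed after that point.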