Export (0) Print
Expand All
Expand Minimize

SecurityKeyType Enumeration

Specifies the type of key that is associated with a security token.

Namespace:  System.IdentityModel.Tokens
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

public enum SecurityKeyType

Member nameDescription
AsymmetricKeySpecifies that the key is an asymmetric key.
BearerKeySpecifies that the security token does not contain a proof-of-possession key.
SymmetricKeySpecifies that the key is a symmetric key.

Use the SecurityKeyType enumeration to set the KeyType property.

The BearerKey field is used with the KeyType property.

In federation scenarios, an issued token is generally configured as an endorsing supporting token for message security between a client and the relying parties. However, when a Security Token Service (STS) issues a token with no key (BearerKey), WCF configures it as a SignedEncrypted supporting token (WCF cannot endorse without a key). This requires the issued token to be referenced in the signature. WCF currently uses the following: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Id as a reference mechanism (Wsu:Id).

If an issued token does not have such an attribute, on a client, a MessageSecurityException is thrown with the text "Element to sign must have id". This happens when a SAML 1.1 token is used as an issued token (the Wsu:Id is not defined in the SAML 1.1 specification).

To work around this situation, either use transport security with message credentials (for example, IssuedTokenOverTransport) or an STS must add the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Id (Wsu:Id) to the issued token.

Note that if the Wsu:Id is added to a SAML 1.1 token, the resulting XML does not comply to the SAML 1.1 specification. The alternative is to add a Wsu:Id to the EncryptedData which is a result of encrypting the issued token. This procedure complies with the SAML 1.1 specification, because the EncryptedData element supports the Wsu:Id attribute.

So to be compliant with the specification, the bearer token must be encrypted by the STS.

.NET Framework

Supported in: 4.6, 4.5, 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Show:
© 2014 Microsoft