UserNameSecurityTokenAuthenticator Class

Authenticates a UserNameSecurityToken security token.

Namespace:  System.IdentityModel.Selectors
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

public abstract class UserNameSecurityTokenAuthenticator : SecurityTokenAuthenticator

Derive from the UserNameSecurityTokenAuthenticator class and override ValidateUserNamePasswordCore to authenticate security tokens based on a user name and password.

The Windows Communication Foundation (WCF) ships with the following classes that provide support for authenticating UserNameSecurityToken security tokens.




CustomUserNameSecurityTokenAuthenticator: allows an application to provide a custom authentication scheme for user names and passwords. The authentication scheme is provided by a class deriving from the UserNamePasswordValidator class.


Authenticates the user name and password as a Windows account.

Most custom authentication schemes can use the CustomUserNameSecurityTokenAuthenticator class and implement a class that derives from the UserNamePasswordValidator class. However, if additional flexibility is needed, you can derive a class from the UserNameSecurityTokenAuthenticator class and override the ValidateUserNamePasswordCore method. In either case the override is responsible for verifying the password; the sample below only validates the format of the user name and issues claims without checking the password.

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel.Security;
using System.Text.RegularExpressions;

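namespace Microsoft.ServiceModel.Samples
{
    /// <summary>
    /// Sample <see cref="UserNameSecurityTokenAuthenticator"/> that accepts a user name only when it is
    /// shaped like an e-mail address whose domain is not on a block list, and then issues a Name claim.
    /// </summary>
    /// <remarks>
    /// SECURITY: this sample does not verify <c>password</c>; it demonstrates user-name format validation
    /// only. A production authenticator must check the password against a credential store (e.g. a salted
    /// PBKDF2 hash, compared in constant time) before issuing any claims. As written, any caller who presents
    /// a well-formed user name and a non-empty password is authenticated.
    /// </remarks>
    class MyTokenAuthenticator : UserNameSecurityTokenAuthenticator
    {
        // Pattern from the original sample, compiled once instead of per call. The third segment was
        // truncated in the published listing and is restored here so that the groups opened in the first
        // two segments close: "[" IPv4 "]" or dotted host labels, then a 2-4 letter TLD or 1-3 digit octet.
        // NOTE(review): "$" also matches before a trailing "\n"; use "\z" if a trailing newline must be rejected.
        private static readonly Regex EmailRegex = new Regex(
            @"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}" +
            @"\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\" +
            @".)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$");

        /// <summary>
        /// Domain block-list hook. The sample carries no list, so every domain is allowed; a real
        /// implementation should replace this with a normalized, case-insensitive lookup.
        /// </summary>
        /// <param name="domain">The part of the user name after '@'.</param>
        /// <returns>Always <c>false</c> in this sample.</returns>
        static bool IsRogueDomain(string domain)
        {
            return false;
        }

        /// <summary>
        /// Returns <c>true</c> when <paramref name="inputEmail"/> matches <see cref="EmailRegex"/>.
        /// A null input is reported as "not an e-mail" instead of throwing, so the caller can turn it into
        /// a token validation failure rather than a server fault.
        /// </summary>
        static bool IsEmail(string inputEmail)
        {
            if (inputEmail == null)
            {
                return false;
            }

            return EmailRegex.IsMatch(inputEmail);
        }

        /// <summary>
        /// Accepts the user name only if it is e-mail shaped and its domain is not blocked.
        /// Writes a diagnostic to the console on a format failure, as the original sample does.
        /// </summary>
        /// <param name="userName">The user name supplied in the token; may be null.</param>
        /// <returns><c>true</c> if the name may proceed to authentication.</returns>
        bool ValidateUserNameFormat(string userName)
        {
            if (!IsEmail(userName))
            {
                Console.WriteLine("Not a valid email");
                return false;
            }

            // '@' is excluded from both character classes of the pattern, so a matching name contains
            // exactly one '@' and the split yields exactly two parts.
            string[] parts = userName.Split('@');
            string domain = parts[1];
            return !IsRogueDomain(domain);
        }

        /// <summary>
        /// Called by WCF with the credentials carried in a UserNameSecurityToken. Validates the user-name
        /// format, requires a non-empty password, and returns a single never-expiring policy that grants a
        /// Name claim and a <see cref="GenericIdentity"/> for the user name.
        /// </summary>
        /// <param name="userName">User name from the token.</param>
        /// <param name="password">Password from the token. Its value is not verified by this sample.</param>
        /// <returns>A read-only collection holding one <see cref="UnconditionalPolicy"/>.</returns>
        /// <exception cref="SecurityTokenValidationException">
        /// The user name is null, not e-mail shaped, or in a blocked domain; or the password is null or empty.
        /// </exception>
        protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
        {
            if (!ValidateUserNameFormat(userName))
            {
                throw new SecurityTokenValidationException("Incorrect UserName format");
            }

            // Reject an absent password outright. This is NOT password verification (see the class remarks);
            // a real implementation verifies the password against a credential store at this point and throws
            // SecurityTokenValidationException on mismatch.
            if (string.IsNullOrEmpty(password))
            {
                throw new SecurityTokenValidationException("Password is required");
            }

            ClaimSet claimSet = new DefaultClaimSet(ClaimSet.System, new Claim(ClaimTypes.Name, userName, Rights.PossessProperty));
            List<IIdentity> identities = new List<IIdentity>(1);
            identities.Add(new GenericIdentity(userName));
            List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
            // DateTime.MaxValue means the policy itself never expires; any session or token lifetime must be
            // bounded by the binding/token settings rather than by this policy.
            policies.Add(new UnconditionalPolicy(ClaimSet.System, claimSet, DateTime.MaxValue.ToUniversalTime(), identities));
            return policies.AsReadOnly();
        }
    }

    /// <summary>
    /// An <see cref="IAuthorizationPolicy"/> that always grants: on evaluation it adds its issued claim set to
    /// the context and appends its identities to the context's "Identities" property.
    /// </summary>
    class UnconditionalPolicy : IAuthorizationPolicy
    {
        readonly string id = Guid.NewGuid().ToString();
        readonly ClaimSet issuer;
        readonly ClaimSet issuance;
        readonly DateTime expirationTime;
        readonly IList<IIdentity> identities;

        /// <summary>Creates a policy that issues <paramref name="issuance"/> on behalf of <paramref name="issuer"/>.</summary>
        /// <param name="issuer">Claim set describing the issuer; must not be null.</param>
        /// <param name="issuance">Claim set granted when the policy is evaluated; must not be null.</param>
        /// <param name="expirationTime">Reported through <see cref="ExpirationTime"/>; not enforced here.</param>
        /// <param name="identities">Identities to add to the evaluation context; may be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="issuer"/> or <paramref name="issuance"/> is null.</exception>
        public UnconditionalPolicy(ClaimSet issuer, ClaimSet issuance, DateTime expirationTime, IList<IIdentity> identities)
        {
            if (issuer == null)
            {
                throw new ArgumentNullException("issuer");
            }
            if (issuance == null)
            {
                throw new ArgumentNullException("issuance");
            }

            this.issuer = issuer;
            this.issuance = issuance;
            this.identities = identities;
            this.expirationTime = expirationTime;
        }

        /// <summary>Unique identifier of this policy instance, fixed at construction.</summary>
        public string Id
        {
            get { return this.id; }
        }

        /// <summary>The claim set describing who issued this policy.</summary>
        public ClaimSet Issuer
        {
            get { return this.issuer; }
        }

        /// <summary>The expiration time supplied at construction. Evaluate does not check it.</summary>
        public DateTime ExpirationTime
        {
            get { return this.expirationTime; }
        }

        /// <summary>
        /// Adds the issued claim set to <paramref name="evaluationContext"/> and appends this policy's
        /// identities to the context's "Identities" list, creating the list if absent.
        /// </summary>
        /// <param name="evaluationContext">The context being built for the current request.</param>
        /// <param name="state">Unused; this policy is stateless across evaluations.</param>
        /// <returns>Always <c>true</c>: the policy never asks to be re-evaluated.</returns>
        /// <exception cref="InvalidOperationException">
        /// Another policy stored a value that is not an <c>IList&lt;IIdentity&gt;</c> under "Identities".
        /// </exception>
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            evaluationContext.AddClaimSet(this, this.issuance);

            if (this.identities != null)
            {
                object value;
                IList<IIdentity> contextIdentities;
                if (!evaluationContext.Properties.TryGetValue("Identities", out value))
                {
                    contextIdentities = new List<IIdentity>(this.identities.Count);
                    evaluationContext.Properties.Add("Identities", contextIdentities);
                }
                else
                {
                    // The published listing lost this else branch; without it the list created above would be
                    // overwritten by the existing value.
                    contextIdentities = value as IList<IIdentity>;
                    if (contextIdentities == null)
                    {
                        // Fail loudly instead of a NullReferenceException on Add below.
                        throw new InvalidOperationException("EvaluationContext property 'Identities' is not an IList<IIdentity>.");
                    }
                }

                foreach (IIdentity identity in this.identities)
                {
                    contextIdentities.Add(identity);
                }
            }

            return true;
        }
    }
}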

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0