How to: Perform Trust Management using FedUtil

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

This topic shows how to perform trust management using FedUtil. FedUtil is a tool for establishing trust from relying party (RP) applications to security token services (STSes). Trust management is about maintaining the trust relationships between RPs and their STSes. For more information about FedUtil, see FedUtil - Federation Utility for Establishing Trust from an RP to an STS.

How to Schedule Metadata Updates Using FedUtil

First, use FedUtil to establish trust from an ASP.NET or WCF relying party application to an existing STS, as described in Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil and Establishing Trust from a WCF Relying Party Service to an STS using FedUtil. Continue to the Summary page.


The Summary page includes a checkbox labeled “Schedule daily metadata updates for this application”. If you select it, FedUtil creates a scheduled task that runs at 12:00 AM every day. If you want the task to run more than once a day, edit its trigger in the Task Scheduler, which you can find in the Control Panel under Administrative Tools. If you have configured multiple RP applications with FedUtil, you will see one task per application.

The task retrieves the STS’s federation metadata and updates the application’s configuration with the updated metadata. If the STS signing certificate has changed, the task updates the issuerNameRegistry element in the application’s configuration. Keep in mind that the issuerNameRegistry element lists the signing certificates whose tokens the RP accepts, so this automatic update changes the RP’s trust decision: the account the task runs under needs write access to the configuration file, and the metadata location you supplied to FedUtil must be one you trust, because whatever signing certificate it advertises becomes a trusted issuer.
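As an added illustration of the check the scheduled task performs (this is example code written for this page, not FedUtil’s own implementation), the following Python script reads a signing KeyDescriptor from a federation metadata document, computes the certificate thumbprint the way Windows displays it (SHA-1 over the DER bytes), and rewrites the trustedIssuers list under issuerNameRegistry in a WIF 3.5 web.config only when the thumbprints actually differ. The metadata document, the web.config fragment, the issuer name http://sts.example.test/ and the certificate bytes are all constructed for the example; the certificate is a placeholder blob rather than a real X.509 DER encoding, which does not affect the thumbprint arithmetic.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

ISSUER_NAME = "http://sts.example.test/"          # constructed issuer name

# Constructed placeholder standing in for the DER bytes of the STS's new signing certificate.
NEW_SIGNING_CERT_DER = b"constructed-placeholder-for-new-sts-signing-cert-der"
EXPECTED_NEW_THUMBPRINT = hashlib.sha1(NEW_SIGNING_CERT_DER).hexdigest().upper()

# Thumbprint currently configured in the RP (constructed value, 40 hex digits).
OLD_THUMBPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed federation metadata in the shape an STS publishes: a signing KeyDescriptor
# carrying the certificate as base64 inside ds:X509Certificate (wrapped across lines, as real
# metadata often is).
FEDERATION_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{ISSUER_NAME}">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {base64.b64encode(NEW_SIGNING_CERT_DER).decode()}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""

# Constructed WIF 3.5 web.config fragment as FedUtil writes it for an ASP.NET RP.
WEB_CONFIG = f"""
<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="{OLD_THUMBPRINT}" name="{ISSUER_NAME}" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
"""


def signing_thumbprints(metadata_xml):
    """Return the SHA-1 thumbprints (upper-case hex) of every signing certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))  # strip line wrapping
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def _trusted_issuers_element(root):
    trusted = root.find("./microsoft.identityModel/service/issuerNameRegistry/trustedIssuers")
    if trusted is None:
        raise ValueError("web.config has no issuerNameRegistry/trustedIssuers element")
    return trusted


def trusted_thumbprints(web_config_xml, issuer_name):
    """Thumbprints the RP currently trusts for the given issuer name, sorted."""
    trusted = _trusted_issuers_element(ET.fromstring(web_config_xml))
    return sorted(e.get("thumbprint", "").upper()
                  for e in trusted.findall("add") if e.get("name") == issuer_name)


def update_issuer_name_registry(web_config_xml, issuer_name, thumbprints):
    """Replace the issuer's trusted thumbprints; returns (new_xml, changed).

    Supports several thumbprints at once so that an STS publishing both its old and its new
    certificate during a rollover keeps both trusted until it drops the old one.
    """
    root = ET.fromstring(web_config_xml)
    trusted = _trusted_issuers_element(root)
    wanted = sorted(t.upper() for t in thumbprints)
    if trusted_thumbprints(web_config_xml, issuer_name) == wanted:
        return web_config_xml, False            # nothing to do: leave the file untouched
    for stale in [e for e in trusted.findall("add") if e.get("name") == issuer_name]:
        trusted.remove(stale)
    for thumb in wanted:
        ET.SubElement(trusted, "add", {"thumbprint": thumb, "name": issuer_name})
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    new_cfg, changed = update_issuer_name_registry(
        WEB_CONFIG, ISSUER_NAME, signing_thumbprints(FEDERATION_METADATA))
    print("changed:", changed)
    print("trusted now:", trusted_thumbprints(new_cfg, ISSUER_NAME))
```

The script only rewrites the configuration when the set of thumbprints differs, which is the property you want from any scheduled updater: an unchanged STS must not cause a config write (and the application restart that follows it), and a changed STS must replace the old issuer entry rather than leave both lying around. Note that it trusts whatever the metadata says, exactly as the FedUtil task does; the metadata source, not this logic, is what keeps the trust decision honest.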

If the STS’s federation metadata changes shortly after the metadata update task has run, the change is not picked up until the task’s next scheduled run. If you cannot wait that long (for example, because the RP is already rejecting tokens signed with the STS’s new certificate, since its thumbprint is not yet in the issuerNameRegistry), run FedUtil and update the application’s configuration file manually. To see how to do this, see the section “Update Federation Metadata” in Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil or Establishing Trust from a WCF Relying Party Service to an STS using FedUtil.

Note that the task only refreshes the trusted issuer information. If the list of claims offered by the STS has changed, you’ll need to update the RP application’s configuration manually to change the claims it requests.

When the task runs, it creates a log file in the same folder as the RP application’s web.config file. The Task Scheduler shows whether the task succeeded or failed.