How to: Configure Token Resolvers

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

A security token resolver is used to translate between a security key identifier and an actual security token. Typically, security key identifiers are sent on the wire because the tokens are known out of band.

To configure the token resolvers on a token handler, you must know what certificates will be used to sign the tokens or messages that the service expects to receive. Each token handler has two token resolvers:

  1. A Service Token Resolver, which stores a list of certificates that are known to the service, with regard to its own identity. These certificates are used to resolve the encryption token on incoming messages and tokens.

  2. An Issuer Token Resolver, which stores a list of certificates that are known to the service, with regard to issuers that the service trusts. These certificates are used to resolve the signing token on incoming security tokens and messages.

Token resolvers can’t be configured declaratively. The following code shows how to create and configure token resolvers programmatically.

using System.Collections.Generic;
using System.IdentityModel.Selectors;   // SecurityTokenResolver
using System.IdentityModel.Tokens;      // SecurityToken, X509SecurityToken
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;   // SecurityTokenHandlerCollection, X509CertificateStoreTokenResolver (WIF 3.5)

SecurityTokenHandlerCollection collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

// Create the service token resolver from the service certificate.
List<SecurityToken> serviceTokens = new List<SecurityToken>();
// serviceCertificate is an X509Certificate2 (carrying the private key needed to decrypt) that is assumed to have been loaded elsewhere.
serviceTokens.Add(new X509SecurityToken(serviceCertificate));
// canMatchLocalId = false: resolve only by key identifier (for example a thumbprint), never by a local wsu:Id reference.
SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);
collection.Configuration.ServiceTokenResolver = serviceResolver;

// Create an issuer token resolver that consults the trusted people store.
X509CertificateStoreTokenResolver certificateStoreIssuerResolver = new X509CertificateStoreTokenResolver(StoreName.TrustedPeople, StoreLocation.LocalMachine);
collection.Configuration.IssuerTokenResolver = certificateStoreIssuerResolver;
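The following is an added example, not code from the original topic or from the WIF documentation. It builds both resolvers from certificates looked up by thumbprint, using an explicit allow-list of issuer certificates instead of the whole TrustedPeople store, and then shows what resolution does at runtime: an incoming signing certificate's thumbprint either resolves to a configured token or is rejected. The class name TokenResolverSetup, the helper methods, and the PLACEHOLDER thumbprint values are assumptions; replace the placeholders with the values for your deployment.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // SecurityTokenResolver
using System.IdentityModel.Tokens;      // SecurityToken, X509SecurityToken, X509ThumbprintKeyIdentifierClause
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;   // SecurityTokenHandlerCollection (WIF 3.5)

public static class TokenResolverSetup
{
    // Placeholder thumbprints (assumed values, not from the original topic).
    private const string ServiceCertThumbprint = "PLACEHOLDER_SERVICE_THUMBPRINT";
    private static readonly string[] TrustedIssuerThumbprints = { "PLACEHOLDER_ISSUER_THUMBPRINT" };

    // Loads exactly one certificate by thumbprint from the given LocalMachine store.
    // validOnly = true makes Find skip expired or chain-invalid certificates.
    public static X509Certificate2 LoadFromStore(string thumbprint, StoreName storeName)
    {
        X509Store store = new X509Store(storeName, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one certificate with thumbprint " + thumbprint + ", found " + found.Count);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static SecurityTokenHandlerCollection Configure()
    {
        SecurityTokenHandlerCollection collection =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

        // Service resolver: only this service's own certificate. It must carry the private key,
        // otherwise encrypted tokens addressed to the service cannot be decrypted.
        X509Certificate2 serviceCertificate = LoadFromStore(ServiceCertThumbprint, StoreName.My);
        if (!serviceCertificate.HasPrivateKey)
            throw new InvalidOperationException("Service certificate has no private key.");
        List<SecurityToken> serviceTokens = new List<SecurityToken> { new X509SecurityToken(serviceCertificate) };
        collection.Configuration.ServiceTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);

        // Issuer resolver: an explicit allow-list of issuer certificates. Anything else in the
        // TrustedPeople store is not accepted as a signer of incoming tokens.
        List<SecurityToken> issuerTokens = new List<SecurityToken>();
        foreach (string thumbprint in TrustedIssuerThumbprints)
            issuerTokens.Add(new X509SecurityToken(LoadFromStore(thumbprint, StoreName.TrustedPeople)));
        collection.Configuration.IssuerTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(issuerTokens.AsReadOnly(), false);

        return collection;
    }

    // What the token handlers do with an incoming signature: the key identifier (here a thumbprint
    // reference) is resolved against the issuer resolver. An unknown thumbprint resolves to nothing,
    // which is the point at which a token from an untrusted signer is rejected.
    public static bool TryResolveIssuer(SecurityTokenHandlerCollection collection,
                                        X509Certificate2 signingCertificate,
                                        out X509Certificate2 resolved)
    {
        resolved = null;
        SecurityKeyIdentifierClause clause = new X509ThumbprintKeyIdentifierClause(signingCertificate);
        SecurityToken token;
        if (!collection.Configuration.IssuerTokenResolver.TryResolveToken(clause, out token))
            return false;
        resolved = ((X509SecurityToken)token).Certificate;
        return true;
    }
}
```

Building the issuer resolver from an explicit list, as above, narrows trust to the certificates you name; the X509CertificateStoreTokenResolver form in the topic's own sample instead trusts every certificate that ends up in the TrustedPeople store, so the choice between them depends on how tightly that store is controlled on the host.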