This documentation is archived and is not being maintained.

<TokenIssuer> Element (WSE for Microsoft .NET) (1)

Specifies a trusted security token service.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)
      <Confidentiality> Element
        <KeyInfo> Element (WSE for Microsoft .NET) (1)
          <SecurityToken> Element
            <policyDocument> Element
              <policies> Element
                <Policy> Element (WSE for Microsoft .NET) (1)
                  <Integrity> Element
                    <TokenInfo> Element
                      <SecurityToken> Element




Child Elements


Parent Elements

Element Description

A text value is required. The text value is the URL for the security token service.

Use the <TokenIssuer> element to specify the security token service when using security tokens, such as a SecurityContextToken, that are issued from a security token service. For details about issuing and using security tokens, as outlined in the WS-SecureConversation specification, see Issuing Security Tokens. The value of the <TokenIssuer> element is the URL to the security token service.

When the <TokenIssuer> element is used to specify the Certificate Authority (CA) for an X.509 certificate, the value of the element is formatted differently than what appears in the Microsoft Management Console (MMC). The value that must be placed in the <TokenIssuer> element maps to the Issuer field that appears on the Details tab of the Certificates Snap-in within MMC. If you copy the value of the Issuer field from the MMC, the value has to be reversed prior to placement in the <TokenIssuer> element. For example, if the value of the Issuer field is CN=CertServer DC=corp DC=contoso DC=com, then the value that must be added to the <TokenIssuer> element is: DC=com DC=contoso DC=corp CN=CertServer.

The following code example defines a policy assertion named signed-body-sct that requires the digital signing of the <Body> element, timestamp header, and all addressing headers by a SecurityContextToken issued from the security token service. SOAP messages sent the endpoint must adhere to this policy assertion.

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="">
    <endpoint uri="">
        <request policy="#signed-body-sct" />
        <response policy="" />
        <!-- SOAP faults are signed using the original Security Context Token -->
        <fault policy="#signed-body-sct " />
  <policies xmlns:wsu=""
    <!--This policy requires that the body be signed with a
    <wsp:Policy wsu:Id="signed-body-sct">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:MessageParts xmlns:rp="" Dialect="">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>