Specifies the type of key that is associated with a security token.
Assembly: System.IdentityModel (in System.IdentityModel.dll)
Members:
AsymmetricKey: Specifies that the key is an asymmetric key.
BearerKey: Specifies that the security token does not contain a proof-of-possession key.
SymmetricKey: Specifies that the key is a symmetric key.
In federation scenarios, an issued token is generally configured as an endorsing supporting token for message security between a client and the relying parties. However, when a Security Token Service (STS) issues a token with no key (BearerKey), WCF configures it as a SignedEncrypted supporting token, because WCF cannot endorse a signature without a key. This requires the issued token to be referenced from the message signature. WCF currently references it by the Wsu:Id attribute from the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd namespace.
If an issued token does not have such an attribute, the client throws a MessageSecurityException with the text "Element to sign must have id". This happens when a SAML 1.1 token is used as the issued token, because Wsu:Id is not defined in the SAML 1.1 specification.
To work around this, either use transport security with message credentials (for example, IssuedTokenOverTransport), or have the STS add the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd:Id attribute (Wsu:Id) to the issued token.
Note that if Wsu:Id is added directly to a SAML 1.1 token, the resulting XML does not comply with the SAML 1.1 specification. The alternative is to add Wsu:Id to the EncryptedData element that results from encrypting the issued token. This complies with the SAML 1.1 specification, because the EncryptedData element supports the Wsu:Id attribute.
So, to remain compliant with the specification, the bearer token must be encrypted by the STS.
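The two client-side bindings described above, as an added C# example that is not part of this reference page: the first configuration (message security with a bearer key) is the one that fails on a SAML 1.1 token without Wsu:Id, the second is the IssuedTokenOverTransport workaround. The STS address and the issuer binding (HTTPS with a UserName credential) are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BearerTokenBindings
{
    // Hypothetical STS endpoint; replace with the real issuer address.
    static readonly EndpointAddress Issuer =
        new EndpointAddress("https://sts.example.test/trust/13/usernamemixed");

    // How the client reaches the STS: HTTPS plus a UserName credential (an assumption).
    static Binding IssuerBinding()
    {
        var b = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }

    // Message security with a bearer token: WCF makes the token a SignedEncrypted
    // supporting token and must reference it from the signature by Wsu:Id. A SAML 1.1
    // assertion without Wsu:Id makes the client throw MessageSecurityException
    // ("Element to sign must have id").
    public static WS2007FederationHttpBinding MessageSecurityBearer()
    {
        var b = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        b.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        b.Security.Message.IssuerAddress = Issuer;
        b.Security.Message.IssuerBinding = IssuerBinding();
        return b;
    }

    // Workaround: transport security with message credentials (IssuedTokenOverTransport).
    // TLS supplies integrity and confidentiality, so the bearer token is not referenced
    // from a message signature and a SAML 1.1 assertion without Wsu:Id is accepted.
    public static WS2007FederationHttpBinding TransportWithMessageCredentialBearer()
    {
        var b = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        b.Security.Message.IssuerAddress = Issuer;
        b.Security.Message.IssuerBinding = IssuerBinding();
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }
}
```

Use the second binding with a ChannelFactory for the relying party's contract; the first is shown only to make the failing configuration explicit.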
Available since 3.0