Is SessionSecurityToken lifeTime the same as sessionTokenRequirement lifetime?

牧云@^-^@ submitted on 2019-12-22 12:38:33

Question


I'm migrating forms authentication in webforms across to Microsoft Identity.

When creating a SessionSecurityToken using a ClaimsPrincipal cp object, I have this code:

Dim token As New SessionSecurityToken(cp, TimeSpan.FromMinutes(30))

However, in web.config I also see this:

<configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<system.identityModel>
    <identityConfiguration>
        <securityTokenHandlers>
            <add type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
                <sessionTokenRequirement lifetime="00:30:00" /><!-- 30 minutes -->  
            </add>
        </securityTokenHandlers>
    </identityConfiguration>
</system.identityModel>

Are these the same thing? To prove I RTFM, sessionTokenRequirement lifetime is defined as:

Specifies the lifetime of session tokens.

SessionSecurityToken lifetime is defined as:

The period from the current time during which the token is valid. The ValidFrom property will be set to UtcNow and the ValidTo property will be set to ValidFrom plus the period specified by this parameter.

The former seems vague, so I'm not sure.


Answer 1:


In application federation or claims based authentication, there are two entities - Relying Party (RP) and Identity Provider (IdP).

In Microsoft world, ADFS would typically be the IdP, and your application that depends on ADFS for authentication would be the RP.

On authentication, IdP generates a claims token which is signed by IdP certificate. RP accepts this claims token - does various validation including that of digital signature using IdP's certificate. Upon successful validation of claims token, RP issues a session token in the form of a cookie. The default name of this cookie is FedAuth. SessionTokenRequirement lifetime parameter is associated with FedAuth token's lifetime.

SessionSecurityToken lifetime is associated with the lifetime of claims token issued by IdP.

Please refer: http://brockallen.com/2013/02/14/configuring-session-token-lifetime-in-wif-with-the-session-authentication-module-sam-and-thinktecture-identitymodel/

http://msdn.microsoft.com/en-us/library/hh568645(v=vs.110).aspx
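As an added illustration (not code from the question or the answer), the following VB.NET helper reads the lifetime that web.config sets on the SessionSecurityTokenHandler via sessionTokenRequirement, caps the lifetime passed to the SessionSecurityToken constructor at that configured value, and writes the resulting FedAuth cookie. It assumes the application runs under WIF's SessionAuthenticationModule; the module name SessionTokenHelper and the function names are my own.

```vb
' Added example (not from the question or the answer): keep the SessionSecurityToken
' lifetime in step with <sessionTokenRequirement lifetime="..."/> from web.config.
Imports System
Imports System.IdentityModel.Services
Imports System.IdentityModel.Tokens
Imports System.Security.Claims

Public Module SessionTokenHelper

    ' Returns the lifetime configured on the registered SessionSecurityTokenHandler,
    ' i.e. the value of <sessionTokenRequirement lifetime="..."/>. Falls back to the
    ' handler's built-in default when no handler has been registered.
    Public Function ConfiguredSessionLifetime() As TimeSpan
        Dim handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers
        Dim handler = TryCast(handlers(GetType(SessionSecurityToken)), SessionSecurityTokenHandler)
        If handler Is Nothing Then
            Return SessionSecurityTokenHandler.DefaultTokenLifetime
        End If
        Return handler.TokenLifetime
    End Function

    ' Creates the session token for an authenticated principal. The requested lifetime is
    ' never allowed to exceed the configured one, so a code change cannot silently extend
    ' sessions beyond what web.config permits.
    Public Sub IssueSessionCookie(cp As ClaimsPrincipal, requested As TimeSpan)
        Dim maxLifetime = ConfiguredSessionLifetime()
        Dim lifetime = requested
        If lifetime > maxLifetime Then lifetime = maxLifetime

        ' ValidFrom is set to UtcNow and ValidTo to ValidFrom + lifetime (per the documentation
        ' quoted in the question); the check below guards against an unexpected window.
        Dim token As New SessionSecurityToken(cp, lifetime)
        If token.ValidTo - token.ValidFrom <> lifetime Then
            Throw New InvalidOperationException("Unexpected session token validity window")
        End If

        ' Writes the FedAuth cookie that the answer describes.
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token)
    End Sub

End Module
```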



Source: https://stackoverflow.com/questions/27015996/is-sessionsecuritytoken-lifetime-the-same-as-sessiontokenrequirement-lifetime
