问题
In the Windows Identity Foundation (WIF) 4.5 config, what is the relationship between issuerNameRegistry and certificateValidation? What portion of a SAML 2.0 assertion is validated by each?
For example: the code & config below will verify that the issuer cert has the given thumbprint. But I assume a certificateValidationMode other than "None" will validate some additional details?
var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken( myxmlReader );
var identities = handlers.ValidateToken( token );
config:
<system.identityModel>
<identityConfiguration>
<securityTokenHandlers>
<securityTokenHandlerConfiguration>
<tokenReplayDetection enabled="true" />
<audienceUris>
<add value="https://localhost:1234/MyApp" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
<trustedIssuers>
<add thumbprint="1111111111111" name="http://some.domain/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None"/>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
Or are these just two alternatives to accomplish the same purpose (validating that the issuer hold a certificate that you trust).
回答1:
IssuerNameRegistry is a lookup table from Thumbprint to EntityID. Only Issuers in that table will be trusted.
CertificateValidationMode is additional on top of the table requirement. "None" is almost always the best setting. Because the trust is setup through metadata, normally not through chain trust to a CA. So ChainBuilding, CRL etc. is not relevant.
来源:https://stackoverflow.com/questions/28845076/wif-config-issuernameregistry-vs-certificatevalidation