<knownCertificates>

Represents a collection of X.509 certificates that are provided to authenticate security credentials issued from a Security Token Service (STS).

Schema Hierarchy

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior> of <serviceBehaviors>
        <serviceCredentials>
          <issuedTokenAuthentication> of <serviceCredentials>
            <knownCertificates>

Syntax

<knownCertificates> 
      <add findValue="String"
         storeLocation="CurrentUser/LocalMachine"
          storeName=" CurrentUser/LocalMachine"
           x509FindType="FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindBySerialNumber/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier"/>
</knownCertificates>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements

Attributes

None.

Child Elements

Element Description

<add> of <knownCertificates>

Adds an X.509 certificate to the collection.

Parent Elements

Element Description

<issuedTokenAuthentication> of <serviceCredentials>

Specifies a token issued as a service credential.

Remarks

The issued token scenario has three stages. In the first stage, a client trying to access a service is referred to a secure token service. The secure token service then authenticates the client and subsequently issues the client a token, typically a Security Assertions Markup Language (SAML) token. The client then returns to the service with the token. The service examines the token for data that allows the service to authenticate the token and therefore the client. To authenticate the token, the certificate the secure token service uses must be known to the service.

The <issuedTokenAuthentication> of <serviceCredentials> element is the repository for any such secure token service certificates. To add certificates, use the <knownCertificates>. Insert an <add> of <knownCertificates> for each certificate, as shown in the following example.

<issuedTokenAuthentication>
   <knownCertificates>
      <add findValue="www.contoso.com" 
           storeLocation="LocalMachine" storeName="My" 
           X509FindType="FindBySubjectName" />
    </knownCertificates>
</issuedTokenAuthentication>

By default, the certificates must be obtained from a secure token service. These "known" certificates ensure that only legitimate clients can access a service.

To review conditions required for a client to be authenticated by a federated service, as well as more information on using this configuration element, see How to: Configure Credentials on a Federation Service. For more information about federated scenarios, see Federation and SAML.

For an example that shows how to populate the collection in configuration, see <add> of <knownCertificates>.

See Also

Reference

<add> of <knownCertificates>
<issuedTokenAuthentication> of <serviceCredentials>
<add> of <knownCertificates>
SamlSecurityTokenAuthenticator
AllowedAudienceUris
AudienceUriMode
KnownCertificates
X509CertificateTrustedIssuerElementCollection
X509CertificateTrustedIssuerElement
KnownCertificates

Other Resources

Security Behaviors in Windows Communication Foundation
How to: Configure Credentials on a Federation Service
Working with Certificates
Federation and SAML
Securing Services and Clients


© 2007 Microsoft Corporation. All rights reserved.
Last Published: 2010-01-05