SamlSecurityTokenHandler.CreateConditions Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Creates the conditions for the assertion.
protected:
virtual System::IdentityModel::Tokens::SamlConditions ^ CreateConditions(System::IdentityModel::Protocols::WSTrust::Lifetime ^ tokenLifetime, System::String ^ relyingPartyAddress, System::IdentityModel::Tokens::SecurityTokenDescriptor ^ tokenDescriptor);
protected virtual System.IdentityModel.Tokens.SamlConditions CreateConditions (System.IdentityModel.Protocols.WSTrust.Lifetime tokenLifetime, string relyingPartyAddress, System.IdentityModel.Tokens.SecurityTokenDescriptor tokenDescriptor);
abstract member CreateConditions : System.IdentityModel.Protocols.WSTrust.Lifetime * string * System.IdentityModel.Tokens.SecurityTokenDescriptor -> System.IdentityModel.Tokens.SamlConditions
override this.CreateConditions : System.IdentityModel.Protocols.WSTrust.Lifetime * string * System.IdentityModel.Tokens.SecurityTokenDescriptor -> System.IdentityModel.Tokens.SamlConditions
Protected Overridable Function CreateConditions (tokenLifetime As Lifetime, relyingPartyAddress As String, tokenDescriptor As SecurityTokenDescriptor) As SamlConditions
Parameters
- tokenLifetime
- Lifetime
The lifetime of the token.
- relyingPartyAddress
- String
The endpoint address for which the token is created. The address is modeled as an AudienceRestriction condition.
- tokenDescriptor
- SecurityTokenDescriptor
The token descriptor.
Returns
A SamlConditions object that contains the conditions for the assertion.
Remarks
Generally, conditions should be included in assertions to limit the impact of misuse of the assertion. Specifying the NotBefore and NotOnOrAfter conditions can limit the period of vulnerability in the case of a compromised assertion. The AudienceRestrictionCondition can be used to explicitly state the intended relying party or parties of the assertion, which coupled with appropriate audience restriction enforcement at relying parties can help to mitigate spoofing attacks between relying parties.
The default implementation creates NotBefore and NotOnOrAfter conditions based on the Lifetime property of the tokenDescriptor
. It will also generate an AudienceRestrictionCondition limiting consumption of the assertion to the AppliesToAddress property of the tokenDescriptor
.