SecurityKeyType SecurityKeyType SecurityKeyType SecurityKeyType Enum


Specifies the type of key that is associated with a security token.

public enum class SecurityKeyType
public enum SecurityKeyType
type SecurityKeyType = 
Public Enum SecurityKeyType


AsymmetricKey AsymmetricKey AsymmetricKey AsymmetricKey 1

Specifies that the key is an asymmetric key.

BearerKey BearerKey BearerKey BearerKey 2

Specifies that the security token does not contain a proof-of-possession key.

SymmetricKey SymmetricKey SymmetricKey SymmetricKey 0

Specifies that the key is a symmetric key.


Use the SecurityKeyType enumeration to set the KeyType property.

The BearerKey field is used with the KeyType property.

BearerKey Requires Wsu:Id or Transport Security with Message Credentials

In federation scenarios, an issued token is generally configured as an endorsing supporting token for message security between a client and the relying parties. However, when a Security Token Service (STS) issues a token with no key (BearerKey), WCF configures it as a SecurityTokenAttachmentMode supporting token (WCF cannot endorse without a key). This requires the issued token to be referenced in the signature. WCF currently uses the following: as a reference mechanism (Wsu:Id).

If an issued token does not have such an attribute, on a client, a MessageSecurityException is thrown with the text "Element to sign must have id". This happens when a SAML 1.1 token is used as an issued token (the Wsu:Id is not defined in the SAML 1.1 specification).

To work around this situation, either use transport security with message credentials (for example, AuthenticationMode) or an STS must add the (Wsu:Id) to the issued token.

Note that if the Wsu:Id is added to a SAML 1.1 token, the resulting XML does not comply to the SAML 1.1 specification. The alternative is to add a Wsu:Id to the EncryptedData which is a result of encrypting the issued token. This procedure complies with the SAML 1.1 specification, because the EncryptedData element supports the Wsu:Id attribute.

So to be compliant with the specification, the bearer token must be encrypted by the STS.

Applies to