Specifies service-level identity settings.
<system.identityModel>
  <identityConfiguration
    name=xs:string
    saveBootstrapContext=xs:boolean
    maximumClockSkew=TimeSpan >
  </identityConfiguration>
</system.identityModel>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes

| Attribute | Description |
|---|---|
| name | The name of the identity configuration section. You can use this name to reference a specific configuration section. If no |
| saveBootstrapContext | Specifies whether bootstrap tokens should be included in the session token. The value may also be set on a token handler collection by setting the |
| maximumClockSkew | A TimeSpan that specifies the maximum allowed clock skew when performing time-sensitive operations, such as validating the expiration time of a sign-in session. The default is 5 minutes, "00:05:00". For more information about how to specify TimeSpan values, see Timespan Values. The maximum clock skew may also be set on a token handler collection by setting the |
Child Elements

| Element | Description |
|---|---|
| <caches> | Registers the caches used for session tokens and token replay detection. Can be specified at the service level or on a security token handler collection. Optional. |
| <certificateValidation> | Controls the settings that token handlers use to validate certificates. Can be specified at the service level or on a security token handler collection. Optional. |
| <claimsAuthenticationManager> | Registers a claims authentication manager for the incoming claims. Optional. |
| <claimsAuthorizationManager> | Registers a claims authorization manager for the incoming claims. Optional. |
| <claimTypeRequired> | Specifies the set of required claims for incoming security tokens. Optional. |
| <securityTokenHandlers> | Specifies a collection of security token handlers. Zero or more collections of security token handlers can be specified. Optional. |
| <tokenReplayDetection> | Enables token replay detection and specifies the expiration time for tokens. Can be specified at the service level or on a security token handler collection. Optional. |

Parent Elements

| Element | Description |
|---|---|
| <system.identityModel> | Provides configuration for enabling Windows Identity Foundation (WIF) options in applications. |
Remarks

Multiple identity configurations may be defined, each with a unique name. The behavior is as follows:

- If no <identityConfiguration> element is specified, a default identity configuration is created at runtime and populated with default values.
- If a single <identityConfiguration> element is specified, it is the default identity configuration. It does not matter whether it is named or unnamed.
- If multiple <identityConfiguration> elements are specified, the unnamed element specifies the default identity configuration.

If you specify multiple <identityConfiguration> elements, one of them should be unnamed. The unnamed element will be the default identity configuration.
Some of the settings specified in the <identityConfiguration> element can be overridden by settings on a security token handler collection or by settings on individual security token handlers.
When you use the ClaimsPrincipalPermission class or the ClaimsPrincipalPermissionAttribute class to provide claims-based access control in your code, the identity configuration that is referenced by the <federationConfiguration> element configures the claims authorization manager and policy that are used to make authorization decisions. This is true even in scenarios that are not passive Web scenarios, for example Windows Communication Foundation (WCF) applications or applications that are not Web-based. If the application is not a passive Web application, the <claimsAuthorizationManager> element (and its child policy elements, if present) of the referenced identity configuration is the only setting applied; all other settings are ignored. For more information, see the <federationConfiguration> element.
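The following web.config fragment is an added example, not code from the original page or from WIF itself. It ties together the attributes and child elements listed above, the default-selection and override rules in the remarks, and the <federationConfiguration> reference described in the preceding paragraph. The assembly-qualified section types are the real .NET 4.5 WIF registrations; the Contoso.* type name, the audience and resource URIs, the role value and the <policy>/<claim> element shape inside <claimsAuthorizationManager> are assumptions for illustration (that shape is whatever format the hypothetical custom manager's LoadCustomConfiguration method parses).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page. Contoso.* names, URIs and the
     <policy>/<claim> format are illustrative assumptions. -->
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <system.identityModel>
    <!-- Unnamed element: the default identity configuration when several are present.
         The service-level attributes here are only defaults; the handler collection
         below overrides them. saveBootstrapContext stays false unless a downstream
         service needs the original incoming token re-presented to it. -->
    <identityConfiguration maximumClockSkew="00:05:00" saveBootstrapContext="false">
      <securityTokenHandlers>
        <!-- Collection-level values win over the service-level attributes above.
             A tighter skew shrinks the window in which an already-expired token
             is still accepted. -->
        <securityTokenHandlerConfiguration maximumClockSkew="00:01:00" saveBootstrapContext="false">
          <audienceUris>
            <!-- assumed audience of this application -->
            <add value="https://app.contoso.example/" />
          </audienceUris>
          <!-- Placed on the handler collection, not directly under
               <identityConfiguration>, which is the deprecated placement. -->
          <tokenReplayDetection enabled="true" expirationPeriod="00:30:00" />
        </securityTokenHandlerConfiguration>
      </securityTokenHandlers>
    </identityConfiguration>

    <!-- Named alternative, selected explicitly by <federationConfiguration> below.
         Its <claimsAuthorizationManager> is what ClaimsPrincipalPermission consults;
         in a WCF or other non-web host it is the only part of this element applied. -->
    <identityConfiguration name="alternateConfiguration" maximumClockSkew="00:02:00">
      <claimsAuthorizationManager type="Contoso.Security.PolicyClaimsAuthorizationManager, Contoso.Security">
        <!-- Custom child elements are handed to the manager's LoadCustomConfiguration;
             the <policy>/<claim> shape is the hypothetical manager's own format. -->
        <policy resource="https://app.contoso.example/orders" action="Delete">
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                 claimValue="OrdersAdmin" />
        </policy>
      </claimsAuthorizationManager>
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <!-- identityConfigurationName picks the named element; omit it to use the
         unnamed default. -->
    <federationConfiguration identityConfigurationName="alternateConfiguration" />
  </system.identityModel.services>
</configuration>
```

With this file, a call such as ClaimsPrincipalPermission.CheckAccess("https://app.contoso.example/orders", "Delete") is routed to the manager registered under "alternateConfiguration", because that is the identity configuration <federationConfiguration> references; the unnamed element is what code gets when it constructs an IdentityConfiguration without a name, and new IdentityConfiguration("alternateConfiguration") loads the named one. The effective clock skew for tokens handled by the default configuration is one minute, not five, because the collection-level attribute overrides the service-level one.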
Specifying the following elements as child elements of the <identityConfiguration> element has been deprecated, although the behavior is still supported for backward compatibility. These elements should, instead, be specified under the <securityTokenHandlerConfiguration> element.
Example

The following example creates an identity configuration named "alternateConfiguration". Because it sets no attributes and contains no child elements, the configuration uses default settings throughout.

<system.identityModel>
  <identityConfiguration name="alternateConfiguration"/>
</system.identityModel>