Configures the list of trusted issuer certificates used by the configuration-based issuer name registry (ConfigurationBasedIssuerNameRegistry).
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <securityTokenHandlerConfiguration>
        <issuerNameRegistry>
          <trustedIssuers>
            <add thumbprint=xs:string name=xs:string>
            <clear>
            <remove thumbprint=xs:string>
          </trustedIssuers>
        </issuerNameRegistry>
      </securityTokenHandlerConfiguration>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Child Elements
|Element|Description|
|<add>|Adds a certificate to the collection of trusted issuers. The certificate is specified with the|
|<clear>|Clears all certificates from the collection of trusted issuers.|
|<remove>|Removes a certificate from the collection of trusted issuers. The certificate is specified with the|
Parent Elements
|Element|Description|
|<issuerNameRegistry>|Configures the issuer name registry. Important: The|
Windows Identity Foundation (WIF) provides a single implementation of the IssuerNameRegistry class out of the box, the ConfigurationBasedIssuerNameRegistry class. The configuration issuer name registry maintains a list of trusted issuers that is loaded from configuration. The list associates each issuer name with the X.509 certificate that is needed to verify the signature of tokens produced by the issuer. The list of trusted issuer certificates is specified under the <trustedIssuers> element. Each element in the list associates a mnemonic issuer name with the X.509 certificate that is needed to verify the signature of tokens produced by that issuer. Trusted certificates are specified using the ASN.1 encoded form of the certificate thumbprint and are added to the collection by using the <add> element. You can clear or remove issuers (certificates) from the list by using the

type attribute of the <issuerNameRegistry> element must reference the ConfigurationBasedIssuerNameRegistry class for the <trustedIssuers> element to be valid.
The following XML shows how to specify the configuration-based issuer name registry.
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
  <trustedIssuers>
    <add thumbprint="9B74CB2F32 … B1DC01EF40D0" name="LocalSTS" />
  </trustedIssuers>
</issuerNameRegistry>
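An added example, not from the original page or from WIF itself: a Python check for reviewing a <trustedIssuers> list. It computes which thumbprints remain trusted after the <add>, <clear> and <remove> elements are applied, and reports entries that cannot match a certificate or a registry type that does not satisfy the rule above. The sample configuration and the names audit_trusted_issuers and normalize are constructed for the example; applying the elements in document order and comparing thumbprints without spaces or case are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED_TYPE = "System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry"
SHA1_HEX = re.compile(r"[0-9A-F]{40}")

# Constructed sample: thumbprints and issuer names are invented for the example.
# \u200e is an invisible left-to-right mark, as can be picked up when a thumbprint is pasted.
SAMPLE = """<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
  <trustedIssuers>
    <add thumbprint="00112233445566778899AABBCCDDEEFF00112233" name="OldSTS" />
    <clear />
    <add thumbprint="aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd" name="LocalSTS" />
    <add thumbprint="\u200e0123456789ABCDEF0123456789ABCDEF01234567" name="Pasted" />
    <add thumbprint="FFEEDDCCBBAA99887766554433221100FFEEDDCC" name="Retired" />
    <remove thumbprint="ffeeddccbbaa99887766554433221100ffeeddcc" />
  </trustedIssuers>
</issuerNameRegistry>"""

def normalize(thumbprint):
    # Assumption of this example: thumbprints compare without spaces, case-insensitively.
    return thumbprint.replace(" ", "").upper()

def audit_trusted_issuers(config_xml):
    """Return (effective, findings): the thumbprint -> name map left after applying
    <add>/<clear>/<remove> in document order (assumed), and a list of problems."""
    effective, findings = {}, []
    for registry in ET.fromstring(config_xml).iter("issuerNameRegistry"):
        issuers = registry.find("trustedIssuers")
        if issuers is None:
            continue
        type_name = registry.get("type", "").split(",")[0].strip()
        if type_name != REQUIRED_TYPE:
            findings.append("issuerNameRegistry type is not ConfigurationBasedIssuerNameRegistry")
        for op in issuers:
            thumb = normalize(op.get("thumbprint", ""))
            if op.tag == "clear":
                effective.clear()
            elif op.tag == "remove":
                effective.pop(thumb, None)
            elif op.tag == "add":
                if not SHA1_HEX.fullmatch(thumb):  # cannot equal a 40-hex-digit thumbprint
                    findings.append(f"{op.get('name')}: thumbprint is not 40 hex characters")
                elif thumb in effective:
                    findings.append(f"{op.get('name')}: duplicate thumbprint")
                else:
                    effective[thumb] = op.get("name")
    return effective, findings
```

On the constructed sample, only LocalSTS remains trusted: OldSTS is dropped by <clear>, Retired by <remove>, and Pasted is reported because of the hidden character in its thumbprint.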