How to: Configure a Local Issuer

This topic describes how to configure a client to use a local issuer for issued tokens.

Often, when a client communicates with a federated service, the service specifies the address of the security token service (STS) that is expected to issue the token the client uses to authenticate itself to the federated service. In certain situations, the service does not name an issuer, and the client may instead be configured to use a local issuer.

Windows Communication Foundation (WCF) uses a local issuer in cases where the issuer address of a federated binding is http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous or null. In such cases, you must configure the ClientCredentials with the address of the local issuer and the binding to use to communicate with that issuer.

Note

If the SupportInteractive property of the ClientCredentials class is set to true, a local issuer address is not specified, and the issuer address specified by the <wsFederationHttpBinding> or other federated binding is http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self, http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous, or is null, then the Windows CardSpace issuer is used.

To configure the local issuer in code

  1. Create a variable of type IssuedTokenClientCredential.

  2. Set the variable to the instance returned from the IssuedToken property of the ClientCredentials class. That instance is returned by the ClientCredentials property of the client (inherited from ClientBase<TChannel>) or the Credentials property of the ChannelFactory:

    IssuedTokenClientCredential itcc = client.ClientCredentials.IssuedToken;
    
    Dim itcc As IssuedTokenClientCredential = client.ClientCredentials.IssuedToken
    
  3. Set the LocalIssuerAddress property to a new instance of the EndpointAddress, with the address of the local issuer as an argument to the constructor.

    itcc.LocalIssuerAddress = new EndpointAddress("http://fabrikam.com/sts");
    
    itcc.LocalIssuerAddress = New EndpointAddress("http://fabrikam.com/sts")
    

    Alternatively, pass a new Uri instance to the constructor together with an array of AddressHeader instances (addressHeaders) that the local issuer requires in order to be correctly addressed.

    itcc.LocalIssuerAddress = new EndpointAddress(new Uri("http://fabrikam.com/sts"),
        addressHeaders);
    
    itcc.LocalIssuerAddress = New EndpointAddress( _
    New Uri("http://fabrikam.com/sts"), addressHeaders)
    

    The addressHeaders parameter is an array of AddressHeader instances. A further overload also takes an EndpointIdentity; specifying the identity the local issuer is expected to present (here a DNS identity for fabrikam.com) makes WCF verify the issuer's credential against that identity rather than accept any endpoint that answers at the address, as shown.

    itcc.LocalIssuerAddress = new EndpointAddress(
        new Uri("http://fabrikam.com/sts"),
        EndpointIdentity.CreateDnsIdentity("fabrikam.com"),
        addressHeaders);
    
    itcc.LocalIssuerAddress = New EndpointAddress(New Uri("http://fabrikam.com/sts"), _
    EndpointIdentity.CreateDnsIdentity("fabrikam.com"), addressHeaders)
    
  4. Set the binding for the local issuer using the LocalIssuerBinding property.

    itcc.LocalIssuerBinding = new WSHttpBinding("LocalIssuerBinding");
    
    itcc.LocalIssuerBinding = New WSHttpBinding("LocalIssuerBinding")
    
  5. Optional. Add configured endpoint behaviors for the local issuer by adding such behaviors to the collection returned by the LocalIssuerChannelBehaviors property.

    itcc.LocalIssuerChannelBehaviors.Add(myEndpointBehavior);
    
    itcc.LocalIssuerChannelBehaviors.Add(myEndpointBehavior)
    

To configure the local issuer in configuration

  1. Create a <localIssuer> element as a child of the <issuedToken> element that is itself a child of the <clientCredentials> element in an endpoint behavior.

  2. Set the address attribute to the address of the local issuer that will accept token requests.

  3. Set the binding and bindingConfiguration attributes to values that reference the appropriate binding to use when communicating with the local issuer endpoint.

  4. Optional. Set the <identity> element as a child of the <localIssuer> element and specify identity information for the local issuer.

  5. Optional. Set the <headers> element as a child of the <localIssuer> element and specify additional headers that are required in order to correctly address the local issuer.
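The same configuration expressed in an application configuration file, as an added example that is not from the original page. The binding names, the service endpoint https://contoso.com/orders, the IOrderService contract, the SAML 1.1 token type and the Region header are assumptions for illustration; only the <localIssuer>, <identity> and <headers> structure follows the steps above.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Binding used only for the request to the local issuer (step 3).
           Transport security keeps the token exchange on TLS. -->
      <wsHttpBinding>
        <binding name="LocalIssuerBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
      <!-- Federated binding for the service itself. No <issuer> element is given,
           so the issuer address is null and WCF falls back to the local issuer. -->
      <wsFederationHttpBinding>
        <binding name="FederatedBinding">
          <security mode="Message">
            <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" />
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="LocalIssuerBehavior">
          <clientCredentials>
            <issuedToken>
              <!-- Steps 1 to 3: address and binding of the local issuer. -->
              <localIssuer address="https://fabrikam.com/sts"
                           binding="wsHttpBinding"
                           bindingConfiguration="LocalIssuerBinding">
                <!-- Step 4: identity the issuer must present; WCF checks the STS
                     credential against this DNS name. -->
                <identity>
                  <dns value="fabrikam.com" />
                </identity>
                <!-- Step 5: additional addressing headers (hypothetical header). -->
                <headers>
                  <Region xmlns="http://fabrikam.com/headers">EastCoast</Region>
                </headers>
              </localIssuer>
            </issuedToken>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <!-- Hypothetical client endpoint that ties the behavior to the federated binding. -->
      <endpoint address="https://contoso.com/orders"
                binding="wsFederationHttpBinding"
                bindingConfiguration="FederatedBinding"
                behaviorConfiguration="LocalIssuerBehavior"
                contract="IOrderService" />
    </client>
  </system.serviceModel>
</configuration>
```

When reviewing such a file, confirm that the <wsFederationHttpBinding> element the endpoint references contains no <issuer> element with an address; if it does, the <localIssuer> settings are not used for that endpoint.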

.NET Framework Security

Note that if an issuer address and binding are specified for a given binding, the local issuer is not used for endpoints that use that binding. Clients that expect to always use the local issuer should ensure that they do not use such a binding, or should modify the binding so that the issuer address is null. The request to the local issuer carries the client's credentials and returns the token that will authenticate the client to the federated service, so the LocalIssuerBinding should provide transport or message security, and the LocalIssuerAddress should carry an EndpointIdentity (in configuration, a child <identity> element) so that WCF verifies it is talking to the intended issuer.

See also