<scopedCertificates> Element

Represents a collection of X.509 certificates provided by specific services (scoped) for authentication. This collection is typically used to specify the service certificates for Security Token Services in a federated scenario.

Schema Hierarchy

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior> of <endpointBehaviors>
        <clientCredentials>
          <serviceCertificate> of <serviceCredentials>
            <scopedCertificates> Element
              <add> of <scopedCertificates> Element

Syntax

<scopedCertificates>
  <add findValue="String"
       storeLocation="CurrentUser/LocalMachine"
       storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
       targetUri="String"
       x509FindType="FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier" />
</scopedCertificates>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

None.

Child Elements

Element: <add> of <scopedCertificates> Element
Description: Adds an X.509 certificate to the collection of scoped certificates.

Parent Elements

Element: <serviceCertificate> of <serviceCredentials>
Description: Specifies a certificate to use when authenticating a service to the client.

Remarks

This collection enables the client to select the service certificate to use based on the URL of the service it communicates with. This is especially useful in issued-token scenarios, where a client may be communicating with multiple services (the end service as well as intermediary security token services). For bindings that use certificate-based message security, this certificate is used to encrypt messages to the service, and the service is expected to use the corresponding private key to sign its replies to the client.

If a binding requires a certificate for the service and no certificate registered for that service URL is found in the ScopedCertificates collection, the default certificate is used.

For more information, see the "Scoped Certificates" section of How To: Create a Federated Client.
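The selection rule in the remarks (a certificate registered for the exact target URI, otherwise the default certificate) can also be set up and exercised in code. The following C# is an added example and is not part of the original page or of the WCF documentation. It uses the public `ClientCredentials.ServiceCertificate` API (`ScopedCertificates`, `DefaultCertificate`), builds throwaway self-signed certificates with `CertificateRequest` so that nothing has to be present in a certificate store, and adds a helper `ResolveServiceCertificate` that is this example's own, not a WCF API; the helper assumes exact `Uri` matching, which is what the `Dictionary<Uri, X509Certificate2>` behind `ScopedCertificates` provides. The contoso addresses are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;

static class ScopedCertificateDemo
{
    // Creates an in-memory self-signed certificate (constructed test data) so the sample
    // runs without reading LocalMachine\Root or any other store.
    static X509Certificate2 MakeTestCert(string subject)
    {
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=" + subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    // Hypothetical helper mirroring the rule from the Remarks: a certificate registered for
    // the exact target URI wins; if none is registered, the default certificate is used.
    static X509Certificate2 ResolveServiceCertificate(
        X509CertificateRecipientClientCredential serviceCertificate, Uri target)
    {
        X509Certificate2 scoped;
        if (serviceCertificate.ScopedCertificates.TryGetValue(target, out scoped))
            return scoped;
        return serviceCertificate.DefaultCertificate;
    }

    static void Main()
    {
        var credentials = new ClientCredentials();
        var serviceCertificate = credentials.ServiceCertificate;

        // Programmatic equivalent of the <add targetUri=... /> entries in the XML example.
        serviceCertificate.ScopedCertificates[new Uri("https://www.contoso.com")] =
            MakeTestCert("www.contoso.com");
        serviceCertificate.ScopedCertificates[new Uri("https://sts.contoso.com/issue")] =
            MakeTestCert("sts.contoso.com");
        serviceCertificate.DefaultCertificate = MakeTestCert("default.contoso.com");

        var targets = new List<Uri>
        {
            new Uri("https://www.contoso.com"),        // exact match
            new Uri("https://sts.contoso.com/issue"),  // exact match (the STS)
            new Uri("https://www.contoso.com/calc"),   // different path: no scoped entry
            new Uri("https://other.example")           // unknown host: no scoped entry
        };

        foreach (var target in targets)
        {
            var cert = ResolveServiceCertificate(serviceCertificate, target);
            bool isDefault = ReferenceEquals(cert, serviceCertificate.DefaultCertificate);
            Console.WriteLine("{0} -> {1}{2}", target, cert.Subject,
                isDefault ? " (default certificate)" : "");
        }
    }
}
```

Two points this makes visible that the XML alone does not. First, the lookup is keyed by the whole target URI, so an endpoint at a sub-path of a registered host (the `/calc` case) silently falls back to the default certificate; register each endpoint address you actually call, or verify with a check like the one above. Second, when loading from a store, prefer `FindByThumbprint` over `FindByIssuerName` or `FindBySubjectName` for the scoped entries: a thumbprint identifies exactly one certificate, whereas issuer or subject matching can resolve to more than one certificate in the store and then fails at runtime rather than pinning the service identity you intended.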

Example

The following example specifies a service certificate for the client to use when communicating with the endpoint whose address is https://www.contoso.com.

<serviceCertificate>
  <scopedCertificates>
    <add targetUri="https://www.contoso.com"
         findValue="www.contoso.com"
         storeLocation="LocalMachine"
         storeName="Root"
         x509FindType="FindByIssuerName" />
  </scopedCertificates>
</serviceCertificate>

See Also

Reference

<add> of <scopedCertificates> Element
ScopedCertificates
X509ScopedServiceCertificateElementCollection
X509ScopedServiceCertificateElement
X509CertificateRecipientClientCredential
ScopedCertificates

Other Resources

Working with Certificates
How To: Create a Federated Client
Securing Clients
Securing Services and Clients