Claims Issuance Pipeline
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]
The following diagram shows the sequence of events in which an STS issues a security token.
The STS receives a request for a security token (RST), which it validates in ValidateRequest.
The STS calls GetScope. This method takes the caller’s IClaimsPrincipal and the incoming RST and returns the configuration for the token issuance request, which is represented by the Scope class. This is one of the methods you must implement to create your own STS. In this method, you can normalize the relying party’s address and choose signing and encryption keys. Typically, security tokens are encrypted so that only the relying party can read them. For more information, see Building an STS.
The STS calls GetIssuerName to get the name of the token issuer.
The STS calls GetTokenLifetime to get the lifetime of the token, passing in a requested lifetime. The requested lifetime is typically derived from the lifetime specified in the RST; the method returns the lifetime the STS is actually willing to grant.
The STS calls GetOutputClaimsIdentity. This method takes the caller’s IClaimsPrincipal, the incoming RST, and the Scope object returned from GetScope, and returns the IClaimsIdentity to be included in the issued token. This is one of the methods you must implement to create your own STS. This lets you decide which claims are included in the token. For more information, see Building an STS.
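The pipeline above, as an added example that is not part of this topic or of WIF's own samples: a WIF 3.5 SecurityTokenService subclass that overrides GetScope, GetTokenLifetime and GetOutputClaimsIdentity. It assumes a single trusted relying party (the address and certificate thumbprint are constructed placeholders), that the relying party's encryption certificate sits in the LocalMachine TrustedPeople store, and a 10-minute lifetime cap; GetIssuerName is left to the base class, which returns the configured issuer name.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Constructed single-entry allow-list (placeholder values): the one relying party this
    // STS issues for and the thumbprint of its encryption certificate. Load from config in practice.
    private const string TrustedRpAddress = "https://rp.example.test/";
    private const string TrustedRpThumbprint = "PLACEHOLDER_RP_CERT_THUMBPRINT";

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // GetScope: refuse unknown audiences, normalize the address, encrypt to the RP's key.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        string appliesTo = request.AppliesTo == null ? null : request.AppliesTo.Uri.AbsoluteUri;
        if (!TrustedRpAddress.Equals(appliesTo, StringComparison.OrdinalIgnoreCase))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(TrustedRpThumbprint));
        scope.TokenEncryptionRequired = true;   // only this RP can decrypt the issued token
        scope.ReplyToAddress = appliesTo;       // do not trust a caller-supplied ReplyTo
        return scope;
    }

    // GetTokenLifetime: cap the lifetime regardless of what the RST requested.
    protected override Lifetime GetTokenLifetime(Lifetime requestLifetime)
    {
        DateTime now = DateTime.UtcNow;
        return new Lifetime(now, now.AddMinutes(10));
    }

    // GetOutputClaimsIdentity: issue only the claims this RP needs, not the caller's whole identity.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var output = new ClaimsIdentity();
        foreach (Claim c in ((IClaimsIdentity)principal.Identity).Claims)
            if (c.ClaimType == ClaimTypes.Name || c.ClaimType == ClaimTypes.Role)
                output.Claims.Add(new Claim(c.ClaimType, c.Value));
        return output;
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0) throw new InvalidOperationException("RP certificate not found.");
        return found[0];
    }
}
```

Throwing InvalidRequestException from GetScope surfaces as a WS-Trust fault to the caller, so a request for an unlisted AppliesTo never reaches token issuance.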