WS_CERT_SIGNED_SAML_AUTHENTICATOR structure (webservices.h)
The type for specifying a SAML token authenticator based on an array of expected issuer certificates. When an authenticator of this type is used, an incoming SAML token will be accepted if only if it has a valid XML signature created with any one of the specified X.509 certificates. Thus, the specified X.509 certificates represent a 'allow list' of trusted SAML issuers.
No revocation or chain trust checks are done by the runtime on the specified certificates: so, it is up to the application to make sure that the certificates are valid before they are specified in this structure.
As indicated above, the validation of the received SAML is limited to making sure that it was signed correctly by one of the specified certificates. The application may then extract the SAML assertion using WsGetMessageProperty with the key WS_MESSAGE_PROPERTY_SAML_ASSERTION and do additional validator or processing.
Syntax
typedef struct _WS_CERT_SIGNED_SAML_AUTHENTICATOR {
WS_SAML_AUTHENTICATOR authenticator;
const _CERT_CONTEXT **trustedIssuerCerts;
#if ...
struct _CERT_CONTEXT;
ULONG trustedIssuerCertCount;
const _CERT_CONTEXT *decryptionCert;
#else
struct _CERT_CONTEXT;
#endif
WS_VALIDATE_SAML_CALLBACK samlValidator;
void *samlValidatorCallbackState;
} WS_CERT_SIGNED_SAML_AUTHENTICATOR;
Members
authenticator
The base type from which this type and all other SAML authenticator types derive.
trustedIssuerCerts
The array of acceptable SAML issuers, identified by their X.509 certificates. This field is required.
The certificate handles are duplicated and the copies are kept for internal use. The application continues to own the certificate handles supplied here and is responsible for freeing them anytime after the listener creation call that uses this structure returns.
_CERT_CONTEXT
trustedIssuerCertCount
The count of X.509 certificates specified in trustedIssuerCerts.
decryptionCert
The certificate for decrypting incoming SAML tokens.
The certificate handle is duplicated and the copy is kept for internal use. The application continues to own the certificate handle supplied here and is responsible for freeing it anytime after the listener creation call that uses this structure returns.
samlValidator
An optional callback to enable the application to additional validation on the SAML assertion if the signature validation passes.
samlValidatorCallbackState
The state to be passed back when invoking the samlValidator callback.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 7 [desktop apps only] |
| Minimum supported server | Windows Server 2008 R2 [desktop apps only] |
| Header | webservices.h |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for