<identityConfiguration>
Specifies service-level identity settings.
<configuration>
<system.identityModel>
<identityConfiguration>
Syntax
<system.identityModel>
<identityConfiguration
name=xs:string
saveBootstrapContext=xs:boolean>
maximumClockSkew=TimeSpan >
</identityConfiguration>
</system.identityModel>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
| Attribute | Description |
|---|---|
| name | The name of the identity configuration section. You can use this name to reference a specific configuration section. If no name attribute is specified, the section defines the default configuration. The default configuration is always used for passive federation scenarios. For more information, see the <federationConfiguration> element. |
| saveBootstrapContext | Specifies whether bootstrap tokens should be included in the session token. The value may also be set on a token handler collection by setting the saveBootstrapContext attribute on the <securityTokenHandlerConfiguration> element. A value set on the token handler collection overrides the value set on the service. |
| maximumClockSkew | A TimeSpan that specifies the maximum allowed clock skew. Controls the maximum allowed clock skew when performing time-sensitive operations, such as validating the expiration time of a sign-in session. The default is 5 minutes, "00:05:00". The maximum clock skew may also be set on a token handler collection by setting the maximumClockSkew attribute on the <securityTokenHandlerConfiguration> element. A value set on the token handler collection overrides the value set on the service. |
Child Elements
| Element | Description |
|---|---|
| <caches> | Registers the caches used for session tokens and token replay detection. Can be specified at the service-level or on a security token handler collection. Optional. |
| <certificateValidation> | Controls the settings that token handlers use to validate certificates. Can be specified at the service-level or on a security token handler collection. Optional. |
| <claimsAuthenticationManager> | Registers a claims authentication manager for the incoming claims. Optional. |
| <claimsAuthorizationManager> | Registers a claims authorization manager for the incoming claims. Optional. |
| <claimTypeRequired> | Specifies the set of required claims for incoming security tokens. Optional. |
| <securityTokenHandlers> | Specifies a collection of security token handlers. Zero or more collections of security token handlers can be specified. Optional. |
| <tokenReplayDetection> | Enables token replay detection and specifies the expiration time for tokens. Can be specified at the service-level or on a security token handler collection. Optional. |
Parent Elements
| Element | Description |
|---|---|
| <system.identityModel> | Provides configuration for enabling Windows Identity Foundation (WIF) options in applications. |
Remarks
Multiple identity configurations may be defined, each with a unique name. The behavior is as follows:
If no
<identityConfiguration>element is specified. A default identity configuration is created at runtime and populated with default values.If a single
<identityConfiguration>element is specified. It is the default identity configuration. It does not matter whether it is named or unnamed.If multiple
<identityConfiguration>elements are specified. The unnamed element specifies the default identity configuration. It is recommended that when you specify multiple<identityConfiguration>elements, one of them should be unnamed.
Warning
If you specify multiple <identityConfiguration> elements, one of them should be unnamed. The unnamed element will be the default identity configuration.
Some of the settings specified in the <identityConfiguration> element can be overridden by settings on a security token handler collection or by settings on individual security token handlers.
Important
When using the ClaimsPrincipalPermission or the ClaimsPrincipalPermissionAttribute class to provide claims-based access control in your code, the identity configuration that is referenced by the <federationConfiguration> element configures the claims authorization manager and policy that is used to make authorization decisions. This is true, even in scenarios that are not passive Web scenarios, for example Windows Communication Foundation (WCF) applications or an application that is not Web-based. If the application is not a passive Web application, the <claimsAuthorizationManager> element (and its child policy elements, if present) of the referenced identity configuration are the only settings applied. All other settings are ignored. For more information, see the <federationConfiguration> element.
The <identityConfiguration> element is represented by the IdentityConfigurationElement class. An identity configuration section is represented by the IdentityConfiguration class.
Important
Specifying the following elements as child elements of the <identityConfiguration> element has been deprecated, although the behavior is still supported for backward compatibility. These elements should, instead, be specified under the <securityTokenHandlerConfiguration> element.
Example
The following example creates an identity configuration named "alternateConfiguration". The identity configuration specifies default settings.
<system.identityModel>
<identityConfiguration name="alternateConfiguration"/>
</system.identityModel>