SecurityKeyType 枚举


指定与安全令牌关联的密钥的类型。Specifies the type of key that is associated with a security token.

public enum class SecurityKeyType
public enum SecurityKeyType
type SecurityKeyType = 
Public Enum SecurityKeyType


AsymmetricKey 1

指定密钥是非对称密钥。Specifies that the key is an asymmetric key.

BearerKey 2

指定安全令牌不包含所有权证明密钥。Specifies that the security token does not contain a proof-of-possession key.

SymmetricKey 0

指定密钥是对称密钥。Specifies that the key is a symmetric key.


使用 SecurityKeyType 枚举可设置 KeyType 属性。Use the SecurityKeyType enumeration to set the KeyType property.

BearerKey 字段与 KeyType 属性一起使用。The BearerKey field is used with the KeyType property.

BearerKey 需要 Wsu:Id 或使用消息凭据的传输安全BearerKey Requires Wsu:Id or Transport Security with Message Credentials

在联合方案中,通常将颁发的令牌配置为保证客户端和依赖方之间消息安全的认可支持令牌。In federation scenarios, an issued token is generally configured as an endorsing supporting token for message security between a client and the relying parties. 但是, 当安全令牌服务 (STS) 发出没有密钥 (为 bearerkey 并且) 的令牌时, wcf 会将其配置为SecurityTokenAttachmentMode.SignedEncrypted支持令牌 (wcf 在没有密钥的情况下无法认可)。However, when a Security Token Service (STS) issues a token with no key (BearerKey), WCF configures it as a SecurityTokenAttachmentMode.SignedEncrypted supporting token (WCF cannot endorse without a key). 这要求在签名中引用颁发的令牌。This requires the issued token to be referenced in the signature. WCF 当前使用以下内容:作为引用机制 (Wsu: Id)。WCF currently uses the following: as a reference mechanism (Wsu:Id).

如果颁发的令牌没有此类属性,则会在客户端上引发 MessageSecurityException 并显示文本“要签名的元素必须有 ID”。If an issued token does not have such an attribute, on a client, a MessageSecurityException is thrown with the text "Element to sign must have id". 将 SAML 1.1 令牌用作颁发的令牌时,就会发生这种情况(SAML 1.1 规范中没有定义 Wsu:Id)。This happens when a SAML 1.1 token is used as an issued token (the Wsu:Id is not defined in the SAML 1.1 specification).

若要解决这种情况, 请使用带有消息凭据的传输安全 (例如AuthenticationMode.IssuedTokenOverTransport), 或者 STS 必须将 (Wsu: Id) 添加到已颁发的令牌。To work around this situation, either use transport security with message credentials (for example, AuthenticationMode.IssuedTokenOverTransport), or an STS must add the (Wsu:Id) to the issued token.

请注意,如果将 Wsu:Id 添加到 SAML 1.1 令牌中,生成的 XML 将不符合 SAML 1.1 规范。Note that if the Wsu:Id is added to a SAML 1.1 token, the resulting XML does not comply to the SAML 1.1 specification. 一种替代办法是将 Wsu:Id 添加到 EncryptedData 中,后者是在加密颁发的令牌时生成的。The alternative is to add a Wsu:Id to the EncryptedData which is a result of encrypting the issued token. 此过程符合 SAML 1.1 规范,因为 EncryptedData 元素支持 Wsu:Id 属性。This procedure complies with the SAML 1.1 specification, because the EncryptedData element supports the Wsu:Id attribute.

因此,为了与规范保持一致,STS 必须对持有者令牌进行加密。So to be compliant with the specification, the bearer token must be encrypted by the STS.