8 votes

We have an application that was originally built with .NET 4.0 and WIF 3.5 (1.0?). I'm in the process of converting it to use WIF 4.5 as we've upgraded the app to .NET 4.5. I've got all the code changes made and have been fighting with the configuration settings. My current dilemma is with the <claimTypeRequired> element. According to this documentation it should be a child of <identityConfiguration>, but when I modify my config to look like this

<system.identityModel>
  <identityConfiguration>
    <claimTypeRequired>
      ...
    </claimTypeRequired>

I get the following error at run-time

Parser Error Message: Unrecognized element 'claimTypeRequired'.

If I just comment out the <claimTypeRequired> block I get past that error but then I'm presented with another problem. We had modified the maximumClockSkew in the existing application via the following configuration

<securityTokenHandlerConfiguration>
  <maximumClockSkew value="1" />
</securityTokenHandlerConfiguration>

The configuration documentation referenced earlier doesn't even mention the maximumClockSkew. I figured I'd try leaving it in to see what happens. What happens is

Parser Error Message: Property 'maximumClockSkew' is not a ConfigurationElement.

But when I look at the SecurityTokenHandlerConfigurationElement class using JustDecompile I can see the property:

[ConfigurationProperty("maximumClockSkew", IsRequired=false, DefaultValue="00:05:00")]
[IdentityModelTimeSpanValidator(MinValueString="00:00:00")]
[TypeConverter(typeof(TimeSpanOrInfiniteConverter))]
public TimeSpan MaximumClockSkew...

So it seems like it's expecting it to be there.

It's almost like Microsoft doesn't actually want us to use this stuff.


3 Answers

1 vote

You were almost there; this is the answer for setting it in config:

 <securityTokenHandlerConfiguration saveBootstrapContext="true" maximumClockSkew="00:35:00" >

It works; it sets it to a value of 35 minutes here (hh:MM:ss).
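A fuller web.config fragment showing where that attribute sits in the WIF 4.5 schema, added here as an example rather than taken from the answer above; the audience URI is a placeholder, and the clock-skew value is the 00:05:00 default that the decompiled ConfigurationProperty attribute in the question reports:

```xml
<system.identityModel>
  <identityConfiguration>
    <!-- Placeholder audience; replace with the relying party's own URI. -->
    <audienceUris>
      <add value="https://PLACEHOLDER-app.example/" />
    </audienceUris>

    <securityTokenHandlers>
      <!-- The WIF 3.5 child-element form from the question no longer parses
           in 4.5:
             <maximumClockSkew value="1" />
           In 4.5 the setting is an attribute on securityTokenHandlerConfiguration.
           Every minute added here widens the window in which an expired or
           not-yet-valid token is still accepted, so keep it as small as the
           issuer's real clock drift allows. -->
      <securityTokenHandlerConfiguration saveBootstrapContext="true"
                                         maximumClockSkew="00:05:00" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
```

The decompiled IdentityConfigurationElement in the other answer shows the same maximumClockSkew attribute (also defaulting to 00:05:00) directly on identityConfiguration, so the skew can be set at either level.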

6 votes

Here's a decompilation of the IdentityConfigurationElement from ReSharper. You'll notice claimTypeRequired is no longer a member of this element. It appears that claimTypeRequired is not part of the schema, despite the fact that it's in Microsoft's documentation.

// Type: System.IdentityModel.Configuration.IdentityConfigurationElement
// Assembly: System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
// Assembly location: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.dll

using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime;

namespace System.IdentityModel.Configuration
{
  /// <summary>
  /// Represents an &lt;identityConfiguration&gt; element in a configuration file. This class cannot be inherited.
  /// </summary>
  public sealed class IdentityConfigurationElement : ConfigurationElement
  {
    /// <summary>
    /// Initializes a new instance of the <see cref="T:System.IdentityModel.Configuration.IdentityConfigurationElement"/> class.
    /// </summary>
    [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]
    public IdentityConfigurationElement();
    /// <summary>
    /// Gets or sets the name of the identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The name of the identity configuration.
    /// </returns>
    [ConfigurationProperty("name", Options = ConfigurationPropertyOptions.IsKey)]
    [StringValidator(MinLength = 0)]
    public string Name { get; set; }
    /// <summary>
    /// Gets the <see cref="T:System.IdentityModel.Configuration.AudienceUriElementCollection"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The collection of audience URIs that are configured for this identity configuration element.
    /// </returns>
    [ConfigurationProperty("audienceUris", IsRequired = false)]
    public AudienceUriElementCollection AudienceUris { get; }
    /// <summary>
    /// Gets or sets the <see cref="T:System.IdentityModel.Configuration.IdentityModelCachesElement"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The element that configures the token replay cache and the session security token cache for this identity configuration element.
    /// </returns>
    [ConfigurationProperty("caches", IsRequired = false)]
    public IdentityModelCachesElement Caches { get; set; }
    /// <summary>
    /// Gets or sets the <see cref="T:System.IdentityModel.Configuration.X509CertificateValidationElement"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The element that configures the certificate validator and its properties for this identity configuration element.
    /// </returns>
    [ConfigurationProperty("certificateValidation", IsRequired = false)]
    public X509CertificateValidationElement CertificateValidation { get; set; }
    /// <summary>
    /// Gets or sets the claims authentication manager that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// A custom type element that specifies the <see cref="T:System.Type"/> of the claims authentication manager. The type must derive from <see cref="T:System.Security.Claims.ClaimsAuthenticationManager"/>.
    /// </returns>
    [ConfigurationProperty("claimsAuthenticationManager", IsRequired = false)]
    public CustomTypeElement ClaimsAuthenticationManager { get; set; }
    /// <summary>
    /// Gets or sets the claims authorization manager that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// A custom type element that specifies the <see cref="T:System.Type"/> of the claims authorization manager. The type must derive from <see cref="T:System.Security.Claims.ClaimsAuthorizationManager"/>.
    /// </returns>
    [ConfigurationProperty("claimsAuthorizationManager", IsRequired = false)]
    public CustomTypeElement ClaimsAuthorizationManager { get; set; }
    /// <summary>
    /// Gets or sets the <see cref="T:System.IdentityModel.Configuration.IssuerNameRegistryElement"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The element that configures the issuer name registry for this identity configuration element.
    /// </returns>
    [ConfigurationProperty("issuerNameRegistry", IsRequired = false)]
    public IssuerNameRegistryElement IssuerNameRegistry { get; set; }
    /// <summary>
    /// Gets or sets the issuer token resolver that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// A custom type element that specifies the <see cref="T:System.Type"/> of the issuer token resolver. The type must derive from <see cref="T:System.IdentityModel.Selectors.SecurityTokenResolver"/>.
    /// </returns>
    [ConfigurationProperty("issuerTokenResolver", IsRequired = false)]
    public CustomTypeElement IssuerTokenResolver { get; set; }
    /// <summary>
    /// Gets or sets the maximum clock skew that is configured for this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The maximum clock skew.
    /// </returns>
    [TypeConverter(typeof (TimeSpanOrInfiniteConverter))]
    [ConfigurationProperty("maximumClockSkew", DefaultValue = "00:05:00", IsRequired = false)]
    [IdentityModelTimeSpanValidator(MinValueString = "00:00:00")]
    public TimeSpan MaximumClockSkew { get; set; }
    /// <summary>
    /// Gets or sets a value that indicates whether to save the bootstrap context in claims identities and session security tokens created by the handlers configured in this identity collection.
    /// </summary>
    /// 
    /// <returns>
    /// true to save the <see cref="T:System.IdentityModel.Tokens.BootstrapContext"/>; otherwise, false.
    /// </returns>
    [ConfigurationProperty("saveBootstrapContext", DefaultValue = false, IsRequired = false)]
    public bool SaveBootstrapContext { get; set; }
    /// <summary>
    /// Gets or sets the service token resolver that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// A custom type element that specifies the <see cref="T:System.Type"/> of the service token resolver. The type must derive from <see cref="T:System.IdentityModel.Selectors.SecurityTokenResolver"/>.
    /// </returns>
    [ConfigurationProperty("serviceTokenResolver", IsRequired = false)]
    public CustomTypeElement ServiceTokenResolver { get; set; }
    /// <summary>
    /// Gets or sets the <see cref="T:System.IdentityModel.Configuration.TokenReplayDetectionElement"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The element that specifies whether token replay detection is enabled and specifies the maximum expiration period for tokens in the token replay cache.
    /// </returns>
    [ConfigurationProperty("tokenReplayDetection", IsRequired = false)]
    public TokenReplayDetectionElement TokenReplayDetection { get; set; }
    /// <summary>
    /// Gets or sets the <see cref="T:System.IdentityModel.Configuration.SecurityTokenHandlerSetElementCollection"/> that is associated with this identity configuration element.
    /// </summary>
    /// 
    /// <returns>
    /// The security token handler collections configured for this identity configuration element.
    /// </returns>
    [ConfigurationProperty("", Options = ConfigurationPropertyOptions.IsDefaultCollection)]
    public SecurityTokenHandlerSetElementCollection SecurityTokenHandlerSets { get; }
  }
}

2 votes

By the way, if you haven't already found out about the claimTypeRequired attribute in the XML, you can use this as a workaround:

At the top of the config file, put this:

<section name="system.identityModel.services.serialization" type="System.IdentityModel.Services.Serialization , System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

And then around the claimTypeRequired, here's an example:

<system.identityModel.services.serialization>
  <claimTypeRequired>
    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true"/>
    <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true"/>
  </claimTypeRequired>
</system.identityModel.services.serialization>

Kind regards,