How do I force SecurityTokenServiceConfiguration to load configuration information from app.config?
I am building an STS with WIF included in .NET 4.5. I am self-hosting this STS (for now) using the WSTrustServiceHost class. To do this, I do the following:
using System.IdentityModel.Configuration;
using System.ServiceModel.Security;

// loadConfig = true: expected to pull settings from the config file
var conf = new SecurityTokenServiceConfiguration("issuer name here", true)
{
    DisableWsdl = true,
    SecurityTokenService = typeof(MyTokenService),
};
var ct = new WSTrustServiceContract(conf);
var host = new WSTrustServiceHost(ct);
host.Open();
// ...
As you can see, I am passing true as the loadConfig constructor parameter of SecurityTokenServiceConfiguration, which the documentation describes as: "true to load settings from a configuration file; otherwise, false."
I have an identityConfiguration element in my config file, but it doesn't seem to load. I can make changes to the config file, e.g. I can change securityTokenHandlers, and these changes are not reflected in the SecurityTokenServiceConfiguration that is built.
In my app.config file I have the following:
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="sts_behavior">
        <serviceCredentials useIdentityConfiguration="true" identityConfiguration="the_issuer_id">
          <serviceCertificate findValue="7A5D7EB05EC741E45BF4EDA7E574F58DC31EF290" x509FindType="FindByThumbprint" storeName="My" storeLocation="LocalMachine" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <ws2007HttpBinding>
      <binding name="sts_binding">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <services>
    <service name="System.ServiceModel.Security.WSTrustServiceContract" behaviorConfiguration="sts_behavior">
      <endpoint address="http://my-machine:54512/tokens" binding="ws2007HttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" bindingConfiguration="sts_binding" />
    </service>
  </services>
</system.serviceModel>
As you can see, the <serviceCredentials> element refers to an <identityConfiguration> element that is present in the config file, and if I change that name so that it no longer matches the <identityConfiguration> element, an error occurs when the service host is opened. However, this <identityConfiguration> element is still not in use, as I can <clear/> the security token handlers and the token handler is still in use when the request comes in.
How to set up and self-host a custom STS with minimal software configuration?
After a lot of research, I found that one of the SecurityTokenServiceConfiguration constructor overloads allows you to specify the name of the <identityConfiguration> element from which the configuration is loaded:
//
// Summary:
// Initializes a new instance of the System.IdentityModel.Configuration.SecurityTokenServiceConfiguration
// class that has the specified issuer name and signing credentials. Settings
// are loaded from the specified named configuration.
//
// Parameters:
// issuerName:
// The issuer name. Sets the System.IdentityModel.Configuration.SecurityTokenServiceConfiguration.TokenIssuerName
// property.
//
// signingCredentials:
// The signing credentials for the STS. Sets the System.IdentityModel.Configuration.SecurityTokenServiceConfiguration.SigningCredentials
// property.
//
// serviceName:
// The name of the <identityConfiguration> element from which the configuration
// is to be loaded.
public SecurityTokenServiceConfiguration(string issuerName, SigningCredentials signingCredentials, string serviceName);
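Putting the answer's overload together with the question's setup, as an added example (not the poster's code): it assumes the <identityConfiguration> element is named "the_issuer_id" (the name the question's <serviceCredentials> refers to), that MyTokenService is defined elsewhere, and it lists the token handlers actually loaded so you can confirm the config file is being honoured rather than the built-in defaults.

```csharp
using System;
using System.IdentityModel.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

class StsHost
{
    // Thumbprint from the <serviceCertificate> element in the question's app.config.
    const string Thumbprint = "7A5D7EB05EC741E45BF4EDA7E574F58DC31EF290";
    // Assumed: the <identityConfiguration name="..."> element carries this name.
    const string IdentityConfigName = "the_issuer_id";

    static X509Certificate2 FindSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a misconfigured (e.g. expired) cert is still reported by name
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("STS signing certificate not found: " + thumbprint);
            return found[0];
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        var signingCert = FindSigningCertificate(Thumbprint);

        // The third argument (serviceName) selects the named <identityConfiguration>
        // element; with the bool overload only the unnamed/default one is consulted.
        var conf = new SecurityTokenServiceConfiguration(
            "issuer name here", new X509SigningCredentials(signingCert), IdentityConfigName)
        {
            DisableWsdl = true,
            SecurityTokenService = typeof(MyTokenService),
        };

        // Sanity check: if <clear/> in securityTokenHandlers was honoured, this is 0.
        Console.WriteLine("{0} token handler(s) loaded from <identityConfiguration name=\"{1}\">",
            conf.SecurityTokenHandlers.Count, IdentityConfigName);
        foreach (SecurityTokenHandler h in conf.SecurityTokenHandlers)
            Console.WriteLine("  " + h.GetType().Name);

        var host = new WSTrustServiceHost(new WSTrustServiceContract(conf));
        host.Open();
        Console.WriteLine("STS listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```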