<securityTokenHandlers>

Specifies a collection of security token handlers that are registered with the endpoint.

<configuration>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>

Syntax

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

| Attribute | Description |
| --- | --- |
| name | Specifies the name of a token handler collection. The only values recognized by the framework are "ActAs" and "OnBehalfOf". If token handler collections are specified with either of these names, the collection will be used when processing ActAs or OnBehalfOf tokens respectively. |

Child Elements

| Element | Description |
| --- | --- |
| <add> | Adds a security token handler to the token handler collection. |
| <clear> | Clears all security token handlers from the token handler collection. |
| <remove> | Removes a security token handler from the token handler collection. |
| <securityTokenHandlerConfiguration> | Provides configuration for the collection of token handlers. |

Parent Elements

| Element | Description |
| --- | --- |
| <identityConfiguration> | Specifies service-level identity settings. |

Remarks

You can specify one or more named collections of security token handlers in a service configuration. You can specify a name for a collection by using the name attribute. The only names that the framework handles are "ActAs" and "OnBehalfOf". If handlers exist in these collections, they are used by a security token service (STS) instead of the default handlers when processing ActAs and OnBehalfOf tokens.

By default, the collection is populated with the following handler types: SamlSecurityTokenHandler, Saml2SecurityTokenHandler, KerberosSecurityTokenHandler, WindowsUserNameSecurityTokenHandler, RsaSecurityTokenHandler, X509SecurityTokenHandler, and EncryptedSecurityTokenHandler. You can modify the collection by using the <add>, <remove>, and <clear> elements. You must ensure that only a single handler of any particular type exists in the collection. For example, if you derive a handler from the Saml2SecurityTokenHandler class, either your handler or the Saml2SecurityTokenHandler may be configured in a single collection, but not both.

Use the <securityTokenHandlerConfiguration> element to specify configuration settings for the handlers in the collection. Settings specified through this element override those specified on the service through the <identityConfiguration> element. Some handlers (including several of the built-in handler types) can support additional configuration through a child element of the <add> element. Settings specified on a handler override equivalent settings specified on the collection or the service.
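The following configuration is an added example, not part of this reference page, that puts the remarks above together: a default (unnamed) collection in which the built-in Saml2SecurityTokenHandler is removed before a derived handler is added (so only one handler of that type exists), a <securityTokenHandlerConfiguration> whose settings override the service-level values in <identityConfiguration>, and a separate "ActAs" collection that an STS uses only for ActAs tokens. The assembly identity of System.IdentityModel (Version=4.0.0.0, PublicKeyToken=b77a5c561934e089) is the one used by the .NET Framework 4.5 configuration system; the handler type Contoso.Identity.HardenedSaml2TokenHandler, the service and issuer URIs, and the all-zero thumbprint are placeholders you must replace.

```xml
<!-- Added example configuration; not from the reference page.
     Placeholders: Contoso.Identity.HardenedSaml2TokenHandler (a hypothetical handler
     derived from Saml2SecurityTokenHandler), the URIs, and the thumbprint. -->
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <system.identityModel>
    <identityConfiguration>
      <!-- Service-level setting: applies unless a collection or handler overrides it. -->
      <audienceUris>
        <add value="https://service.example.com/" />
      </audienceUris>

      <!-- Unnamed collection: used for ordinary incoming tokens. -->
      <securityTokenHandlers>
        <!-- Only one handler per type may be present, so the built-in Saml2 handler
             is removed before the handler derived from it is added. -->
        <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <add type="Contoso.Identity.HardenedSaml2TokenHandler, Contoso.Identity" />

        <!-- Collection-level settings: override the <identityConfiguration> values above
             for every handler in this collection. -->
        <securityTokenHandlerConfiguration>
          <audienceUris>
            <add value="https://service.example.com/api/" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
              <!-- Placeholder thumbprint: use the signing certificate of the STS you trust. -->
              <add thumbprint="0000000000000000000000000000000000000000" name="https://sts.example.com/" />
            </trustedIssuers>
          </issuerNameRegistry>
        </securityTokenHandlerConfiguration>
      </securityTokenHandlers>

      <!-- Named collection: an STS uses it instead of the default handlers only when
           processing ActAs tokens. <clear> drops the default handler types first. -->
      <securityTokenHandlers name="ActAs">
        <clear />
        <add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Two points worth checking in a review of such a file: that no collection ends up with two handlers of the same type (the <remove> before the <add> is what prevents that here), and that the audience and issuer values in <securityTokenHandlerConfiguration> are the ones you intend, since they silently take precedence over the service-level values in <identityConfiguration>.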