How to: Create a Custom Issuer Name Registry
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]
The following code shows how to create a custom issuer name registry for the X509SecurityTokenHandler and for the Saml11SecurityTokenHandler. DBHelper.IsIssuerTokenValid is a placeholder for a helper method that validates the issuer token.
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens;
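/// <summary>
/// Sample <see cref="IssuerNameRegistry"/> that resolves the issuer name for an incoming
/// security token. The single-argument overload is used by X509SecurityTokenHandler.Validate;
/// the two-argument overload is used by Saml11SecurityTokenHandler.Validate and
/// Saml2SecurityTokenHandler.Validate. DBHelper.IsIssuerTokenValid is a placeholder for the
/// application's own trust check and is not defined in this sample.
/// </summary>
class SampleIssuerNameRegistry : IssuerNameRegistry
{
    /// <summary>
    /// Resolves the issuer name for an X.509 token. Called by X509SecurityTokenHandler.Validate.
    /// </summary>
    /// <param name="securityToken">The token whose issuer is being resolved; must be an <see cref="X509SecurityToken"/>.</param>
    /// <returns>The friendly name of the certificate carried by the token.</returns>
    /// <exception cref="SecurityTokenValidationException">
    /// Thrown when <paramref name="securityToken"/> is null or is not an <see cref="X509SecurityToken"/>,
    /// or when the placeholder trust check rejects it.
    /// </exception>
    public override string GetIssuerName(SecurityToken securityToken)
    {
        // One 'as' cast with a null check replaces the original 'is' test followed by a
        // second 'as' cast; a null result covers both a null token and a token of the wrong type.
        X509SecurityToken x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            throw new SecurityTokenValidationException("Invalid token.");
        }

        // An X.509 token carries no issuer name of its own, so whether the presented
        // certificate is trusted is decided by the application's own lookup.
        bool issuerTokenValid = DBHelper.IsIssuerTokenValid(x509Token);
        if (!issuerTokenValid)
        {
            throw new SecurityTokenValidationException("Untrusted issuer token.");
        }

        // NOTE(review): FriendlyName is a label kept alongside the certificate in the local
        // store, not a field of the certificate itself; it can be edited there or be empty.
        // Whatever is returned here becomes the issuer identity that downstream claims
        // processing binds trust to, so a production registry should prefer a value that is
        // part of the certificate (for example Thumbprint) over this display label.
        return x509Token.Certificate.FriendlyName;
    }

    /// <summary>
    /// Resolves the issuer name for a SAML token. Called by Saml11SecurityTokenHandler.Validate
    /// and Saml2SecurityTokenHandler.Validate.
    /// </summary>
    /// <param name="securityToken">The token that signed the assertion.</param>
    /// <param name="requestedIssuerName">The issuer name the caller asks to have confirmed.</param>
    /// <returns><paramref name="requestedIssuerName"/>, unchanged, once the signing token is accepted.</returns>
    /// <exception cref="SecurityTokenValidationException">Thrown when the placeholder trust check rejects the token.</exception>
    public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
    {
        if (!DBHelper.IsIssuerTokenValid(securityToken))
        {
            throw new SecurityTokenValidationException("Untrusted issuer token.");
        }

        // NOTE(review): the requested name is echoed back without being cross-checked against
        // the token that was just validated. Presumably the handler supplies it from the
        // assertion's own Issuer value; if so, any trusted signer can claim any issuer name
        // here. A production registry should derive the issuer name from the validated token
        // (or from a mapping keyed by it) rather than from the request.
        return requestedIssuerName;
    }

    /// <summary>Issuer name reported for identities produced by Windows authentication.</summary>
    /// <returns>The constant string "WINDOWS AUTHORITY".</returns>
    public override string GetWindowsIssuerName()
    {
        return "WINDOWS AUTHORITY";
    }
}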