Claims Issuance Pipeline
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]
The following diagram shows the sequence of events in which an STS issues a security token.
The STS receives a request for a security token (RST), which it validates in ValidateRequest.
The STS calls GetScope. This method takes the caller’s IClaimsPrincipal and the incoming RST and returns the configuration for the token issuance request, which is represented by the Scope class. This is one of the methods you must implement to create your own STS. In this method, you can normalize the relying party’s address and choose signing and encryption keys. Typically, security tokens are encrypted so that only the relying party can read them. For more information, see Building an STS.
The STS passes the Scope instance to CreateSecurityTokenDescriptor to create an instance of SecurityTokenDescriptor.
The STS calls GetSecurityTokenHandler and gets a SecurityTokenHandler based on the token type and the SecurityTokenServiceConfiguration. For more information, see Token Handler Configuration.
The STS calls GetIssuerName to get the name of the token issuer.
The STS calls GetTokenLifetime to get the lifetime of the token, passing in a requested lifetime. It typically requests a lifetime based on the lifetime specified in the RST.
The STS calls GetProofToken, passing in the RST and the Scope instance obtained earlier.
The STS calls GetOutputClaimsIdentity. This method takes the caller’s IClaimsPrincipal, the incoming RST, and the Scope object returned from GetScope, and returns the IClaimsIdentity to be included in the issued token. This is one of the methods you must implement to create your own STS. This lets you decide which claims are included in the token. For more information, see Building an STS.
The STS calls GetDisplayToken, passing in the requested language and the IClaimsIdentity obtained from GetOutputClaimsIdentity.
The STS calls GetResponse, in which it creates the Response to Security Token Request (RSTR) based on the SecurityTokenDescriptor created earlier.
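The two methods you must implement, GetScope and GetOutputClaimsIdentity, are shown here in a custom STS. This is an added example, not code from the original topic. The class name and the relying-party table passed to the constructor are assumptions. GetScope rejects relying parties that are not in the table and encrypts each token with the registered certificate for that relying party.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical STS: the class name and the relying-party table are assumptions.
public class AllowListSecurityTokenService : SecurityTokenService
{
    // Normalized AppliesTo address -> certificate used to encrypt tokens for that relying party.
    private readonly IDictionary<string, X509Certificate2> relyingParties;

    public AllowListSecurityTokenService(SecurityTokenServiceConfiguration configuration,
        IDictionary<string, X509Certificate2> relyingParties) : base(configuration)
    {
        this.relyingParties = relyingParties;
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("The request does not specify AppliesTo.");

        // Normalize the address so that trailing-slash variants match one table entry.
        string address = request.AppliesTo.Uri.AbsoluteUri.TrimEnd('/');

        X509Certificate2 encryptingCertificate;
        if (!relyingParties.TryGetValue(address, out encryptingCertificate))
            throw new InvalidRequestException("Unknown relying party: " + address);

        Scope scope = new Scope(address, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
        scope.ReplyToAddress = address; // reply only to the registered address, not request.ReplyTo
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
        RequestSecurityToken request, Scope scope)
    {
        // Issue only the claims this relying party needs; here, just the caller's name.
        ClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return output;
    }
}
```

The remaining pipeline methods (CreateSecurityTokenDescriptor, GetIssuerName, GetTokenLifetime, GetProofToken, GetResponse) are not overridden here, so the base class implementations run.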