Question

I've been using the ThinkTecture Identity Server to experiment with federated security and claims-based authentication in Windows Identity Foundation. I'm running Identity Server on a separate box, using a self-signed certificate created in IIS for SSL and for encrypting tokens in Identity Server.

I'm running a local MVC application, configured to use Identity in Visual Studio 2013 by pointing the identity tool to the FederationMetadata file for Identity Server. Part of this configuration includes a <trustedIssuers> section, which includes the thumbprint of the certificate of the Identity Server.

All that is pretty straightforward, but I'm confused as to how the thumbprint is being used on the client to trust the Identity Server. Originally, I thought that somehow the thumbprint value was used directly in validating the issued token, but reading more into it I've found that the thumbprint is used to look up the actual certificate on my machine. However, to my knowledge I never had to export the Identity Server certificate and install it on my client machine; it just worked.

How is WIF using the thumbprint in this scenario, if I do not actually install the certificate myself?


Solution

By default, the public key used to validate the signature is embedded in the token response. That means the RP does the following:

  1. Validate the signature using the embedded certificate
  2. Create the thumbprint (hash) over the embedded certificate and make sure that matches the configured thumbprint.

This way you don't need to deploy the cert on the RP.
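As an added example that is not part of the original question or answer, the following Python block shows step 2 of the answer in isolation: the certificate is pulled out of the token's `<ds:KeyInfo>` element, its thumbprint is computed the way .NET displays it (SHA-1 over the DER bytes, hex, upper case), and the result is looked up in a `<trustedIssuers>` list of the same shape WIF uses. Step 1, the XML signature check, is left to WIF and not reproduced here. The token skeleton, the config fragment, the issuer URL and the "certificate" byte strings are all constructed placeholders, not real X.509 data.

```python
"""Added example (not from the original post): how the thumbprint in
<trustedIssuers> anchors trust in a certificate embedded in the token.

Everything below is constructed for illustration: the "certificates" are
placeholder byte strings standing in for DER-encoded X.509 data, and the
token/config XML are minimal skeletons. Signature verification (step 1 in
the answer) is done by WIF and is not shown; this is step 2, the match."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholders for DER-encoded certificates.
ISSUER_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-FOR-THE-IDENTITY-SERVER-CERT"
ROGUE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-FOR-A-CERT-NOBODY-CONFIGURED"


def thumbprint(der_bytes: bytes) -> str:
    """Certificate thumbprint as .NET/WIF presents it: SHA-1 over the DER
    encoding, hex-encoded, upper case."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Drop spaces and the hidden U+200E mark that the certificate MMC
    dialog copies along with the thumbprint, then fold case, so a pasted
    value compares reliably against a computed one."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def trusted_thumbprints(config_xml: str) -> dict:
    """Parse a <trustedIssuers> section (same shape as WIF's
    issuerNameRegistry config) into {normalized thumbprint: issuer name}."""
    root = ET.fromstring(config_xml)
    return {normalize_thumbprint(add.get("thumbprint")): add.get("name")
            for add in root.iter("add")}


def embedded_cert(token_xml: str) -> bytes:
    """Return the DER bytes of the certificate carried in the token's
    <ds:KeyInfo>/<ds:X509Data>/<ds:X509Certificate> element."""
    root = ET.fromstring(token_xml)
    el = root.find(f".//{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if el is None or not el.text:
        raise ValueError("token carries no embedded certificate")
    return base64.b64decode(el.text.strip())


def resolve_issuer(token_xml: str, config_xml: str):
    """Step 2 of the answer: hash the embedded certificate and look the
    thumbprint up. Returns the configured issuer name, or None when the
    certificate is not listed (WIF rejects the token at this point, even
    though its signature verified against the embedded key in step 1)."""
    tp = thumbprint(embedded_cert(token_xml))
    return trusted_thumbprints(config_xml).get(tp)


def make_token(cert_der: bytes) -> str:
    """Constructed minimal token skeleton with the signer's cert embedded."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:Signature><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></Assertion>')


# Thumbprint as it might have been pasted into web.config: lower case,
# a space in the middle, and a leading U+200E from the MMC dialog.
_tp = thumbprint(ISSUER_CERT_DER)
PASTED_THUMBPRINT = "\u200e" + _tp[:20].lower() + " " + _tp[20:].lower()

# Constructed config; the issuer URL is a placeholder.
CONFIG = f"""
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
  <trustedIssuers>
    <add thumbprint="{PASTED_THUMBPRINT}" name="https://idsrv.example/issue" />
  </trustedIssuers>
</issuerNameRegistry>
"""

if __name__ == "__main__":
    print(resolve_issuer(make_token(ISSUER_CERT_DER), CONFIG))  # issuer name
    print(resolve_issuer(make_token(ROGUE_CERT_DER), CONFIG))   # None
```

The point the two calls at the bottom make is why step 2 exists at all: a signature that verifies against the key embedded in the same token only proves that whoever holds that key signed it. The thumbprint match is what pins the embedded certificate to the issuer the RP was configured to trust, which is why the certificate never has to be installed on the RP and why a token signed with any other certificate is rejected regardless of how well its signature checks out.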

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow