ADFS cert chain on assertions, vs WIF SP application configuration of trust points


Question

Does ADFS normally send a multi-element cert chain on its assertions, if (a) configured to send certs, and (b) its EE cert has multiple elements?

Let's assume ADFS sends a 3-layer cert chain, rooted at a self-signed cert managed by ADCS.

Assume the website is NOT part of the domain.

When I configure a WIF website web.config and use <certificatevalidation mode=NONE/>, which fingerprint do I use in identity model config? Do I put the root cert's fingerprint, or the EE cert?

Obviously, having put validation mode=NONE, I don't put anything in any Windows cert store (which is the whole point of mode=NONE).

Can I assume in certvalidation mode=none that WIF is STILL checking the cert chain, and/or the signatures on the EE cert?

Can I assume that, by default, the chain validation logic in these cases is roughly insisting on the PKIX profile of extensions, etc.?

Answer

I guess you are talking about the thumbprint in the issuerNameRegistry element?

You use the thumbprint of the certificate that signed the token.
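As an added example, not part of the original question or answer, here is how the two settings discussed above fit together in a WIF 4.5 (System.IdentityModel) web.config: `certificateValidationMode` set to `None`, and an `issuerNameRegistry` whose `trustedIssuers` entry carries the thumbprint of the ADFS token-signing certificate, i.e. the end-entity cert that signs the assertion, not the ADCS root above it. The thumbprint value and the issuer name are placeholders to be replaced with the values from the relying party's ADFS instance.

```xml
<configuration>
  <configSections>
    <!-- Registers the WIF 4.5 configuration section (not declared in machine.config). -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <system.identityModel>
    <identityConfiguration>
      <!-- Trust is pinned to a specific signing certificate, not to a chain.
           thumbprint = SHA-1 hash of the ADFS token-signing certificate (the EE cert
           that actually signs the SAML assertion), NOT the ADCS root that issued it.
           name       = the issuer string WIF will stamp on the resulting claims.
           Both values below are placeholders. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000"
               name="http://adfs.example.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>

      <!-- None: WIF does not build or validate the X.509 chain of the signing
           certificate, so nothing from the ADCS hierarchy has to be present in a
           Windows certificate store on this non-domain web server. The token
           signature is still verified with the signing cert's public key, and the
           thumbprint match above is the only check that ties that cert to a
           trusted issuer, which is why it must be the signing cert's own thumbprint. -->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

One operational caveat for this pinning approach: ADFS with AutoCertificateRollover enabled replaces its token-signing certificate periodically, so a thumbprint pinned in web.config stops matching when the cert rolls and tokens are rejected until the entry is updated (or the trusted issuer list is populated from the ADFS federation metadata instead of being hard-coded).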
