关于断言的ADFS证书链,与信任点的WIF SP应用程序配置相比 [英] ADFS cert chain on assertions, vs WIF SP application configuration of trust points
问题描述
如果(a)配置为发送证书,并且(b)其EE证书有多个元素,ADFS是否通常在其断言上发送多元素证书链?
Does ADFS normally send a multi-element cert chain on its assertions, if (a) configured to send certs, and (b) its EE cert has multiple elements?
假设ADFS是一个3层证书链,以ADCS管理的自签名证书为根。
lets assume ADFS sens a 3 layer cert chain, rooted at a self-signed cert managed by ADCS.
假设该网站不属于域名。
Assume the website is NOT part of the domain.
当我配置WIF 网站web.config并使用< certificatevalidation mode = NONE />时,我会在身份模型配置中使用哪个指纹?我是否放置了根证书的指纹或EE证书?
When I configure a WIF website web.config and use <certificatevalidation mode=NONE/>, which fingerprint do I use in identity model config? Do I put the root cert's fingerprint, or the EE cert?
显然,将验证模式设为= NONE,我没有放任何东西在任何Windows证书存储区(这是模式= NONE的整点)。
Obviously, having put validation mode=NONE, I dont put anything in any windows cert store (which is the whole point of mode=NONE).
我可以假设在certvalidation mode = none,WIF是STILL检查证书链和/或签名关于EE证书?
Can I assume in certvalidation mode=none that WIF is STILL checking the cert chain, and/or the signatures on the EE cert?
我可以假设,默认情况下,这些情况下的链验证逻辑大致坚持PKIX扩展档案等)?
Can I assume that, by default, the chain validation logic in these cases is roughly insisting on the PKIX profile of extensions, etc)?
推荐答案
我猜你在谈论issuerNameRegistry元素中的指纹?
I guess you are talking about the thumbprint in the issuerNameRegistry element?
你使用签署该令牌的证书的指纹。
You use the thumbprint of the certificate that signed the token.
这篇关于关于断言的ADFS证书链,与信任点的WIF SP应用程序配置相比的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!