The information in this post is based on Windows Identity Foundation Config.xml file that ships with WIF SDK.

<certificateValidation> controls the settings that token handlers will use to validate certificates, unless those handlers have their own validators set.

ATTRIBUTES

• certificateValidationMode. X509CertificateValidationMode value that specifies the validation mode to use for the X.509 certificate. The default value is PeerOrChainTrust.
• revocationMode. X509CertificateRevocationMode type that specifies the revocation mode to use for the X.509 certificate. The default value is Online.
• trustedStoreLocation. X509TrustedStoreLocation type that specifies the X.509 certificate store. The default value is LocalMachine.
• certificateValidator. A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator. If the certificateValidationMode attribute is "Custom", an instance of this type will be used by underlying handlers for certificate validation.

Example

<certificateValidation certificateValidationMode="PeerOrChainTrust"
                             revocationMode="Online"
                             trustedStoreLocation="LocalMachine" >

<certificateValidator> allows for a custom type to be specified for certificate validation. This type will only be used if the certificateValidationMode is set to "Custom"

ATTRIBUTES

• Type. A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.  This validator will be used by the default SecurityTokenHandler instances, unless those have their own validators set.

Example

<certificateValidator type="CustomType" />

<maximumClockSkew> Controls the maximum allowed clock skew when performing time-sensitive operations such as validating the expiration time of a sign-in session. Defaults to 5 minutes.

Example

<maximumClockSkew value="00:05:00" />

<serviceCertificate> controls the certificate used for token decryption. In the case of an Information Card relying party, this should be the SSL certificate of the web site. Any certificate that is identified must have a private key and the private key must have appropriate access control permissions so that it may be read by the application pool identity.

Example:

<serviceCertificate>
  <certificateReference x509FindType="FindByThumbprint"
                        findValue="97249e1a5fa6bee5e515b82111ef524a4c91583f"
                        storeLocation="LocalMachine"
                        storeName="My" />
</serviceCertificate>

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) Configuration – Part I
• Windows Identity Foundation (WIF) Configuration – Part II (<cookieHandler>, <chunkedCookieHandler>, <customCookieHandler>)
• Windows Identity Foundation (WIF) Configuration – Part III (<wsFederattion>)
• Windows Identity Foundation (WIF) Questions & Answers
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul

Adding OpenID as identity provider using Windows Azure AppFabric Access Control Service (ACS) v2 Management Service is in general similar to the procedures outlined in the following posts:

• Windows Azure AppFabric Access Control Service (ACS) v2 – Programmatically Adding Facebook as an Identity Provider Using Management Service
• Windows Azure AppFabric Access Control Service v2 - Adding Identity Provider Using Management Service (AD FS 2.0)

The key differences are as follows:

• Change protocol type to OpenID

// Create Identity Provider
IdentityProvider identityProvider = new IdentityProvider()
{
    DisplayName = identityProviderName,
    Description = identityProviderName,
    WebSSOProtocolType = "OpenId",
    IssuerId = issuer.Id
};
svc.AddObject("IdentityProviders", identityProvider);

• Remove code related to IdentityProviderKey altogether
• Update sign in address as per your OpenID provider

IdentityProviderAddress signInAddress = new IdentityProviderAddress()
{
    Address = "https://www.myopenid.com/server",
    EndpointType = "SignIn",
    IdentityProvider = identityProvider,
};
svc.AddRelatedObject(identityProvider, "IdentityProviderAddresses", signInAddress);

• Another caveat is when creating rules using Management Portal – you cannot auto generate rules. Instead, create manually at least one pass through rule so that all incoming claims from your OpenID provider will be available. Failure to create at least one rule will result in failure to generate a security token by ACS v2.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Azure AppFabric Access Control Service (ACS) v2 – Programmatically Adding Facebook as an Identity Provider Using Management Service
• Windows Azure AppFabric Access Control Service v2 - Adding Identity Provider Using Management Service (AD FS 2.0)
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Videos: Windows Azure Security Essentials For Decision Makers, Security Architecture, Access, and Secure Development
• Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
• Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
• Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites

The information in this post is based on Windows Identity Foundation Config.xml file that ships with WIF SDK.

<wsFederattion> defines parameter settings for WS-Federation protocol STS. This affects the settings for the WSFederationAuthenticationModule.

ATTRIBUTES

• authenticationType. String, default is "". The request wauth type.
• freshness. Float, default is "". The value of the required freshness.
• homeRealm. String, default is "". The home realm of the IdentityProvider
• issuer. String, default is "". The URI of the token issuer.
• policy. String, default is "". The URI of the relevant policy.
• realm. String, default is "". The URI of requesting realm.
• reply. String, default is "". The URI of address to reply to.
• request. String, default is "". The URI of WS-Federation request.
• requestPtr. String, default is "". The URI of WS-Federation request pointer.
• resource. String, default is "". The URI of WS-Federation resource value.
• requireHttps. Boolean, default is true. Controls whether the module will only redirect a secure URL for the STS.
• passiveRedirectEnabled. Boolean, default false. Controls whether the module is enabled to automatically redirect
  unauthorized requests to an STS.
• persistentCookiesOnPassiveRedirects. Boolean, default is false. Specifies whether persistent cookies are issued when the module is enabled to initiate WS-Federation passive protocol redirects.
• signInQueryString. String, default is "". Application defined parameters for the sign in request URL.
• signOutQueryString. String, default is "". Application defined parameters for the sign out request URL.
• signOutReply. String, default is "". URL to return to following sign out.

Example:

      <wsFederation authenticationType="wauth"
                     freshness="45"
                     homeRealm="http://homeRealm"
                     issuer="i"
                     policy="http://policy"
                     realm="http://realm"
                     reply="http://reply"
                     request="http://request"
                     requestPtr="http://requestPtr"
                     resource ="http://resource"
                     requireHttps="true"
                     passiveRedirectEnabled="true"
                     persistentCookiesOnPassiveRedirects="true"
                     signInQueryString="abc=xyz"
                     signOutQueryString="def=uvw"
                     signOutReply="http://signoutreply" />

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) Configuration – Part I
• Windows Identity Foundation (WIF) Configuration – Part II (<cookieHandler>, <chunkedCookieHandler>, <customCookieHandler>)
• Windows Identity Foundation (WIF) Questions & Answers
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul