Certificates are the crucial elements in the security of claims-based applications. They are used for signing and encrypting tokens that are transmitted across the security boundaries, safeguarding the communication from security threats such as man-in-the-middle attacks and eavesdropping.
This recipe shows the concepts of deploying certificates and retrieving them to create the signing credentials and the proof tokens that will be used throughout the course of this book.
To configure the certificates for claims-based applications, perform the following steps:
makecert
command:makecert -r -pe -n "CN= SamlTokenSigningCertificate" -b 01/01/2010 -e
01/01/2012 -sky exchange -ss my
A self-signed certificate with the SamlTokenSigningCertificate
subject is generated and stored in the My
store. The private key is marked exportable.
X509CertificateHelper
class and add a static method—GetValidCertificateFromStore
that accepts the subject name, store location, and the valid time as parameters, and returns the X509 certificate from the store:public static X509Certificate2 GetValidCertificateFromStore(StoreLocation location, DateTime timeValid, string subjectDistinguishedName) { X509Store store = new X509Store(location); try { store.Open(OpenFlags.ReadOnly); X509Certificate2Collection validCertificates = store.Certificates.Find(X509FindType.FindByTimeValid, timeValid, false); X509Certificate2Collection signingCertificate = validCertificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectDistinguishedName, false); if (signingCertificate.Count == 0) return null; return signingCertificate[0]; } finally { store.Close(); } }
A collection of the certificates that are valid for the specified date is retrieved and a lookup is performed using the unique subject. The method shown here makes a very target-specific search. There could be overloaded methods that are more generic in nature. An example would be to look for matching (contains string) subjects. The X509FindType.FindBySubjectName
search criteria could be used for such purpose. The retrieved certificate will be used to create a digital signature for the token (discussed in the Designing claims-based tokens using Security Assertion Markup Language recipe earlier in this chapter).
You can have a look at the Cryptographic Tasks article at http://msdn.microsoft.com/en-us/library/7yx4d854.aspx to learn more about the cryptographic operations that can be performed using Microsoft CryptoAPI.
A proof token is used by the requestor to authenticate, in order to get GenericXmlSecurityToken
from the issuer. A good overview of the proof tokens is provided by Vittorio Bertocci from MSFT in his blog at http://blogs.msdn.com/b/vbertocci/archive/2008/01/02/on-prooftokens.aspx.