Atomia Identity

Configuring STS to allow clients certificate based authentication

21 views 0

Overview

The STS should be aware of the web application’s certificate via which the web application will authenticate to the STS.

Add the information about your web application’s certificate to the web.config of the STS within themicrosoft.identityModel section:

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add name="CN=Your Web Application Certificate Name" thumbprint="14f8d3701f0121e20a934baf140d712b4d83550d"/>
</trustedIssuers>
</issuerNameRegistry>

The same element should be added in element with xpath configuration\microsoft.identityModel\service\securityTokenHandlers\securityTokenHandlerConfiguration\issuerNameRegistry\trustedIssuers

Change the following properties in the above example:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
issuerNameRegistry -> trustedIssuer name CN value of your web application’s certificate CN=Your Web Application Certificate Name
issuerNameRegistry -> trustedIssuer thumbprint Thumbprint of your web application’s certificate 14f8d3701f0121e20a934baf140d712b4d83550d

To view details of your web application’s certificate use Microsoft Management Console application ( mmc ).

There’s one additional setting that needs to be added to the web.config within the relyingParty section :

<add storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CN=Your Web Application Certificate Name" rpAddress="Your Web Application's address"/>

For the Atomia Identity (STS) we must set which Certificate Provider to use for our web application URI:

<type type="IRpCertProvider" mapTo="AtomiaRpCertificateProvider" name="http://localhost/MvcIdentity">
</type>

Change the following properties in the above example:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
relyingParty -> add findValue CN value of your web application’s certificate CN=Your Web Application Certificate Name
relyingParty -> add rpAddress The address of your web application http://localhost:52144/

Was this helpful?