The key identifier for signatures is a hint for the receiver of the token. This hint must be sufficient enough for the receiver to fetch the right key material to verify the signature.
Dominick Baier | thinktecture | http://www.leastprivilege.com
Thanks for the response. Can you please explain a little bit more how the key identifier is used to fetch the right key material and verify the signature, and how to do this programmatically?
There are multiple possible key identifiers - e.g. a thumbprint or the complete certificate is embedded inside the token / signature.
On the receiving end - the SecurityTokenResolver classes are used to fetch the right key material (e.g. from the certificate store or re-hydrate the cert from the embedded base64 string inside the token).
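The two cases named in the reply above (thumbprint lookup and embedded certificate), as an added example that is not part of the original thread or the poster's own code: a custom SecurityTokenResolver that turns either kind of key identifier clause into an X509SecurityToken. The class name and the choice of the LocalMachine/TrustedPeople store are assumptions.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical resolver; the store it searches is an assumption.
public class StoreOrEmbeddedCertResolver : SecurityTokenResolver
{
    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    {
        token = null;
        X509Certificate2 cert = null;
        var raw = clause as X509RawDataKeyIdentifierClause;
        var thumb = clause as X509ThumbprintKeyIdentifierClause;
        if (raw != null)
        {
            // Complete certificate travels with the signature: re-hydrate it from the raw bytes.
            cert = new X509Certificate2(raw.GetX509RawData());
        }
        else if (thumb != null)
        {
            // Only a thumbprint was sent: the key material must already be in the local store.
            var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                foreach (X509Certificate2 candidate in store.Certificates)
                    if (thumb.Matches(candidate)) { cert = candidate; break; }
            }
            finally { store.Close(); }
        }
        if (cert == null) return false;   // hint was not sufficient to find a key
        token = new X509SecurityToken(cert);
        return true;
    }
    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = null;
        // A key identifier can carry several clauses; the first one that resolves wins.
        foreach (SecurityKeyIdentifierClause clause in keyIdentifier)
            if (TryResolveTokenCore(clause, out token)) return true;
        return false;
    }
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = null;
        SecurityToken token;
        if (!TryResolveTokenCore(clause, out token)) return false;
        key = token.SecurityKeys[0];      // public key used to verify the signature
        return true;
    }
}
```

Resolving an embedded certificate only identifies which key produced the signature; whether that certificate belongs to a trusted issuer is a separate check the receiver still has to make.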