<signingCertificate> Element

Optional element of the identityProvider element.

The certificate that the identity provider uses to sign its messages. The certificate is loaded either from a file, if the fileName attribute is specified, or from a certificate store, if the store-related attributes are specified. If fileName is specified it takes precedence and the other attributes are ignored.

Warning

File-based certificates are only recommended for testing and during development. In production environments it is better to use the certificate store.

Attributes

fileName
A file name to load the certificate from. The path is relative to the execution path of the application. Make sure to heed the warning above – best to use store-based certificates for non-development environments.
storeName
Name of the certificate store to search for the certificate. It is recommended to keep the certificate of the identity provider in the “Other People” store which is specified by the AddressBook enum value. Valid values are those from the System.Security.Cryptography.X509Certificates.StoreName enumeration.
storeLocation
The location of the store to search for the certificate. On production services it is recommended to use the LocalMachine value, while it makes more sense to use CurrentUser in development setups. Valid values are those from the System.Security.Cryptography.X509Certificates.StoreLocation enumeration.
findValue
A search term to use to find the certificate. The value will be searched for in the field specified by the x509FindType attribute.
x509FindType

The field that will be searched for a match to the value in findValue. For security, it is recommended to use FindBySerialNumber.

Valid values are those from the System.Security.Cryptography.X509Certificates.X509FindType enumeration.

Warning

There is a nasty bug when copying a serial number from the certificate info displayed by certificate manager and the browser. There is a hidden character before the first hex digit that will mess up the matching. Once pasted into the config, use the arrow keys to make sure that there is not an additional invisible character at the start of the serial number string.
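The following is an added example, not part of the project's own code or documentation. It checks a configuration fragment for the rules described in the attribute list above (fileName precedence, valid enumeration values, store-based lookup on production services) and for the hidden character described in the warning, which in practice is usually a Unicode format character such as the left-to-right mark (U+200E). The surrounding identityProviders/identityProvider wrapper and the entity ids and serial numbers in the sample are constructed for the example; the enumeration member names are those of the .NET System.Security.Cryptography.X509Certificates enumerations.

```python
"""Lint <signingCertificate> elements in a Saml2-style config fragment.
Added example; not part of the project. The wrapper elements, entity ids
and serial numbers below are constructed sample data."""
import unicodedata
import xml.etree.ElementTree as ET

# Member names of the .NET enumerations the attributes map to.
STORE_NAMES = {"AddressBook", "AuthRoot", "CertificateAuthority", "Disallowed",
               "My", "Root", "TrustedPeople", "TrustedPublisher"}
STORE_LOCATIONS = {"CurrentUser", "LocalMachine"}
X509_FIND_TYPES = {
    "FindByThumbprint", "FindBySubjectName", "FindBySubjectDistinguishedName",
    "FindByIssuerName", "FindByIssuerDistinguishedName", "FindBySerialNumber",
    "FindByTimeValid", "FindByTimeNotYetValid", "FindByTimeExpired",
    "FindByTemplateName", "FindByApplicationPolicy", "FindByCertificatePolicy",
    "FindByExtension", "FindByKeyUsage", "FindBySubjectKeyIdentifier",
}
STORE_ATTRS = ("storeName", "storeLocation", "findValue", "x509FindType")
HEX = set("0123456789abcdefABCDEF")

# Constructed sample: a dev entry mixing file and store attributes, a prod
# entry whose serial number was pasted with a hidden U+200E in front, and a
# clean entry. "\u200e" below becomes the real invisible character in the XML.
SAMPLE_CONFIG = """<identityProviders>
  <identityProvider entityId="https://dev.example.test/idp">
    <signingCertificate fileName="Idp.cer" storeName="AddressBook"/>
  </identityProvider>
  <identityProvider entityId="https://prod.example.test/idp">
    <signingCertificate storeName="AddressBook" storeLocation="LocalMachine"
                        findValue="\u200e00 a1 b2 c3 d4 e5 f6 07"
                        x509FindType="FindBySerialNumber"/>
  </identityProvider>
  <identityProvider entityId="https://ok.example.test/idp">
    <signingCertificate storeName="AddressBook" storeLocation="LocalMachine"
                        findValue="00a1b2c3d4e5f607"
                        x509FindType="FindBySerialNumber"/>
  </identityProvider>
</identityProviders>"""


def hidden_characters(value):
    """(index, Unicode name) of every character in a hex find value that is
    neither a hex digit nor a plain space: this is what the pasted
    serial-number bug looks like when you cannot see it in the editor."""
    return [(i, unicodedata.name(c, f"U+{ord(c):04X}"))
            for i, c in enumerate(value) if c not in HEX and c != " "]


def clean_hex(value):
    """Keep only the hex digits so the value matches the stored serial."""
    return "".join(c for c in value if c in HEX)


def check_element(elem, production):
    """Return a list of findings for one <signingCertificate> element."""
    a = elem.attrib
    findings = []
    store_attrs = [k for k in STORE_ATTRS if k in a]
    if "fileName" in a:
        if production:
            findings.append("fileName set: file-based certificates are only "
                            "recommended for development")
        if store_attrs:  # fileName wins; the rest is silently ignored
            findings.append("fileName takes precedence; ignored attributes: "
                            + ", ".join(store_attrs))
        return findings
    missing = [k for k in STORE_ATTRS if k not in a]
    if missing:
        findings.append("store-based lookup is missing: " + ", ".join(missing))
        return findings
    if a["storeName"] not in STORE_NAMES:
        findings.append(f"invalid storeName {a['storeName']!r}")
    if a["storeLocation"] not in STORE_LOCATIONS:
        findings.append(f"invalid storeLocation {a['storeLocation']!r}")
    elif production and a["storeLocation"] != "LocalMachine":
        findings.append("storeLocation should be LocalMachine in production")
    if a["x509FindType"] not in X509_FIND_TYPES:
        findings.append(f"invalid x509FindType {a['x509FindType']!r}")
    elif a["x509FindType"] != "FindBySerialNumber":
        findings.append("x509FindType FindBySerialNumber is recommended")
    if a["x509FindType"] in ("FindBySerialNumber", "FindByThumbprint"):
        for i, name in hidden_characters(a["findValue"]):
            findings.append(f"findValue has hidden character {name} at "
                            f"index {i}; cleaned: {clean_hex(a['findValue'])}")
    return findings


def lint(config_xml, production=False):
    """Map each identity provider's entityId to its list of findings."""
    root = ET.fromstring(config_xml)
    return {idp.get("entityId"): check_element(sc, production)
            for idp in root.iter("identityProvider")
            for sc in idp.findall("signingCertificate")}


if __name__ == "__main__":
    for entity_id, findings in lint(SAMPLE_CONFIG, production=True).items():
        print(entity_id, findings or ["ok"])
```

Run the script as-is to see the three sample entries reported; to check a real configuration, read the file into `lint()` and pass `production=True` for a production deployment. The cleaned value printed for a hidden-character finding is what should be pasted back into findValue.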