Problem description
I'm migrating forms authentication in webforms across to Microsoft Identity.
When creating a SessionSecurityToken using a ClaimsPrincipal cp object, I have this code:
Dim token As New SessionSecurityToken(cp, TimeSpan.FromMinutes(30))
However, in web.config I also see this:
<configSections>
  <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
        <sessionTokenRequirement lifetime="00:30:00" /><!-- 30 minutes -->
      </add>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
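Are these the same thing? To prove I RTFM, the sessionTokenRequirement lifetime:
Specifies the lifetime of session tokens.
The SessionSecurityToken lifetime:
The time period from the current time during which the token is valid. The ValidFrom property will be set to UtcNow and the ValidTo property will be set to ValidFrom plus the period specified by this parameter.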
The former seems vague, so I'm not sure.
Recommended answer
In application federation or claims-based authentication, there are two entities: the Relying Party (RP) and the Identity Provider (IdP).
In the Microsoft world, ADFS would typically be the IdP, and your application that depends on ADFS for authentication would be the RP.
On authentication, the IdP generates a claims token which is signed by the IdP's certificate. The RP accepts this claims token and performs various validations, including that of the digital signature using the IdP's certificate. Upon successful validation of the claims token, the RP issues a session token in the form of a cookie. The default name of this cookie is FedAuth. The SessionTokenRequirement lifetime parameter is associated with the FedAuth token's lifetime.
SessionSecurityToken lifetime is associated with the lifetime of the claims token issued by the IdP.
Please refer to:
http://brockallen.com/2013/02/14/configuring-session-token-lifetime-in-wif-with-the-session-authentication-module-sam-and-thinktecture-identitymodel/