TrustedIssuers on Windows Identity Foundation

I use the ThinkTecture Identity Server to experiment with federated security and claims-based authentication in the Windows Identity Foundation. I launch Identity Server in a separate window using a self-signed certificate created in IIS for SSL and token encryption in Identity Server.

I am running a local MVC application configured to use Identity in Visual Studio 2013, by specifying an identification tool in the FederationMetadata file for Identity Server. Part of this configuration includes a <trustedIssuers> section that includes the Identity Server certificate fingerprint.

All this is pretty straightforward, but I'm confused about how the fingerprint is used on the client to trust Identity Server. Initially, I thought that somehow the value of the fingerprint was used directly when checking the issued token, but, reading more, I found that the fingerprint is used to search for the actual certificate on my machine. However, as far as I know, I never had to export an Identity Server certificate and install it on my client machine; it just worked.

How does WIF use the fingerprint in this scenario if I do not install the certificate myself?
