Certificates used by federation servers

Applies To: Windows Server 2003 R2

Token-signing certificates

Each federation server uses a token-signing certificate to digitally sign all security tokens that it produces. Because each security token is digitally signed by the account partner, the resource partner can verify that the security token was in fact issued by the account partner and that it was not modified. This helps prevent attackers from forging or modifying security tokens to gain unauthorized access to resources.

Digital signatures on security tokens are also used within the account partner when more than one federation server is used. In this situation, the digital signatures verify the origin and integrity of security tokens that are issued by other federation servers within the account partner. The digital signatures are verified with verification certificates.

Note

Each token-signing certificate contains a private key that is associated with the certificate.

Verification certificates

Verification certificates are used to verify that a security token was issued by a valid federation server and that it was not modified. Verification certificates are actually the token-signing certificates of other federation servers.

To verify that a security token was issued by a given federation server and not modified, the federation server must have a verification certificate for the federation server that issued the security token. For example, if federation server A issues a security token and sends the security token to federation server B, federation server B must have a verification certificate (federation server A's token-signing certificate) for federation server A.

Note

Unlike a token-signing certificate, a verification certificate does not contain the private key that is associated with the certificate.
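The relationship between the two certificate types described above, as an added Go model that is not ADFS code and not part of the original page: federation server A signs a token with the private key of its token-signing certificate, and federation server B can verify that token only after A's verification certificate (the public half alone) has been installed; a modified token, or a token from a server for which B holds no verification certificate, is rejected. The server names, the claims string and the "issuer|claims" token layout are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FederationServer is an illustrative model, not ADFS code. It holds its own
// token-signing key pair plus the verification certificates of its partners.
type FederationServer struct {
	Name    string
	signKey *rsa.PrivateKey           // private key of the token-signing certificate
	Trusted map[string]*rsa.PublicKey // verification certificates, keyed by issuer name
}

func NewFederationServer(name string) (*FederationServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &FederationServer{Name: name, signKey: key, Trusted: map[string]*rsa.PublicKey{}}, nil
}

// VerificationCert is what this server hands to a partner: the token-signing
// certificate's public half only; the private key never leaves the server.
func (s *FederationServer) VerificationCert() *rsa.PublicKey {
	return &s.signKey.PublicKey
}

// IssueToken signs the bytes "<issuer>|<claims>" (assumed layout) with the token-signing private key.
func (s *FederationServer) IssueToken(claims string) (token, sig []byte, err error) {
	token = []byte(s.Name + "|" + claims)
	h := sha256.Sum256(token)
	sig, err = rsa.SignPKCS1v15(rand.Reader, s.signKey, crypto.SHA256, h[:])
	return token, sig, err
}

// VerifyToken accepts a token only if a verification certificate for the named
// issuer is installed and the signature matches the token bytes as received.
func (s *FederationServer) VerifyToken(issuer string, token, sig []byte) error {
	pub, ok := s.Trusted[issuer]
	if !ok {
		return fmt.Errorf("no verification certificate for issuer %q", issuer)
	}
	h := sha256.Sum256(token)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```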

SSL server authentication certificates

The federation server uses Secure Sockets Layer (SSL) server authentication certificates to secure Web services traffic for communication with Web clients or the federation server proxy. These certificates are requested and installed through the Internet Information Services (IIS) snap-in.

For more information about certificates, see Public Key Infrastructure for Windows Server 2003 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=19936).