<Type Name="X509SecurityTokenAuthenticator" FullName="System.IdentityModel.Selectors.X509SecurityTokenAuthenticator">
<TypeSignature Language="C#" Value="public class X509SecurityTokenAuthenticator : System.IdentityModel.Selectors.SecurityTokenAuthenticator" />
<TypeSignature Language="ILAsm" Value=".class public auto ansi beforefieldinit X509SecurityTokenAuthenticator extends System.IdentityModel.Selectors.SecurityTokenAuthenticator" />
<TypeSignature Language="DocId" Value="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" />
<TypeSignature Language="VB.NET" Value="Public Class X509SecurityTokenAuthenticator
Inherits SecurityTokenAuthenticator" />
<TypeSignature Language="F#" Value="type X509SecurityTokenAuthenticator = class
 inherit SecurityTokenAuthenticator" />
<TypeSignature Language="C++ CLI" Value="public ref class X509SecurityTokenAuthenticator : System::IdentityModel::Selectors::SecurityTokenAuthenticator" />
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.ServiceModel.Primitives</AssemblyName>
<AssemblyVersion>6.0.0.0</AssemblyVersion>
<AssemblyVersion>6.2.0.0</AssemblyVersion>
<AssemblyVersion>8.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<Base>
<BaseTypeName>System.IdentityModel.Selectors.SecurityTokenAuthenticator</BaseTypeName>
</Base>
<Interfaces />
<Docs>
<summary>Authenticates an <see cref="T:System.IdentityModel.Tokens.X509SecurityToken" />.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
Use the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator> class to authenticate <xref:System.IdentityModel.Tokens.X509SecurityToken> security tokens.
]]></format>
</remarks>
</Docs>
<Members>
<MemberGroup MemberName=".ctor">
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<Docs>
<summary>Initializes a new instance of the <see cref="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" /> class.</summary>
</Docs>
</MemberGroup>
<Member MemberName=".ctor">
<MemberSignature Language="C#" Value="public X509SecurityTokenAuthenticator ();" />
<MemberSignature Language="ILAsm" Value=".method public hidebysig specialname rtspecialname instance void .ctor() cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.#ctor" />
<MemberSignature Language="VB.NET" Value="Public Sub New ()" />
<MemberSignature Language="C++ CLI" Value="public:
 X509SecurityTokenAuthenticator();" />
<MemberType>Constructor</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.ServiceModel.Primitives</AssemblyName>
<AssemblyVersion>8.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<Parameters />
<Docs>
<summary>Initializes a new instance of the <see cref="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" /> class.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
When the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method is called to authenticate the token, the X.509 certificate is not mapped to a Windows identity and the certificate is validated using a certificate chain.
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName=".ctor">
<MemberSignature Language="C#" Value="public X509SecurityTokenAuthenticator (System.IdentityModel.Selectors.X509CertificateValidator validator);" />
<MemberSignature Language="ILAsm" Value=".method public hidebysig specialname rtspecialname instance void .ctor(class System.IdentityModel.Selectors.X509CertificateValidator validator) cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.#ctor(System.IdentityModel.Selectors.X509CertificateValidator)" />
<MemberSignature Language="VB.NET" Value="Public Sub New (validator As X509CertificateValidator)" />
<MemberSignature Language="F#" Value="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator : System.IdentityModel.Selectors.X509CertificateValidator -> System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" Usage="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator validator" />
<MemberSignature Language="C++ CLI" Value="public:
 X509SecurityTokenAuthenticator(System::IdentityModel::Selectors::X509CertificateValidator ^ validator);" />
<MemberType>Constructor</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.ServiceModel.Primitives</AssemblyName>
<AssemblyVersion>8.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<Parameters>
<Parameter Name="validator" Type="System.IdentityModel.Selectors.X509CertificateValidator" />
</Parameters>
<Docs>
<param name="validator">A <see cref="T:System.IdentityModel.Selectors.X509CertificateValidator" /> that verifies that the certificate is valid.</param>
<summary>Initializes a new instance of the <see cref="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" /> class using the specified certificate validator.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The <xref:System.IdentityModel.Selectors.X509CertificateValidator> class provides a set of pre-defined certificate validation models, such as the <xref:System.IdentityModel.Selectors.X509CertificateValidator.ChainTrust%2A> property. These validation models can be passed to the `validator` parameter. When an application requires a custom validation method, derive a class from <xref:System.IdentityModel.Selectors.X509CertificateValidator> and override the <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method. The <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method is called by the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method.

By default, the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator> does not map the X.509 certificate to a Windows identity.
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName=".ctor">
<MemberSignature Language="C#" Value="public X509SecurityTokenAuthenticator (System.IdentityModel.Selectors.X509CertificateValidator validator, bool mapToWindows);" />
<MemberSignature Language="ILAsm" Value=".method public hidebysig specialname rtspecialname instance void .ctor(class System.IdentityModel.Selectors.X509CertificateValidator validator, bool mapToWindows) cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.#ctor(System.IdentityModel.Selectors.X509CertificateValidator,System.Boolean)" />
<MemberSignature Language="VB.NET" Value="Public Sub New (validator As X509CertificateValidator, mapToWindows As Boolean)" />
<MemberSignature Language="F#" Value="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator : System.IdentityModel.Selectors.X509CertificateValidator * bool -> System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" Usage="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator (validator, mapToWindows)" />
<MemberSignature Language="C++ CLI" Value="public:
 X509SecurityTokenAuthenticator(System::IdentityModel::Selectors::X509CertificateValidator ^ validator, bool mapToWindows);" />
<MemberType>Constructor</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<Parameters>
<Parameter Name="validator" Type="System.IdentityModel.Selectors.X509CertificateValidator" Index="0" FrameworkAlternate="netframework-3.0;netframework-3.5;netframework-4.0;netframework-4.5;netframework-4.5.1;netframework-4.5.2;netframework-4.6;netframework-4.6.1;netframework-4.6.2;netframework-4.7;netframework-4.7.1;netframework-4.7.2;netframework-4.8;netframework-4.8.1;netstandard-2.0" />
<Parameter Name="mapToWindows" Type="System.Boolean" Index="1" FrameworkAlternate="netframework-3.0;netframework-3.5;netframework-4.0;netframework-4.5;netframework-4.5.1;netframework-4.5.2;netframework-4.6;netframework-4.6.1;netframework-4.6.2;netframework-4.7;netframework-4.7.1;netframework-4.7.2;netframework-4.8;netframework-4.8.1;netstandard-2.0" />
</Parameters>
<Docs>
<param name="validator">A <see cref="T:System.IdentityModel.Selectors.X509CertificateValidator" /> that verifies that the certificate is valid.</param>
<param name="mapToWindows">
<see langword="true" /> to map the identity of the certificate to a Windows identity; otherwise, <see langword="false" />.</param>
<summary>Initializes a new instance of the <see cref="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" /> class using the specified certificate validation method and indicates whether the identity of the certificate is mapped to a Windows identity.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The <xref:System.IdentityModel.Selectors.X509CertificateValidator> class provides a set of pre-defined certificate validation models, such as the <xref:System.IdentityModel.Selectors.X509CertificateValidator.ChainTrust%2A> property. These validation models can be passed to the `validator` parameter. When an application requires a custom validation method, derive a class from <xref:System.IdentityModel.Selectors.X509CertificateValidator> and override the <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method. The <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method is called by the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method.

When the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method is called to authenticate the token and `mapToWindows` is `true`, the X.509 certificate is mapped to a Windows account and claims are added to the <xref:System.IdentityModel.Policy.EvaluationContext> with the Windows groups that the user belongs to. How the X.509 certificate is mapped to a Windows account depends upon the security token type:

- When the security token is of type <xref:System.IdentityModel.Tokens.X509WindowsSecurityToken>, the X.509 certificate is mapped using the <xref:System.IdentityModel.Tokens.X509WindowsSecurityToken.WindowsIdentity%2A> property.
- When the security token is of type `X509SecurityToken`, the X.509 certificate is mapped to a Windows account using its user principal name (UPN).
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName=".ctor">
<MemberSignature Language="C#" Value="public X509SecurityTokenAuthenticator (System.IdentityModel.Selectors.X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups);" />
<MemberSignature Language="ILAsm" Value=".method public hidebysig specialname rtspecialname instance void .ctor(class System.IdentityModel.Selectors.X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups) cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.#ctor(System.IdentityModel.Selectors.X509CertificateValidator,System.Boolean,System.Boolean)" />
<MemberSignature Language="VB.NET" Value="Public Sub New (validator As X509CertificateValidator, mapToWindows As Boolean, includeWindowsGroups As Boolean)" />
<MemberSignature Language="F#" Value="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator : System.IdentityModel.Selectors.X509CertificateValidator * bool * bool -> System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" Usage="new System.IdentityModel.Selectors.X509SecurityTokenAuthenticator (validator, mapToWindows, includeWindowsGroups)" />
<MemberSignature Language="C++ CLI" Value="public:
 X509SecurityTokenAuthenticator(System::IdentityModel::Selectors::X509CertificateValidator ^ validator, bool mapToWindows, bool includeWindowsGroups);" />
<MemberType>Constructor</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<Parameters>
<Parameter Name="validator" Type="System.IdentityModel.Selectors.X509CertificateValidator" Index="0" FrameworkAlternate="netframework-3.0;netframework-3.5;netframework-4.0;netframework-4.5;netframework-4.5.1;netframework-4.5.2;netframework-4.6;netframework-4.6.1;netframework-4.6.2;netframework-4.7;netframework-4.7.1;netframework-4.7.2;netframework-4.8;netframework-4.8.1;netstandard-2.0" />
<Parameter Name="mapToWindows" Type="System.Boolean" Index="1" FrameworkAlternate="netframework-3.0;netframework-3.5;netframework-4.0;netframework-4.5;netframework-4.5.1;netframework-4.5.2;netframework-4.6;netframework-4.6.1;netframework-4.6.2;netframework-4.7;netframework-4.7.1;netframework-4.7.2;netframework-4.8;netframework-4.8.1;netstandard-2.0" />
<Parameter Name="includeWindowsGroups" Type="System.Boolean" Index="2" FrameworkAlternate="netframework-3.0;netframework-3.5;netframework-4.0;netframework-4.5;netframework-4.5.1;netframework-4.5.2;netframework-4.6;netframework-4.6.1;netframework-4.6.2;netframework-4.7;netframework-4.7.1;netframework-4.7.2;netframework-4.8;netframework-4.8.1;netstandard-2.0" />
</Parameters>
<Docs>
<param name="validator">A <see cref="T:System.IdentityModel.Selectors.X509CertificateValidator" /> that verifies that the certificate is valid.</param>
<param name="mapToWindows">
<see langword="true" /> to map the identity of the certificate to a Windows identity; otherwise, <see langword="false" />.</param>
<param name="includeWindowsGroups">
<see langword="true" /> to include the groups the Windows user belongs to in the <see cref="P:System.IdentityModel.Policy.AuthorizationContext.ClaimSets" /> property that is constructed throughout the authentication process; otherwise, <see langword="false" />.</param>
<summary>Initializes a new instance of the <see cref="T:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator" /> class using the specified certificate validation method and indicates whether the identity of the certificate is mapped to a Windows identity and the Windows groups the user belongs to.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
To improve performance, pass `false` to the `includeWindowsGroups` parameter when the Windows group information is not required.

The <xref:System.IdentityModel.Selectors.X509CertificateValidator> class has several static properties, such as the <xref:System.IdentityModel.Selectors.X509CertificateValidator.ChainTrust%2A> property, that can be passed to the `validator` parameter. These properties provide common validation methods for X.509 certificates. When a custom validation method is required, derive a class from <xref:System.IdentityModel.Selectors.X509CertificateValidator> and override the <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method. The <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method is called by the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method.

When `true` is passed into the `mapToWindows` parameter, the X.509 certificate is mapped to a Windows account and relevant claims are added to the <xref:System.IdentityModel.Policy.EvaluationContext>, such as the Windows groups that the user belongs to. When the security token is of type <xref:System.IdentityModel.Tokens.X509WindowsSecurityToken>, the identity specified in the token's <xref:System.IdentityModel.Tokens.X509WindowsSecurityToken.WindowsIdentity%2A> property is used; otherwise, the X.509 certificate is mapped to a Windows identity using a Kerberos S4U logon based on the user principal name in the SubjectAltNames extension of the X.509 certificate.
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName="CanValidateTokenCore">
<MemberSignature Language="C#" Value="protected override bool CanValidateTokenCore (System.IdentityModel.Tokens.SecurityToken token);" />
<MemberSignature Language="ILAsm" Value=".method familyhidebysig virtual instance bool CanValidateTokenCore(class System.IdentityModel.Tokens.SecurityToken token) cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.CanValidateTokenCore(System.IdentityModel.Tokens.SecurityToken)" />
<MemberSignature Language="VB.NET" Value="Protected Overrides Function CanValidateTokenCore (token As SecurityToken) As Boolean" />
<MemberSignature Language="F#" Value="override this.CanValidateTokenCore : System.IdentityModel.Tokens.SecurityToken -> bool" Usage="x509SecurityTokenAuthenticator.CanValidateTokenCore token" />
<MemberSignature Language="C++ CLI" Value="protected:
 override bool CanValidateTokenCore(System::IdentityModel::Tokens::SecurityToken ^ token);" />
<MemberType>Method</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.ServiceModel.Primitives</AssemblyName>
<AssemblyVersion>8.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<ReturnValue>
<ReturnType>System.Boolean</ReturnType>
</ReturnValue>
<Parameters>
<Parameter Name="token" Type="System.IdentityModel.Tokens.SecurityToken" />
</Parameters>
<Docs>
<param name="token">The <see cref="T:System.IdentityModel.Tokens.SecurityToken" /> to be validated.</param>
<summary>Gets a value that indicates whether the specified security token can be validated by this security token authenticator.</summary>
<returns>
<see langword="true" /> when <paramref name="token" /> is a <see cref="T:System.IdentityModel.Tokens.X509SecurityToken" /> security token or a class that derives from <see cref="T:System.IdentityModel.Tokens.X509SecurityToken" />; otherwise, <see langword="false" />.</returns>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.CanValidateTokenCore%2A> method does not authenticate the security token; that is performed by the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method.
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName="MapCertificateToWindowsAccount">
<MemberSignature Language="C#" Value="public bool MapCertificateToWindowsAccount { get; }" />
<MemberSignature Language="ILAsm" Value=".property instance bool MapCertificateToWindowsAccount" />
<MemberSignature Language="DocId" Value="P:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.MapCertificateToWindowsAccount" />
<MemberSignature Language="VB.NET" Value="Public ReadOnly Property MapCertificateToWindowsAccount As Boolean" />
<MemberSignature Language="F#" Value="member this.MapCertificateToWindowsAccount : bool" Usage="System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.MapCertificateToWindowsAccount" />
<MemberSignature Language="C++ CLI" Value="public:
 property bool MapCertificateToWindowsAccount { bool get(); };" />
<MemberType>Property</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<ReturnValue>
<ReturnType>System.Boolean</ReturnType>
</ReturnValue>
<Docs>
<summary>Gets a value that indicates whether to map the X.509 certificate to a Windows account.</summary>
<value>
<see langword="true" /> to map the X.509 certificate to a Windows account; otherwise, <see langword="false" />.</value>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.MapCertificateToWindowsAccount%2A> property can only be set in a constructor.

If transport-level SSL or HTTPS security is being used and mapping is already provided by the underlying security channel or by Internet Information Services (IIS), then that mapping is applied with no chain validation. Otherwise, prior to doing the mapping, the certificate is validated using a certificate chain, and the certificate must chain to an NT_AUTHORITY identity. The chain structure used corresponds to the CERT_CHAIN_POLICY_NT_AUTH as defined in the [CertVerifyCertificateChainPolicy function](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). This behavior only occurs when mapping a certificate to a Windows account.
]]></format>
</remarks>
</Docs>
</Member>
<Member MemberName="ValidateTokenCore">
<MemberSignature Language="C#" Value="protected override System.Collections.ObjectModel.ReadOnlyCollection&lt;System.IdentityModel.Policy.IAuthorizationPolicy&gt; ValidateTokenCore (System.IdentityModel.Tokens.SecurityToken token);" />
<MemberSignature Language="ILAsm" Value=".method familyhidebysig virtual instance class System.Collections.ObjectModel.ReadOnlyCollection`1&lt;class System.IdentityModel.Policy.IAuthorizationPolicy&gt; ValidateTokenCore(class System.IdentityModel.Tokens.SecurityToken token) cil managed" />
<MemberSignature Language="DocId" Value="M:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(System.IdentityModel.Tokens.SecurityToken)" />
<MemberSignature Language="VB.NET" Value="Protected Overrides Function ValidateTokenCore (token As SecurityToken) As ReadOnlyCollection(Of IAuthorizationPolicy)" />
<MemberSignature Language="F#" Value="override this.ValidateTokenCore : System.IdentityModel.Tokens.SecurityToken -> System.Collections.ObjectModel.ReadOnlyCollection&lt;System.IdentityModel.Policy.IAuthorizationPolicy&gt;" Usage="x509SecurityTokenAuthenticator.ValidateTokenCore token" />
<MemberSignature Language="C++ CLI" Value="protected:
 override System::Collections::ObjectModel::ReadOnlyCollection&lt;System::IdentityModel::Policy::IAuthorizationPolicy ^&gt; ^ ValidateTokenCore(System::IdentityModel::Tokens::SecurityToken ^ token);" />
<MemberType>Method</MemberType>
<AssemblyInfo>
<AssemblyName>System.IdentityModel</AssemblyName>
<AssemblyVersion>3.0.0.0</AssemblyVersion>
<AssemblyVersion>4.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.ServiceModel.Primitives</AssemblyName>
<AssemblyVersion>8.0.0.0</AssemblyVersion>
</AssemblyInfo>
<AssemblyInfo>
<AssemblyName>System.Private.ServiceModel</AssemblyName>
<AssemblyVersion>4.10.3.0</AssemblyVersion>
</AssemblyInfo>
<ReturnValue>
<ReturnType>System.Collections.ObjectModel.ReadOnlyCollection&lt;System.IdentityModel.Policy.IAuthorizationPolicy&gt;</ReturnType>
</ReturnValue>
<Parameters>
<Parameter Name="token" Type="System.IdentityModel.Tokens.SecurityToken" />
</Parameters>
<Docs>
<param name="token">The <see cref="T:System.IdentityModel.Tokens.SecurityToken" /> to be validated.</param>
<summary>Authenticates the specified security token and returns the set of authorization policies for the security token.</summary>
<returns>A <see cref="T:System.Collections.ObjectModel.ReadOnlyCollection`1" /> of type <see cref="T:System.IdentityModel.Policy.IAuthorizationPolicy" /> that contains the set of authorization policies in effect for this application.</returns>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
When the <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method is overridden, follow these guidelines:

- When the security token passed into the `token` parameter cannot be validated, throw the <xref:System.IdentityModel.Tokens.SecurityTokenValidationException> exception.
- When there are no authorization policies in effect for this application, return an empty <xref:System.Collections.ObjectModel.ReadOnlyCollection%601> of type <xref:System.IdentityModel.Policy.IAuthorizationPolicy>.

When this method returns `null`, Windows Communication Foundation throws a <xref:System.IdentityModel.Tokens.SecurityTokenValidationException> exception.

The <xref:System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore%2A> method authenticates the `token` parameter by calling the <xref:System.IdentityModel.Selectors.X509CertificateValidator.Validate%28System.Security.Cryptography.X509Certificates.X509Certificate2%29> method of the validator specified in the constructor.
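
The following example is added here and is not part of the original reference or the .NET source. It passes a custom validator to the constructor and authenticates tokens through the public `ValidateToken` method of the base class, which calls `ValidateTokenCore`. `PinnedCertificateValidator`, `Demo`, and the certificate subjects are hypothetical names, the two certificates are constructed sample input, and `CertificateRequest` is assumed to be available (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical validator: accepts only certificates whose SHA-256 fingerprint is
// on an explicit allow list and whose validity period covers the current time.
public sealed class PinnedCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowed;

    public PinnedCertificateValidator(IEnumerable<string> sha256Fingerprints)
    {
        _allowed = new HashSet<string>(sha256Fingerprints, StringComparer.OrdinalIgnoreCase);
    }

    // Hex-encoded SHA-256 over the DER encoding of the certificate.
    public static string Fingerprint(X509Certificate2 certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(certificate.RawData)).Replace("-", "");
        }
    }

    // Called by X509SecurityTokenAuthenticator.ValidateTokenCore for every token.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        DateTime now = DateTime.Now; // NotBefore and NotAfter are expressed in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Certificate is outside its validity period.");

        if (!_allowed.Contains(Fingerprint(certificate)))
            throw new SecurityTokenValidationException("Certificate is not on the allow list.");
    }
}

public static class Demo
{
    // Constructed sample input: a throwaway self-signed certificate, returned
    // without its private key, as a service would see a peer's certificate.
    private static X509Certificate2 CreateSampleCertificate(string subject)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 selfSigned = request.CreateSelfSigned(
                DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1)))
            {
                return new X509Certificate2(selfSigned.Export(X509ContentType.Cert));
            }
        }
    }

    public static void Main()
    {
        using (X509Certificate2 pinned = CreateSampleCertificate("CN=pinned-client.example"))
        using (X509Certificate2 unknown = CreateSampleCertificate("CN=unknown-client.example"))
        {
            var validator = new PinnedCertificateValidator(
                new[] { PinnedCertificateValidator.Fingerprint(pinned) });
            var authenticator = new X509SecurityTokenAuthenticator(validator);

            // Accepted: Validate returns normally and authorization policies come back.
            var policies = authenticator.ValidateToken(new X509SecurityToken(pinned));
            Console.WriteLine("pinned certificate: {0} authorization policy object(s)", policies.Count);

            // Rejected: the exception thrown by Validate surfaces from ValidateToken.
            try
            {
                authenticator.ValidateToken(new X509SecurityToken(unknown));
            }
            catch (SecurityTokenValidationException ex)
            {
                Console.WriteLine("unknown certificate rejected: " + ex.Message);
            }
        }
    }
}
```

Because this validator replaces the pre-defined models, it performs no chain building or revocation checking; combine it with chain validation when the allow list alone is not the intended trust decision.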
]]></format>
</remarks>
</Docs>
</Member>
</Members>
</Type>