In this post I described how to use IdentityServer to do WS-Federation with JWT tokens. In that post I used the default IdSrv signing certificate to sign the outgoing JWT tokens.

There are scenarios where you don’t have certificates but want to use shared secret based signatures instead. This can be done with the following steps (be sure to read my other post first).

1 Set a symmetric signature for the RP in IdSrv

2 Add a issuer token resolver to the RP
The RP must somehow be able to retrieve the signing key – for that we need an issuer token resolver. Here you map the signing key to the issuer name. The IdSrv issuer name can be found under Site ID in general config.

<issuerTokenResolver 
    type=“System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver, … “>

  <securityKey symmetricKey=“DiZsT…o=“

               name=“http://identityserver.v2.thinktecture.com/samples“ />

</issuerTokenResolver>

3 Add an entry to the issuer name registry
The last step is to map the signing key to the local issuer name. The new ValidatingIssuerNameRegistry allows to map both thumbprints (for certificate based signatures) and symmetric keys:

<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, … ">

  <authority name="http://identityserver.v2.thinktecture.com/samples">

    <keys>

      <add thumbprint="967…e34" />

      <add symmetricKey="Di…no=" />

    </keys>

    <validIssuers>

      <add name="http://identityserver.v2.thinktecture.com/samples" />

    </validIssuers>

  </authority>

</issuerNameRegistry>

The full sample can be found here.