IdentityServer: Using WS-Federation with JWT Tokens (and symmetric Signatures)

In this post I described how to use IdentityServer to do WS-Federation with JWT tokens. In that post I used the default IdSrv signing certificate to sign the outgoing JWT tokens.

There are scenarios where you don’t have certificates and want to use shared-secret-based signatures instead. This can be done with the following steps (be sure to read my other post first).

1 Set a symmetric signature for the RP in IdSrv


2 Add an issuer token resolver to the RP
The RP must somehow be able to retrieve the signing key – for that we need an issuer token resolver. Here you map the signing key to the issuer name. The IdSrv issuer name can be found under Site ID in general config.

<issuerTokenResolver type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver, …">
  <securityKey symmetricKey="DiZsT…o="
               name="" />
</issuerTokenResolver>



3 Add an entry to the issuer name registry
The last step is to map the signing key to the local issuer name. The new ValidatingIssuerNameRegistry lets you map both thumbprints (for certificate-based signatures) and symmetric keys:

<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, … ">
  <authority name="">
    <keys>
      <add thumbprint="967…e34" />
      <add symmetricKey="Di…no=" />
    </keys>
    <validIssuers><add name="" /></validIssuers>
  </authority>
</issuerNameRegistry>


The full sample can be found here.
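
What steps 2 and 3 configure, sketched in Python as an added example (not code from this post, IdentityServer or WIF): the RP resolves the HMAC key from the token's issuer name, verifies the signature, then checks the issuer and audience. The issuer name, audience and key are constructed sample values, and `sign`, `validate` and the two lookup tables are hypothetical names.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from the post).
ISSUER = "http://idsrv.example/trust"   # IdSrv issuer name (Site ID)
KEY = hashlib.sha256(b"constructed demo key").digest()  # stands in for symmetricKey
NAMED_KEYS = {ISSUER: KEY}        # step 2: issuer name -> signing key
VALID_ISSUERS = {KEY: {ISSUER}}   # step 3: trusted key -> accepted issuer names

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, key):
    """Build an HS256 JWT (stands in for IdSrv issuing the token)."""
    head = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def validate(token, audience):
    """Return the claims, or raise ValueError naming the failed check."""
    # Lifetime checks (exp/nbf) are not part of this example.
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64url(head)), json.loads(unb64url(body))
        mac = unb64url(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":   # pin the algorithm; reject "none" etc.
        raise ValueError("unexpected algorithm")
    iss = claims.get("iss")
    key = NAMED_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("no key for issuer")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        raise ValueError("signature validation failed")
    if iss not in VALID_ISSUERS.get(key, ()):
        raise ValueError("issuer not trusted")
    if claims.get("aud") != audience:
        raise ValueError("audience validation failed")
    return claims
```

Because one key both signs and verifies, every party that holds it can mint tokens for that issuer, so give each RP its own key.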


7 Responses to IdentityServer: Using WS-Federation with JWT Tokens (and symmetric Signatures)

  1. Chris says:

    Will this work with a WCF RP?

  2. Luka says:

    Awesome work.
    Was just gonna cry about not being able to get token encryption working with this passive redirect… but I found the problem and it works now.
    So I guess instead of asking all I can say is AWESOME WORK again :)

  3. Pavel Ivlev says:

    Getting the following exception when I tried to run the `MVC and Web API (JWT)` sample:
    Jwt10332: Audience validation failed. jwt.Audience
