I have a WIF RP, with multiple trusted issuers configured, e.g:

<trustedIssuers>
  <add thumbprint="..." name="Issuer1" />
  <add thumbprint="..." name="Issuer2" />
</trustedIssuers>

I'm trying to get hold of which particular issuer a token came from. I was hoping the IssuerNameRegistry.GetIssuerName(...) would do the trick, but it seems to return null unless the supplied token is a an X509SecurityToken.

In the WSFederationAuthenticationModule's SecurityTokenReceived event I observe the following;

The received SamlSecurityToken exposes a SamlAssertion which has a private field _issuerToken, of type X509SecurityToken.

So, the information is there it seems, I'm just not able to get hold of it.

In short, how do I figure out which trusted issuer issued the token? Any help appreciated.

PS! I'm aware that the token has not yet been validated in the SecurityTokenReceived event. I would preferably get this information after the token has been validated.

If I remember correctly, the ClaimsPrincipal has an Issuer property. That might be easier (look in the Identity property (don't have a machine with me right now and can't verify).

Thanks Eugenio, you pointed me in the right direction. Turns out the issuer is included in the claim, in the Claim.Issuer Property, which makes perfect sense when you think about it — you might have claims from different issuers.

So with the example config:

<trustedIssuers>
  <add thumbprint="..." name="Issuer1" />
  <add thumbprint="..." name="Issuer2" />
</trustedIssuers>

The Claim.Issuer property returns "Issuer1" if the claim came from "Issuer1".

Thanks guys.

Have you looked at the other version with the single parameter (http://msdn.microsoft.com/en-us/library/ee747522.aspx)?

It's an abstract method so you'd need to get the concrete version defined by whatever is in the web.config.