Use of ADFS certificate in WIF WSTrustChannelFactory


Can anyone explain the purpose of attaching a "scoped certificate" to the ServiceCertificate collection of a WSTrustChannelFactory when talking to ADFS? I've found the code below in an old inherited project, the idea seems to be to use the token signing certificate but it seems to work with any certificate. Will this certificate ever be used?

// WIF/WCF channel factory for the ADFS STS (binding and address are built earlier)
var wsTrustChannelFactory = new WSTrustChannelFactory(stsBinding, stsAddress);
...
// Register the ADFS certificate for this one endpoint URI only
wsTrustChannelFactory.Credentials.ServiceCertificate.ScopedCertificates.Add(
    stsAddress.Uri,
    stsEncryptionCert);

The uri is http://myadfs/adfs/services/trust/13/windows.


Ding Peng:

ScopedCertificates represents a collection of X.509 certificates provided by specific services (scoped) for authentication. This collection is typically used to specify the service certificates for Security Token Services in a federated scenario. This collection enables the client to configure the service certificates to use based on the URL of the service it communicates with. This is especially useful in issued token scenarios where a client can be communicating to multiple services (the end service as well as intermediary security token services). For bindings that use certificate-based message security, this certificate is used to encrypt messages to the service, and is expected to be used by the service for signing replies to the client. If a binding requires a certificate for the service and no specific certificate for the service URL is found in the ScopedCertificates, the default certificate is used.
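An added example (not code from the question's project or from WIF itself) that wires up the factory as the question does, checks that the certificate being scoped to the STS endpoint really is the expected ADFS certificate, and mirrors the lookup order described above (scoped entry for the exact URI first, then DefaultCertificate). The thumbprint constant, the certificate file name and the second endpoint URI are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

static class StsCertificateDemo
{
    // Placeholder: the thumbprint of the ADFS encryption certificate as published
    // in the federation metadata of the STS you actually talk to.
    const string ExpectedStsThumbprint = "<ADFS-ENCRYPTION-CERT-THUMBPRINT>";

    // Demo helper that mirrors the documented selection rule; it is not the
    // framework's own lookup. A certificate scoped to the exact endpoint URI wins,
    // otherwise DefaultCertificate (which may be null) applies.
    public static X509Certificate2 ResolveServiceCertificate(ClientCredentials creds, Uri endpoint)
    {
        X509CertificateRecipientClientCredential svc = creds.ServiceCertificate;
        X509Certificate2 scoped;
        return svc.ScopedCertificates.TryGetValue(endpoint, out scoped) ? scoped : svc.DefaultCertificate;
    }

    public static void Main()
    {
        var stsAddress = new EndpointAddress("http://myadfs/adfs/services/trust/13/windows");
        var stsBinding = new WS2007HttpBinding(SecurityMode.Message);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Placeholder file; in practice load the STS certificate from a store or metadata.
        var stsEncryptionCert = new X509Certificate2("adfs-encryption.cer");

        // The scoped entry only means something if it is really the STS certificate,
        // so fail loudly when an arbitrary certificate has been swapped in.
        if (!string.Equals(stsEncryptionCert.Thumbprint, ExpectedStsThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Not the expected ADFS encryption certificate.");

        var factory = new WSTrustChannelFactory(stsBinding, stsAddress);
        factory.Credentials.ServiceCertificate.ScopedCertificates.Add(stsAddress.Uri, stsEncryptionCert);

        // Exact URI match: the scoped certificate is selected.
        var picked = ResolveServiceCertificate(factory.Credentials, stsAddress.Uri);
        Console.WriteLine(picked == stsEncryptionCert ? "scoped certificate selected" : "default certificate selected");

        // Any other URI (placeholder below) falls back to DefaultCertificate, null here.
        var other = ResolveServiceCertificate(factory.Credentials, new Uri("http://myadfs/adfs/services/trust/13/other"));
        Console.WriteLine(other == null ? "no certificate configured for that endpoint" : other.Subject);
    }
}
```

Whether the selected certificate is actually put on the wire still depends on the binding: only certificate-based message security consumes it, as the answer notes.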