
honor Saml2ProtocolSerializer(null) ctor or option to avoid automatic SignatureValidation by Calvin Charles

Active

Type: Bug
ID: 690798
Opened: 9/26/2011 12:05:28 AM
Access Restriction: Public
Workaround(s): 0
User(s) can reproduce this bug: 0
Even after passing the signatureTokenResolver as null (to indicate signatures should not be validated), serializer.ReadMessage(XmlReader) still throws SignatureVerificationFailedException. It seems that Saml2SecurityTokenHandler.ReadAssertion calls reader3.TryReadSignature(), which causes an EnvelopedSignatureReader.ResolveSigningCredentials() call in EnvelopedSignatureReader.OnEndOfRootElement().

Describe the problem that you're having.

Need to deserialize the Saml2Message even if the signature is not valid, for auditing purposes; throwing an exception on deserialize does not let deserialization complete.

What type of impact does this issue have?

Functionality