
We are using an STS token for claims-based identity. I found that the following method validates the token from the STS and generates claims: FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token)

1. Does this method validate the token against the schema provided by OASIS?
2. If so, how does it know which schema it has to validate against? Because there are multiple schemas (like 1.1, 1.2).

Or am I asking the wrong question? Do we not need to validate the token against the schema?

Thanks in advance

1 Answer


You should assume that, if the token is XML, the TokenHandler will validate the XML. It has to do that anyway to avoid signature insertion attacks. If you are in doubt because you have proof that it actually allows invalid XML through, then you should report a bug.

The first element of the assertion has an attribute that indicates the version of the protocol/XML schema.

paullem
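To make the answer's last point concrete, here is an added Python example that is not code from the question, the answer, or WIF itself. It inspects the root element of a SAML assertion the way a token handler has to before it can know which OASIS schema applies: a SAML 1.1 assertion lives in the urn:oasis:names:tc:SAML:1.0:assertion namespace and carries MajorVersion/MinorVersion attributes, while a SAML 2.0 assertion lives in urn:oasis:names:tc:SAML:2.0:assertion and carries a single Version attribute. The two sample tokens are constructed (no signature, placeholder issuer URL) and the DOCTYPE rejection is an assumption about what a careful handler should do, not a description of WIF's implementation.

```python
import xml.etree.ElementTree as ET

# Namespaces of the two OASIS SAML assertion schemas (from the SAML 1.1 and 2.0 specs).
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample tokens, not real STS output. The issuer URL is a placeholder.
SAML11_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML11_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1"
    Issuer="https://sts.example.test" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z"/>
</saml:Assertion>"""

SAML2_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML2_NS}"
    Version="2.0" ID="_a2" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z"/>
</saml:Assertion>"""


def detect_saml_version(token_xml: str) -> str:
    """Return "1.1" or "2.0" from the root element's namespace and version attributes.

    Raises ValueError for anything that is not a well-formed assertion of a known
    version, which is the point at which a handler would refuse the token instead of
    guessing a schema.
    """
    # A security token never needs a DTD; refusing one up front blocks entity tricks
    # before any XML parsing happens (assumed policy, not WIF behaviour).
    if "<!DOCTYPE" in token_xml:
        raise ValueError("DTD not allowed in a security token")

    # Malformed XML raises ET.ParseError here; that is a rejection, not a fallback.
    root = ET.fromstring(token_xml)

    if root.tag == f"{{{SAML11_NS}}}Assertion":
        major, minor = root.get("MajorVersion"), root.get("MinorVersion")
        if (major, minor) != ("1", "1"):
            raise ValueError(f"unsupported SAML 1.x version {major}.{minor}")
        return "1.1"

    if root.tag == f"{{{SAML2_NS}}}Assertion":
        version = root.get("Version")
        if version != "2.0":
            raise ValueError(f"unsupported SAML 2 version {version}")
        return "2.0"

    raise ValueError(f"unrecognised token root element {root.tag}")


def is_rejected(token_xml: str) -> bool:
    """True if the token is refused (unknown version, namespace mismatch, bad XML)."""
    try:
        detect_saml_version(token_xml)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    print(detect_saml_version(SAML11_TOKEN))  # 1.1
    print(detect_saml_version(SAML2_TOKEN))   # 2.0
    # Namespace and version attribute must agree; a 2.0 element claiming 1.1 is refused.
    print(is_rejected(SAML2_TOKEN.replace('Version="2.0"', 'Version="1.1"')))  # True
```

The check is deliberately strict in both directions: the namespace and the version attribute must agree, and a token whose root element is not an assertion is refused rather than routed to a default handler. That mirrors what the answer says a handler must do, since a handler that picked a schema by guessing could be made to validate an attacker's element against the wrong rules. In WIF the equivalent selection happens inside the SecurityTokenHandlerCollection, which hands a SAML 1.x assertion to its SAML 1.1 handler and a 2.0 assertion to its SAML 2.0 handler based on the same root element.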