
I have successfully integrated ADFS as an external identity provider for Identity Server.

Now I want to make sure that the response I have is really from my ADFS, so I can prevent someone intercepting the request and sending back a "success" response for an invalid user. My understanding is that Identity Server only makes sure the response is valid, but cannot check that it's from the right server.

What event would I use to check that the response is really valid? My guess is that I have to handle some event and check that the certificate is the one I have set up in ADFS.

Cœur
Albert
  • Found this https://stackoverflow.com/questions/33236812/how-can-i-validate-this-adfs-token which mentions handling the IssuerSigningKeyResolver event. Is that the right approach? – Albert Jun 22 '17 at 13:35
  • I think that sounds right, I've played with IssuerSigningKeyResolver but could never get it quite right. Keep in mind that the signing cert from ADFS is on its metadata endpoint that you are already using to define the WS-Fed external IdP. I was hoping that that would make it easier, but I can't seem to find anything that points this way, so installing the ADFS .cer locally is probably the easiest. – stombeur Jun 27 '17 at 12:28
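
The approach the comments point at, pinning the ADFS token-signing certificate through IssuerSigningKeyResolver, written out as an added example. This is not code from the question or from IdentityServer; it assumes an ASP.NET Core host using the Microsoft.AspNetCore.Authentication.WsFederation package, and the issuer URI, realm, metadata URL, certificate store, thumbprint and the "adfs" scheme name are placeholders to replace with your own values.

```csharp
// Added example, not from the original post or from IdentityServer.
// Pins the ADFS token-signing certificate and issuer so that a WS-Federation
// response signed by any other key (or naming any other issuer) is rejected,
// regardless of what the federation metadata document advertises.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AdfsAuthenticationExtensions
{
    // Placeholder values (assumptions for the example): the ADFS issuer URI as it
    // appears in the federation metadata, the realm registered in ADFS for this
    // Identity Server, its metadata URL, and the thumbprint of the ADFS
    // token-signing certificate that was exported and installed locally.
    private const string AdfsIssuer = "http://adfs.example.com/adfs/services/trust";
    private const string AdfsMetadataUrl =
        "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";
    private const string Realm = "https://identityserver.example.com/";
    private const string AdfsSigningCertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    public static AuthenticationBuilder AddPinnedAdfs(this AuthenticationBuilder builder)
    {
        // Load once at startup; failing fast here is preferable to silently
        // falling back to whatever key the metadata endpoint returns.
        X509Certificate2 signingCert = LoadInstalledCert(AdfsSigningCertThumbprint);

        return builder.AddWsFederation("adfs", options =>
        {
            options.Wtrealm = Realm;
            options.MetadataAddress = AdfsMetadataUrl;   // still needed for endpoint discovery

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = AdfsIssuer,
                ValidateAudience = true,
                ValidAudience = Realm,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,

                // When a resolver is set, the token handler takes its signing keys
                // from the resolver alone, so keys merged in from the metadata
                // document are not consulted. Only the pinned certificate is trusted.
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                    new SecurityKey[] { new X509SecurityKey(signingCert) }
            };
        });
    }

    // Reads the exported ADFS token-signing certificate from the local machine
    // store. StoreName.TrustedPeople is an assumption; use whichever store the
    // .cer was imported into. validOnly is false because ADFS signing certs are
    // commonly self-signed and would otherwise be filtered out.
    private static X509Certificate2 LoadInstalledCert(string thumbprint)
    {
        using (var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (found.Count == 0)
                throw new InvalidOperationException(
                    "ADFS token-signing certificate with thumbprint " + thumbprint + " is not installed.");

            return found[0];
        }
    }
}

// Usage in Startup.ConfigureServices (example):
//   services.AddAuthentication().AddPinnedAdfs();
```

Two caveats a practitioner would want here. First, the pin has to be rotated when ADFS rolls its token-signing certificate (ADFS auto-certificate rollover does this on a schedule), so the startup failure on a missing thumbprint is deliberate: it turns a silent trust change into a visible outage. Second, keep ValidIssuer set as well; signature pinning proves who signed the token, while issuer and audience validation prove it was minted by the expected ADFS for this relying party and not replayed from another one.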

0 Answers