2

As a Service Provider we are using the package "ITfoxtec Identity Saml2" for handling SAML2.0. We have two integrations using AzureAD as IDP. Both have an issue on handling the LogoutResponse from Azure. This exception happens:

System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=Microsoft Azure Federated SSO Certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Only way of avoiding this issue is to set

Saml2Configuration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;

But as I understand, this will deactivate all certificate validation, also when handling the AuthnRequest.

Any idea of how to circumvent this issue?

Munk
  • 321
  • 2
  • 11

1 Answers1

2

It is probably ok to deactivate the certificate change validation. The validation only checke if the certificate has a chain known for the relying party. Meaning that the root certificate has to be known on the relying party service / server.

Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
  • 1
    So you are saying that even if I set CertificateValidationMode = None, signature will still be validated up against the IDP certificate? CertificateValidationMode only ensures if certificate can be trusted? – Munk Dec 15 '21 at 07:28
  • Yes correct. The ITfoxtec Identity Saml2 component always validate the signature with certificate. – Anders Revsgaard Dec 16 '21 at 09:33