Poor Microsoft OWIN ws-federation security model



If you do give a metadata address, it doesn’t bother confirming whether the certificate used to sign the metadata is valid (ever).

Seems poorly thought out – since lots of folks are NOT going to know to write their own validator.
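One shape such a validator could take, as an added example that is not from the original post or from the OWIN code base: it pins the metadata signing certificate to thumbprints obtained out of band, checks its validity period, and optionally builds the chain with revocation checking. The class name, the `requireChain` switch and the thumbprint list are assumptions, and wiring the check into the middleware is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not an OWIN type): decides whether the certificate that
// signed the federation metadata should be trusted.
public sealed class MetadataSigningCertificatePolicy
{
    private readonly HashSet<string> _pins;
    private readonly bool _requireChain;

    // pins: thumbprints received out of band from the identity provider's operator.
    // requireChain: set false for self-signed signing certificates, where the pin is the trust anchor.
    public MetadataSigningCertificatePolicy(IEnumerable<string> pins, bool requireChain)
    {
        _pins = new HashSet<string>(pins.Select(Normalize), StringComparer.OrdinalIgnoreCase);
        _requireChain = requireChain;
    }

    public bool IsTrusted(X509Certificate2 cert, out string reason)
    {
        if (cert == null) { reason = "no signing certificate supplied"; return false; }
        // 1. Pin: reject any certificate we were not told about in advance.
        if (!_pins.Contains(Normalize(cert.Thumbprint)))
        { reason = "thumbprint is not pinned"; return false; }
        // 2. Validity period (NotBefore and NotAfter are reported in local time).
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
        { reason = "certificate is outside its validity period"; return false; }
        if (!_requireChain) { reason = "ok"; return true; }
        // 3. Chain building and revocation against the machine trust store.
        var chain = new X509Chain();
        try
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            bool ok = chain.Build(cert);
            reason = ok ? "ok" : string.Join("; ", chain.ChainStatus.Select(s => s.Status.ToString()));
            return ok;
        }
        finally { chain.Reset(); }
    }

    // Thumbprints are often pasted with spaces or invisible characters; keep hex digits only.
    private static string Normalize(string thumbprint)
    {
        return new string((thumbprint ?? "").Where(Uri.IsHexDigit).ToArray());
    }
}
```

The check only means something once the metadata's XML signature has been verified against the same certificate; a pin on an unverified `KeyInfo` entry proves nothing about who produced the document.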


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!