Poor Microsoft OWIN ws-federation security model


if you do give a metadata address, it doesn’t bother confirming whether the certificate used to sign the metadata is valid (ever).

Seems poorly thought out – since lots of folks are NOT going to know to write their own validator.


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in owin. Bookmark the permalink.