Hello, I'm repeating here a question I sent via email a few days ago when I didn't have access to my account (the forgot password emails were quarantined by Google's spam filter). One of our developers in our team is responsible of coding the SAML integration with your component. Here's his question. I would like to have an answer before making the decision to renew the license. Thanks:
We are having some issues getting to a confident place with our SAML validation.
Right now we are calling Validate() (https://doc.componentpro.com/ComponentPro-Saml/ComponentPro-Saml-SignableSamlObject-Validate()). We have found through our tests that sometimes when we make some minor changes to the certificate and the thumbprint is changed that Validate() still passes.
I have attached an example of what we are doing in code.
Our questions are:
What exactly is Validate() doing?
With just using Validate(), can we trust this to make sure the incoming request has been signed by the correct certificate? Is there more we should be doing?
In our example we have been playing with as checking the thumbprint but we are finding it a bit difficult to parse it out. If you agree it makes sense we should be checking the thumbprint, is there a better way of doing this?