How to disable Subject Key Identifier in SecurityTokenResolver

  • Monday, August 06, 2012 10:22 AM

    I am processing a SAML2 token in WIF which contains an EncryptedAssertion. The mark-up does NOT contain a "Subject Identifier Key" Extension property and as such WIF SecurityTokenHandler fails as it tries to get the correct X509 certificate from the LocalMachineStore/Personal.

    The issue is clearly that the certificate used to encrypt the token does not contain the SKI Extension, and of course the token generation code (Java) does not seem to require it.

    The solution to this is found in Mieszko Matkowski's answer here (SignatureVerificationFailedException (ID4037) while reading a SAML2 token using Saml2SecurityTokenHandler), but to avoid having to create a custom SecurityTokenResolver, and also to avoid having to modify the generation code, is there a way I can get the WIF SecurityTokenResolver to NOT check the received token for the SKI but simply use the local store certificate directly to decrypt the token?

All Replies

  • Wednesday, August 15, 2012 4:04 PM (Answered)

    You definitely need a custom key resolver for custom key resolution ;) Just write one that does exactly what you need.

    Dominick Baier | thinktecture | @leastprivilege | http://www.leastprivilege.com

    • Marked As Answer by jbfurlong Wednesday, August 15, 2012 6:09 PM
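A minimal custom resolver of the kind the answer describes, written here as an added example (not code from the thread, from WIF or from thinktecture): it hands WIF the key of one certificate picked from LocalMachine\Personal by thumbprint, regardless of which key identifier clause the token carries, so the missing SKI no longer matters. The class and method names are assumptions of this example; the base class and token types are the ones WIF exposes from System.IdentityModel.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical resolver (added example, not from the thread): hands WIF the key of one
// pre-selected decryption certificate no matter which key identifier clause
// (SKI or issuer/serial) the EncryptedKey element carries.
public sealed class FixedCertificateTokenResolver : SecurityTokenResolver
{
    private readonly X509SecurityToken _token;

    public FixedCertificateTokenResolver(X509Certificate2 decryptionCert)
    {
        if (decryptionCert == null) throw new ArgumentNullException("decryptionCert");
        if (!decryptionCert.HasPrivateKey)
            throw new ArgumentException("Decryption certificate needs a private key.", "decryptionCert");
        _token = new X509SecurityToken(decryptionCert);
    }

    // Looks the certificate up by thumbprint in LocalMachine\Personal, the store the question names.
    public static X509Certificate2 LoadFromLocalMachine(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so a self-signed decryption certificate is still found
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("No certificate with thumbprint " + thumbprint);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Called while the EncryptedKey is decrypted; the clause is deliberately ignored.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = _token.SecurityKeys[0];
        return true;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    { token = _token; return true; }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier identifier, out SecurityToken token)
    { token = _token; return true; }
}
```

Assign an instance to the handler collection's Configuration.ServiceTokenResolver, so it is consulted only for the EncryptedKey while issuer signing-key resolution stays with the IssuerTokenResolver. Because the clause is ignored, a token encrypted for a different certificate simply fails to decrypt rather than being matched to some other key.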