Closed P-39-Airacobra closed 2 years ago
Yes, the way Metadata overwrites configured values is not optimal. This is something that will be addressed in the new configuration model for versions 3.x.

For existing versions 2.x you can use the AuthenticateRequestSigningBehavior flag to control how the SP behaves when WantAuthnRequestsSigned is not present in Metadata.
Symptoms

When the WantAuthnRequestsSigned property of the IdentityProvider class is configured in a configuration file by setting wantAuthnRequestsSigned = "true" and, at the same time, loadMetadata = "true", then the setting is overridden when metadata is loaded. And what's worse, when the WantAuthnRequestsSigned attribute is missing in the metadata, the property is always set to false, regardless of the setting of wantAuthnRequestsSigned in the config file.

Expected behaviour

Expected behaviour should be that setting wantAuthnRequestsSigned in the config file should always take precedence over a value loaded from the metadata.

Suggested fix

In the ReadMetadataIdpDescriptor() method of the IdentityProvider class (file IdentityProvider.cs, line 443), replace:

with:
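The precedence problem described in the issue, shown as an added stand-alone C# example (not the library's own code): it reads the WantAuthnRequestsSigned attribute from a constructed IDPSSODescriptor, then contrasts the reported merge (metadata always wins, absent attribute becomes false) with the expected merge (an explicit config value wins). The names IdpSettingsMerge, MergeAsReported and MergeExpected are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

// Hypothetical stand-in for the metadata merge step; not the library's own code.
static class IdpSettingsMerge
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";

    // Returns the IDPSSODescriptor's WantAuthnRequestsSigned value, or null when
    // the attribute is absent so that "not stated" stays distinguishable from false.
    public static bool? ReadWantAuthnRequestsSigned(string metadataXml)
    {
        var descriptor = XDocument.Parse(metadataXml)
            .Descendants(Md + "IDPSSODescriptor")
            .FirstOrDefault();
        var attr = descriptor?.Attribute("WantAuthnRequestsSigned");
        return attr == null ? (bool?)null : XmlConvert.ToBoolean(attr.Value);
    }

    // Behaviour the issue reports: the configured value is discarded and a
    // missing attribute silently turns request signing off.
    public static bool MergeAsReported(bool? configured, bool? fromMetadata)
        => fromMetadata ?? false;

    // Expected behaviour: an explicit config-file value always takes precedence;
    // metadata only fills the gap when nothing was configured.
    public static bool MergeExpected(bool? configured, bool? fromMetadata)
        => configured ?? fromMetadata ?? false;

    static void Main()
    {
        // Constructed sample metadata whose descriptor omits WantAuthnRequestsSigned.
        const string metadata =
            @"<EntityDescriptor xmlns=""urn:oasis:names:tc:SAML:2.0:metadata"" entityID=""https://idp.example.invalid"">
  <IDPSSODescriptor protocolSupportEnumeration=""urn:oasis:names:tc:SAML:2.0:protocol"" />
</EntityDescriptor>";

        bool? configured = true;  // wantAuthnRequestsSigned="true" in the config file
        bool? fromMetadata = ReadWantAuthnRequestsSigned(metadata);

        Console.WriteLine("merge as reported: " + MergeAsReported(configured, fromMetadata));
        Console.WriteLine("merge as expected: " + MergeExpected(configured, fromMetadata));
    }
}
```

Keeping the configured value nullable is what lets a merge tell "operator explicitly chose" apart from "operator said nothing", which is the distinction the reported code loses.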