The WSFed authentication process requires that the thumbprint of the signing certificate of the wresult XML parameter in the callback HTTP request is configured and stored in advance. There is no way to opt out of certificate validation.
In our case, the signing authority replaces their certificate every once in a while. The lifetime of a cert seems to be on the order of 3 years. When the cert is replaced, the auth in our system breaks. There is an organizational boundary between us, the consumers, and the auth provider, so making them coordinate their certificate rotation with us is next to impossible.
The thumbprint check should be optional.
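The failure mode described in this issue (a statically configured thumbprint going stale when the identity provider rotates its signing certificate) is usually handled by sourcing the accepted thumbprints from the provider's federation metadata rather than from a hand-copied value, and refreshing that metadata when a token arrives signed by an unknown key, with a rate limit so an attacker cannot force a fetch per request. The following is an added example written for this page; it is not code from the project this issue was filed against and uses no library API from it. The metadata document is constructed inline, the `fetch_metadata` callable stands in for an HTTPS GET of the provider's FederationMetadata.xml, and the certificate bytes are placeholders rather than real DER encodings (a thumbprint is just SHA-1 over the DER bytes, so the mechanics are identical).

```python
import base64
import hashlib
import time
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # metadata namespace used by WS-Federation documents
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for DER-encoded signing certificates.
OLD_CERT_DER = b"constructed-old-signing-cert-der"
NEW_CERT_DER = b"constructed-new-signing-cert-der"


def thumbprint(der: bytes) -> str:
    """Certificate thumbprint as commonly displayed: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def metadata_xml(*ders: bytes) -> str:
    """Build a minimal metadata document advertising the given certs as signing keys (constructed)."""
    descriptors = "".join(
        f'<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DSIG}"><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for der in ders
    )
    return (f'<EntityDescriptor xmlns="{MD}" entityID="https://idp.example/placeholder">'
            f"<IDPSSODescriptor>{descriptors}</IDPSSODescriptor></EntityDescriptor>")


def signing_thumbprints(metadata: str) -> set:
    """Extract thumbprints of every certificate published for signing (use="signing" or unspecified)."""
    root = ET.fromstring(metadata)
    found = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys must never be accepted as token signers
        for cert in kd.iter(f"{{{DSIG}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(thumbprint(der))
    return found


class SigningKeyStore:
    """Accepted thumbprints, refreshed from metadata on demand but at most once per window."""

    def __init__(self, fetch_metadata, min_refresh_seconds=300, clock=time.monotonic):
        self._fetch = fetch_metadata          # hypothetical: returns the metadata XML as a string
        self._min_refresh = min_refresh_seconds
        self._clock = clock
        self._thumbprints = set()
        self._last_refresh = None
        self.refresh_count = 0
        self.refresh()

    def refresh(self) -> None:
        self._thumbprints = signing_thumbprints(self._fetch())
        self._last_refresh = self._clock()
        self.refresh_count += 1

    def is_trusted(self, signer_der: bytes) -> bool:
        tp = thumbprint(signer_der)
        if tp in self._thumbprints:
            return True
        # Unknown signer: it may be a freshly rotated key, so re-read metadata, but bound the
        # fetch rate so forged tokens cannot turn the verifier into a metadata-request amplifier.
        if self._clock() - self._last_refresh >= self._min_refresh:
            self.refresh()
            return tp in self._thumbprints
        return False


def rotation_scenario():
    """Walk through a rotation: the provider swaps OLD for NEW; the verifier catches up next window."""
    published = [OLD_CERT_DER]
    now = [0.0]
    store = SigningKeyStore(lambda: metadata_xml(*published), 300, clock=lambda: now[0])
    r1 = store.is_trusted(OLD_CERT_DER)      # True: configured from metadata at start-up
    r2 = store.is_trusted(NEW_CERT_DER)      # False: not published yet
    published[:] = [NEW_CERT_DER]            # provider rotates without telling us
    now[0] = 100.0
    r3 = store.is_trusted(NEW_CERT_DER)      # False: still inside the refresh window
    now[0] = 400.0
    r4 = store.is_trusted(NEW_CERT_DER)      # True: refresh picked up the new key
    r5 = store.is_trusted(OLD_CERT_DER)      # False: retired key is no longer accepted
    r6 = store.is_trusted(b"attacker-cert")  # False: unknown key stays untrusted
    return (r1, r2, r3, r4, r5, r6), store.refresh_count


if __name__ == "__main__":
    print(rotation_scenario())
```

Two things matter for this to stay safe. The metadata must be fetched over TLS from a pinned, configured URL and its own signature verified where the provider signs it; otherwise the trust decision moves to whoever can answer that request. And the store should trust exactly what the metadata currently publishes (providers normally list both old and new certificates during the overlap period), so the verifier never has to be told about a rotation and a retired key drops out automatically.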