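/// <summary>
/// "When validating a signed response message, the sender Access Point SHOULD check
/// that the certificate in the response matches the metadata received from the Service
/// Metadata Publisher. This is done by comparing the subject common name in the
/// certificate to the value stated in the metadata. This check ensures that only the
/// legitimate Access Point stated in the service metadata will be able to produce
/// correct responses."
///
/// This implementation is stricter than the quoted text: instead of comparing the
/// subject common name it requires the response certificate to be byte-for-byte the
/// certificate published in the SMP metadata (<see cref="ExpectedCertificate"/>).
/// Consequently a certificate rotation at the responding Access Point is only accepted
/// once the SMP metadata has been refreshed.
/// <see cref="X509Certificate.Equals(X509Certificate)"/> is deliberately not used,
/// because it only compares issuer and serial number, not the whole certificate.
/// This step does not check the chain, validity period or revocation status of the
/// certificate — NOTE(review): that is assumed to be covered by the other steps of
/// this validator, confirm.
/// </summary>
/// <param name="certificate">The certificate found in the signed response.</param>
/// <exception cref="SecurityTokenValidationException">
/// Thrown when an expected certificate is configured and <paramref name="certificate"/>
/// is missing or differs from it.
/// </exception>
private void ValidateAgainstExpectedCertificate(X509Certificate2 certificate)
{
    // The same validator might also be used for communication with a START client. In
    // that case no certificate from SMP metadata is configured and this step is skipped.
    if (ExpectedCertificate is null)
    {
        return;
    }

    // Without a certificate there is nothing to compare; fail closed with the same
    // exception type callers already handle for a mismatch.
    if (certificate is null)
    {
        throw new SecurityTokenValidationException("Validation failed. No certificate found in the response to compare with the metadata from the SMP.");
    }

    // Compare the DER encoding of both certificates. X509Certificate.Equals would treat
    // two certificates with the same issuer and serial number as equal regardless of
    // their public key or signature, which is weaker than what this check is meant to be.
    if (!ExpectedCertificate.RawData.AsSpan().SequenceEqual(certificate.RawData))
    {
        throw new SecurityTokenValidationException("Validation failed. Certificate in the response does not match the metadata from the SMP.");
    }
}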