        /// <summary>
        /// Checks that the certificate presented in a signed response is the one announced in the
        /// service metadata. Quoted from the profile: "When validating a signed response message,
        /// the sender Access Point SHOULD check that the certificate in the response matches the
        /// metadata received from the Service Metadata Publisher. This is done by comparing the
        /// subject common name in the certificate to the value stated in the metadata. This check
        /// ensures that only the legitimate Access Point stated in the service metadata will be
        /// able to produce correct responses."
        /// </summary>
        /// <param name="certificate">The certificate found in the response.</param>
        /// <exception cref="SecurityTokenValidationException">
        /// Thrown when an expected certificate is configured and <paramref name="certificate"/>
        /// does not equal it.
        /// </exception>
        private void ValidateAgainstExpectedCertificate(X509Certificate2 certificate)
        {
            // With no expected certificate configured (the validator is serving a START client,
            // where no SMP metadata is available) there is nothing to compare against, so the
            // step is skipped rather than failed.
            var expected = ExpectedCertificate;
            if (expected is null)
            {
                return;
            }

            // The framework's X509Certificate.Equals overload compares issuer name and serial
            // number, i.e. the identity of the whole certificate. That is stricter than the
            // subject-CN comparison the quoted text describes, which would accept any
            // certificate carrying that common name; keep the stricter form.
            var matchesExpected = expected.Equals(certificate);
            if (matchesExpected)
            {
                return;
            }

            throw new SecurityTokenValidationException("Validation failed. Certificate in the response does not match the metadata from the SMP.");
        }