Add TokenValidationParametersCreated notification

Sustainsys.Saml2/Configuration/Saml2Notifications.cs

@@ -1,8 +1,10 @@
-using Sustainsys.Saml2.Metadata;
+using Microsoft.IdentityModel.Tokens;
+using Sustainsys.Saml2.Metadata;
 using Sustainsys.Saml2.Saml2P;
 using Sustainsys.Saml2.WebSso;
 using System;
 using System.Collections.Generic;
+using System.Xml;
 
 namespace Sustainsys.Saml2.Configuration
 {
@@ -150,5 +152,23 @@ public class Saml2Notifications
         /// </summary>
         public Func<EntityId, IDictionary<string, string>, IOptions, IdentityProvider> GetIdentityProvider { get; set; }
             = (ei, rd, opt) => opt.IdentityProviders[ei];
+
+        /// <summary>
+        /// Callbacks that allow modifying the validation behavior in potentially unsafe/insecure ways
+        /// </summary>
+        public UnsafeNotifications Unsafe { get; } = new UnsafeNotifications();
+
+        /// <summary>
+        /// Callbacks that allow modification of validation behavior in potentially unsafe/insecure ways
+        /// </summary>
+        public class UnsafeNotifications
+        {
+            /// <summary>
+            /// Notification called when the token handler has populated the
+            /// <see cref="TokenValidationParameters"/>. Modify it's properties to customize
+            /// the generated validation parameters.
+            /// </summary>
+            public Action<TokenValidationParameters, IdentityProvider, XmlElement> TokenValidationParametersCreated { get; set; } = (tvp, idp, xmlElement) => { };
+        }
     }
 }

Sustainsys.Saml2/SAML2P/Saml2Response.cs

@@ -569,6 +569,8 @@ private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options, IdentityProvi
 			validationParameters.ValidateIssuer = false;
             validationParameters.ValidAudience = options.SPOptions.EntityId.Id;
 
+            options.Notifications.Unsafe.TokenValidationParametersCreated(validationParameters, idp, XmlElement);
+
 			var handler = options.SPOptions.Saml2PSecurityTokenHandler;
 
 			foreach (XmlElement assertionNode in GetAllAssertionElementNodes(options))

Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs

@@ -1495,15 +1495,13 @@ public void Saml2Response_GetClaims_ThrowsOnWrongAudience()
             var subject = Saml2Response.Read(response);
 
             var options = StubFactory.CreateOptions();
-            //options.SPOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction.AudienceMode
-            //    = AudienceUriMode.Always;
 
             subject.Invoking(s => s.GetClaims(options))
                 .Should().Throw<SecurityTokenInvalidAudienceException>();
 		}
 
 		[TestMethod]
-        public void Saml2Response_GetClaims_IgnoresAudienceIfConfiguredWithNever()
+        public void Saml2Response_GetClaims_IgnoresAudienceUsingTVPNotificationFlag()
         {
             var response =
             @"<?xml version=""1.0"" encoding=""UTF-8""?>
@@ -1535,10 +1533,13 @@ public void Saml2Response_GetClaims_IgnoresAudienceIfConfiguredWithNever()
             var subject = Saml2Response.Read(response);
 
             var options = StubFactory.CreateOptions();
-            //options.SPOptions.SystemIdentityModelIdentityConfiguration
-            //    .AudienceRestriction.AudienceMode = AudienceUriMode.Never;
+            options.Notifications.Unsafe.TokenValidationParametersCreated = (tvp, idp, xml) =>
+            {
+                tvp.ValidateAudience = false;
 
-            Assert.Inconclusive();
+                idp.EntityId.Id.Should().Be("https://idp.example.com");
+                xml.OuterXml.Should().Contain("https://example.com/wrong/audience");
+            };
 
             subject.Invoking(s => s.GetClaims(options)).Should().NotThrow();
         }