SanValidatingIssuerNameRegistry is an IssuerNameRegistry implementation for Windows Identity Foundation which validates the signing certificate against the issuer name using the subject alternative name of the certificate.
SanValidatingIssuerNameRegistry can be installed on an ASP.NET project utilizing Windows Identity Foundation by installing the nuget package. Alternatively, it can be installed on an already deployed ASP.NET application using Windows Identity Framework by copying the appropriate assembly file to the bin folder.
The simplest way to configure SanValidatingIssuerNameRegistry is by adding it as the the issuerNameRegistry in the web.config file.
<system.identityModel>
<identityConfiguration>
<issuerNameRegistry type="SanValidatingIssuerNameRegistry.SanValidatingIssuerNameRegistry, SanValidatingIssuerNameRegistry">
<add issuerUri="http://sts.corp.example/adfs/services/trust" allowUriValidation="false" allowIpValidation="false" />
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>In addition to validating the issuer name against a DNS subject alternative name, allowUriValidation can be set to true to allow validating against a URI subject alternative name, and allowIpValidation to true to allow validating against an IP address subject alternative name. These values are false by default due to potential security concerns, and should only be enabled if necessary.
SanValidatingIssuerNameRegistry will only validate that subject alternative name of the certificate matches the issuer name as a URI. It does not validate the certificate itself. Given the simplicity of creating a fraudulent certificate with a matching subject alternative name, it is highly recommended to validate the certificate itself. This can be done using the certificateValidation element, setting the certificateValidationMode attribute to either ChainTrust, PeerTrust, or ChainOrPeerTrust. If none of these validation modes will work with the given signing certificate, a custom X509CertificateValidator should be used.