Question

My code receives the SAML response in XML format. I need to verify the signature to confirm that the response is not tampered with, and I also need to confirm that this is coming from a trusted source. (In a settings file I have the cert thumbprint and issuer name for the trusted certs.) I am using ComponentSpace tools, where I can call GetCertificate() to get the X509Certificate2 from the XML file.

To verify the signed XML, do I need to install this cert to the cert store? Is it possible to verify an XML signed doc with the cert you construct from the XML itself?


Solution

I certainly would not trust the veracity of a signed message based solely upon the cert included in the signed message. In theory, someone could intercept the message and create a new message with a new signing cert and your SP would never know. It is considered best practice to have the IDP send you their signing cert out-of-band and you should securely store it locally. That way, when you receive the signed message, you can check that the signing cert included in the message matches the locally stored version your IDP gave you, as well as validate that the message signature is valid using the same certificate.
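As an added example (not code from the question, the answer, or ComponentSpace), this .NET snippet does what the answer recommends: it compares the certificate embedded in the response against the thumbprint and issuer held in local settings, and only then runs the signature check, using the framework's own SignedXml instead of the ComponentSpace API. The SamlSignatureCheck class, the two setting values and the assumption that "issuer name" means the certificate's issuer DN are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureCheck
{
    // Placeholders standing in for the SP's settings file (not real values).
    const string TrustedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT_FROM_SETTINGS";
    const string TrustedIssuer     = "CN=PLACEHOLDER_IDP_CERT_ISSUER";

    public static bool VerifyResponse(string samlResponseXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(samlResponseXml);

        var sigNodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigNodes.Count != 1)
            return false;                       // unsigned or ambiguous: reject

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigNodes[0]);

        // Certificate carried in <ds:KeyInfo>/<ds:X509Data>/<ds:X509Certificate>.
        X509Certificate2 embedded = ExtractEmbeddedCertificate(signedXml);
        if (embedded == null)
            return false;

        // Trust decision first: the embedded cert must match what the IdP gave us
        // out-of-band. Thumbprint is the upper-case hex SHA-1 of the DER encoding.
        bool trusted =
            string.Equals(embedded.Thumbprint, TrustedThumbprint.Replace(" ", ""),
                          StringComparison.OrdinalIgnoreCase)
            && string.Equals(embedded.Issuer, TrustedIssuer, StringComparison.Ordinal);
        if (!trusted)
            return false;

        // Only now check the math. verifySignatureOnly = true skips building a chain
        // against the machine store, so the cert never has to be installed there.
        return signedXml.CheckSignature(embedded, true);
    }

    static X509Certificate2 ExtractEmbeddedCertificate(SignedXml signedXml)
    {
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
            if (clause is KeyInfoX509Data x509 && x509.Certificates.Count > 0)
                return new X509Certificate2((X509Certificate)x509.Certificates[0]);
        return null;
    }
}
```

Because the embedded certificate is accepted only when it matches the stored one, passing the locally stored X509Certificate2 to CheckSignature instead of the embedded copy gives the same result and removes the parsing step entirely.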

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow