jkmu · philter87 · Mar 4, 2025
diff --git a/Source/Saml2.Authentication.Core/Providers/ConfigurationProvider.cs b/Source/Saml2.Authentication.Core/Providers/ConfigurationProvider.cs
@@ -1,4 +1,7 @@
-namespace Saml2.Authentication.Core.Providers
+using System.Collections.Generic;
+using System.Security.Cryptography;
+
+namespace Saml2.Authentication.Core.Providers
 {
     using System;
     using System.IO;
@@ -56,6 +59,16 @@ public X509Certificate2 ServiceProviderSigningCertificate()
             return certificate;
         }
 
+        public List<AsymmetricAlgorithm> GetTrustedKeys()
+        {
+            var trustedKeys = _configuration.IdentityProviderConfiguration
+                .Select(idp => LoadCertificate(idp.Certificate))
+                .Select(c => c.PublicKey.Key)
+                .ToList();
+            trustedKeys.Add(ServiceProviderSigningCertificate().PublicKey.Key);
+            return trustedKeys;
+        }
+
         private X509Certificate2 LoadCertificate(Certificate certificateDetails) =>
             certificateDetails.Thumbprint.IsNotNullOrEmpty()
                 ? FindCertificate(

diff --git a/Source/Saml2.Authentication.Core/Providers/IConfigurationProvider.cs b/Source/Saml2.Authentication.Core/Providers/IConfigurationProvider.cs
@@ -1,4 +1,7 @@
-namespace Saml2.Authentication.Core.Providers
+using System.Collections.Generic;
+using System.Security.Cryptography;
+
+namespace Saml2.Authentication.Core.Providers
 {
     using System.Security.Cryptography.X509Certificates;
     using Configuration;
@@ -12,5 +15,7 @@ public interface IConfigurationProvider
         X509Certificate2 GetIdentityProviderSigningCertificate(string providerName);
 
         X509Certificate2 ServiceProviderSigningCertificate();
+
+        List<AsymmetricAlgorithm> GetTrustedKeys();
     }
 }
diff --git a/Source/Saml2.Authentication.Core/Validation/SamlValidator.cs b/Source/Saml2.Authentication.Core/Validation/SamlValidator.cs
@@ -100,13 +100,13 @@ public Saml2Assertion GetValidatedAssertion(XmlElement element)
             var key = signingCertificate.PublicKey.Key;
             var audience = ServiceProviderConfiguration.EntityId;
 
-            var keys = new List<AsymmetricAlgorithm> { key };
-            var assertion = new Saml2Assertion(assertionElement, keys, AssertionProfile.Core, new List<string> { audience }, false);
+            var trustedKeys = _configurationProvider.GetTrustedKeys();
+            var assertion = new Saml2Assertion(assertionElement, trustedKeys, AssertionProfile.Core, new List<string> { audience }, false);
 
             if (!ServiceProviderConfiguration.OmitAssertionSignatureCheck)
             {
                 // TODO: This is checked automatically if auto-validation is on
-                if (!assertion.CheckSignature(keys))
+                if (!assertion.CheckSignature(trustedKeys))
                 {
                     throw new Saml2Exception("Invalid signature in assertion");
                 }