ITfoxtec SAML 2.0 - History

The ITfoxtec SAML 2.0 and MVC version history.


XML external entity (XXE) injection vulnerability solved.


If no lifetime is provided in the CreateSession method, the Session Security Token validation period properties ValidFrom and ValidTo are set to the values provided in the SAML 2.0 Security Token.


CLS Compliant attribute added. The component is compliant with the Common Language Specification (CLS).


Only the ITfoxtec.Saml2.Mvc package is updated to version 1.2.1. The ITfoxtec.Saml2 package is unchanged and still version 1.2.0.

MVC reference updated from Microsoft.Mvc version 4.0.0 to NuGet Microsoft.AspNet.Mvc version 5.2.2.


Certificate validation and replayed token detection are configurable. Remember to add the certificateValidation element to the web.config file:

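            <identityConfiguration saveBootstrapContext="false">
                <audienceUris mode="Always">
                    <add value="" />
                </audienceUris>
                <!-- certificateValidationMode="None" performs no validation of the certificate; revocationMode="NoCheck" performs no revocation check -->
                <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
            </identityConfiguration>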

The two component DLLs are signed.


Supports SAML 2.0 Response with an Assertion element that is either encrypted or not encrypted.

Resolved bug regarding reading the Issuer in a SAML 2.0 Response.

Breaking change in Metadata: creating an EntityDescriptor now adds the entityId as an EndpointReference instead of a string.


Resolves assertion expiration validation error.


Adds more SAML 2.0 standard features and support for the Danish OIOSAML 2.0 profile.


Supports important basic parts of the SAML-P standard and some optional features. Message signing and validation are supported.

Supported bindings:

Supported request / response: