I’m just curious how the SAMLAssertionSignature.Verify works when you only pass in the assertion xmlelement. Is that method/property list combo only intended to be used after a “.Generate”? Seems to be a static object, so is it just still holding the X509Certificate object?
Most XML signatures embed the X.509 certificate in the signature.
If you don’t pass an X.509 certificate to SAMLAssertion.Verify, it will use the embedded certificate if any.
In production code, we don’t recommend doing this. You are better to supply the X.509 certificate as you know this certificate can be trusted.