SanValidatingIssuerNameRegistry 1.0.0

dotnet add package SanValidatingIssuerNameRegistry --version 1.0.0                
NuGet\Install-Package SanValidatingIssuerNameRegistry -Version 1.0.0                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="SanValidatingIssuerNameRegistry" Version="1.0.0" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SanValidatingIssuerNameRegistry --version 1.0.0                
#r "nuget: SanValidatingIssuerNameRegistry, 1.0.0"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install SanValidatingIssuerNameRegistry as a Cake Addin
#addin nuget:?package=SanValidatingIssuerNameRegistry&version=1.0.0

// Install SanValidatingIssuerNameRegistry as a Cake Tool
#tool nuget:?package=SanValidatingIssuerNameRegistry&version=1.0.0                


SanValidatingIssuerNameRegistry is an IssuerNameRegistry implementation for Windows Identity Foundation which validates the signing certificate against the issuer name using the subject alternative name of the certificate.

GitHub Nuget GitHub issues

Getting Started


SanValidatingIssuerNameRegistry can be installed on an ASP.NET project utilizing Windows Identity Foundation by installing the nuget package. Alternatively, it can be installed on an already deployed ASP.NET application using Windows Identity Framework by copying the appropriate assembly file to the bin folder.


The simplest way to configure SanValidatingIssuerNameRegistry is by adding it as the the issuerNameRegistry in the web.config file.

    <issuerNameRegistry type="SanValidatingIssuerNameRegistry.SanValidatingIssuerNameRegistry, SanValidatingIssuerNameRegistry">
      <add issuerUri="http://sts.corp.example/adfs/services/trust" allowUriValidation="false" allowIpValidation="false" />

In addition to validating the issuer name against a DNS subject alternative name, allowUriValidation can be set to true to allow validating against a URI subject alternative name, and allowIpValidation to true to allow validating against an IP address subject alternative name. These values are false by default due to potential security concerns, and should only be enabled if necessary.

Certificate Validation

SanValidatingIssuerNameRegistry will only validate that subject alternative name of the certificate matches the issuer name as a URI. It does not validate the certificate itself. Given the simplicity of creating a fraudulent certificate with a matching subject alternative name, it is highly recommended to validate the certificate itself. This can be done using the certificateValidation element, setting the certificateValidationMode attribute to either ChainTrust, PeerTrust, or ChainOrPeerTrust. If none of these validation modes will work with the given signing certificate, a custom X509CertificateValidator should be used.

Product Compatible and additional computed target framework versions.
.NET Framework net45 is compatible.  net451 was computed.  net452 was computed.  net46 was computed.  net461 is compatible.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 is compatible.  net48 is compatible.  net481 was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
  • .NETFramework 4.5

    • No dependencies.
  • .NETFramework 4.6.1

    • No dependencies.
  • .NETFramework 4.7.2

    • No dependencies.
  • .NETFramework 4.8

    • No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.0.0 275 3/24/2022