Visual Studio Identity Support Works with .Net 4.5 Only

Wednesday, November 21, 2012

Visual Studio has an Identity and Access tool extension that enables simple integration of claims-based identity authentication into a web project (WCF and ASP.NET). It turns out that the tool depends on Windows Identity Foundation (WIF) 4.5, which was integrated into the .NET Framework and is not compatible with WIF 4.0. For .NET 4.5 applications only, you will see the following when you right-click the project: “Enable Windows Azure Authentication” integrates your project with Windows Azure Active Directory (WAAD). “Identity and Access” integrates your project with Windows Azure Access Control Service (ACS)...

Discover Identity Providers from ACS

Wednesday, September 19, 2012

A customer asked me how to dynamically discover the identity providers of a certain namespace in ACS. The request is simple. Let’s assume we have an application (RP) at http:\\localhost\myApp. If we send the following request to ACS: https://xxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=http%3a%2f%2flocalhost%2fmyapp%2f&version=1.0 we will get the following JSON in the response: },  {"Name":"Google","LoginUrl":"https://www.google.com/accounts/o8/ud?openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0&openid.mode=checkid_setup&openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.realm=https%3a%2f%2fxxx.accesscontrol.windows.net%3a443%2fv2%2fopenid&openid.return_to=https%3a%2f%2fxxx.accesscontrol.windows.net%3a443%2fv2%2fopenid%3fcontext%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QmcHJvdmlkZXI9R29vZ2xl0&openid.ns.ax=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ax.mode=fetch_request&openid.ax.required=email%2cfullname%2cfirstname%2clastname&openid.ax.type.email=http%3a%2f%2faxschema.org%2fcontact%2femail&openid.ax.type.fullname=http%3a%2f%2faxschema.org%2fnamePerson&openid.ax.type.firstname=http%3a%2f%2faxschema.org%2fnamePerson%2ffirst&openid.ax.type.lastname=http%3a%2f%2faxschema.org%2fnamePerson%2flast","LogoutUrl":"","ImageUrl":"","EmailAddressSuffixes":},{"Name":"Yahoo!","LoginUrl":"https://open.login.yahooapis.com/openid/op/auth?openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0&openid.mode=checkid_setup&openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.realm=https%3a%2f%2fxxx.accesscontrol.windows.net%3a443%2fv2%2fopenid&openid.return_to=https%3a%2f%2fxxx.accesscontrol.windows.net%3a443%2fv2%2fopenid%3fcontext%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QmcHJvdmlkZXI9WWFob28h0&openid.ns.ax=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ax.mode=fetch_request&openid.ax.required=email%2cfullname%2cfirstname%2clastname&openid.ax.type.email=http%3a%2f%2faxschema.org%2fcontact%2femail&openid.ax.type.fullname=http%3a%2f%2faxschema.org%2fnamePerson&openid.ax.type.firstname=http%3a%2f%2faxschema.org%2fnamePerson%2ffirst&openid.ax.type.lastname=http%3a%2f%2faxschema.org%2fnamePerson%2flast","LogoutUrl":"","ImageUrl":"","EmailAddressSuffixes":}] Now we can use (HTTP GET) the LoginUrl of each provider, which will send us directly to its login page. If we call ACS with: https://xxx.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%2fmyapp%2f we will get the good...

New tools for Federation in windows 8 and Framework 4.5

If you try to install the WIF SDK on Windows 8 with Visual Studio 2012 and then create a simple claims-based application, you will see that “Add STS reference” is gone. So how do we use federation in Visual Studio 2012 and .NET 4.5? Well, it turns out that WIF as we know it is deprecated because it was integrated into the core of .NET 4.5, and the SDK is now provided as a set of powerful tools integrated into Visual Studio. The tools include a built-in local STS for testing, great integration with...

Running WIF Relying parties in Windows Azure

Monday, July 23, 2012

When running in a multi-server environment like Windows Azure, it is required to make sure the cookies generated by WIF are encrypted with the same key pair so all servers can open them. Encrypt cookies using RSA. In Windows Azure, the default cookie encryption mechanism (which uses DPAPI) is not appropriate because each instance has a different key. This would mean that a cookie created by one web role instance would not be readable by another web role instance. This could lead to service failures, effectively causing denial of service. To solve this problem...

Chrome Support for ACS with ADFS 2.0 Identity Provider

Monday, July 16, 2012

When using Windows Azure's Access Control Service (ACS) to perform user authentication against an Active Directory Federation Services (ADFS) endpoint, everything works well when using IE. However, when using Chrome or Firefox the site continually prompts for credentials over and over again. Why? It turns out the ADFS website that performs authentication of users (this website gets set up in IIS during the installation of ADFS v2.0) is by default configured for Integrated Windows Authentication (IWA). IWA is configured in IIS to use Extended Protection for Authentication (EPA), and therein lies the problem. Apparently, most other browsers don't...

ACS and OAuth 2.0

Tuesday, July 10, 2012

I was asked by a customer about the OAuth 2.0 endpoint in the ACS management portal. Well, ACS can participate in the OAuth dance. Its role is to produce an authorization code for the user's resource and then produce the actual access token that will enable a client application to access the user's resources at the resource server. There is a demo provided by the ACS team demonstrating OAuth delegation with ACS. I found a very good blog post explaining the OAuth flow of the sample in great detail. I recommend viewing the following 10m...

Securing AppFabric Service bus with ACS

Wednesday, November 23, 2011

I was working with a customer that wanted to use AppFabric Topics to push notifications to clients. As we all know, anyone who wants to listen or send messages using Service Bus has to authenticate first. Traditionally, authentication to the Service Bus was done by presenting a secret key before a connection was established. It is reasonable to put the secret key in a software package deployed on a server (some can argue with that and say it is a security violation), but providing the key to numerous clients? This is a true security breach. So how can we...

Convert SAML token to SWT token using ACS

Wednesday, November 16, 2011

In claims-based applications we use tokens to provide the application (relying party) with details (a collection of claims) about the authenticated identity. In ASP.NET web sites and WCF SOAP services, SAML tokens are used as a container for the claims. SAML is a standard that describes how tokens and claims are constructed and how they are cryptographically protected using digital signatures and encryption. SAML tokens are powerful, yet they are large. The size of the token is not a real issue in ASP.NET web sites or in SOAP WCF services, but for REST web services...

ACS Live Demos

Thursday, May 12, 2011

My friend Alik Levin, who works in the identity group, pointed me to a list of videos containing detailed demos of the Access Control Service: WCF web service that uses ACS with WIF (Securing WCF Services with ACS); web site that uses ACS, with and without WIF (Securing Web Applications with ACS); delegation with ACS (Code Sample: OAuth 2.0 Delegation); integration with ADFS 2.0 (How To: Configure...