NServiceBus PubSub Is Static and Does Not Support Publisher Side Filtering

Thursday, September 12, 2013

NServiceBus has a simple Pub/Sub infrastructure. I use the word simple because it is simple to use. In NServiceBus subscriptions are defined statically. NServiceBus scans your code and decides that A has to subscribe to B for messages of type M. If A (Billing) has a class that handles messages of type M (OrderAccepted), and those messages are configured to be under the responsibility of B (OrderProcessing), NServiceBus will initiate a subscribe request from A to B for messages of type M. (see the following example) public partial class...
no comments
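The two-endpoint setup the excerpt describes, as an added example (not code from the original post). It assumes NServiceBus 4.x, where IHandleMessages<T>.Handle is synchronous, and uses illustrative names (Messages assembly, Billing and OrderProcessing endpoints). The point it makes concrete is the title's: because there is no publisher-side filtering, every OrderAccepted event is transported to Billing and any filtering happens only after delivery.

```csharp
// Added example, not the original post's code. NServiceBus 4.x API assumed.
using System;
using NServiceBus;

namespace Messages
{
    // Lives in a shared messages assembly (name "Messages" is illustrative).
    // The IEvent marker tells NServiceBus this type is published, not sent.
    public class OrderAccepted : IEvent
    {
        public Guid OrderId { get; set; }
        public string Currency { get; set; }
        public decimal Amount { get; set; }
    }
}

namespace OrderProcessing
{
    using Messages;

    // The publisher does not know who is subscribed and cannot filter per subscriber;
    // Publish delivers the event to every endpoint that sent a Subscribe message.
    public class OrderAcceptor
    {
        public IBus Bus { get; set; } // injected by NServiceBus

        public void Accept(Guid orderId, decimal amount, string currency)
        {
            Bus.Publish(new OrderAccepted { OrderId = orderId, Amount = amount, Currency = currency });
        }
    }
}

namespace Billing
{
    using Messages;

    // The subscription is static: this endpoint contains a handler for OrderAccepted,
    // and App.config (below) maps OrderAccepted to the OrderProcessing endpoint, so at
    // startup NServiceBus sends a Subscribe message from Billing to OrderProcessing.
    public class OrderAcceptedHandler : IHandleMessages<OrderAccepted>
    {
        public void Handle(OrderAccepted message)
        {
            // No publisher-side filtering: the message was already transported and
            // stored in Billing's queue before this check runs.
            if (message.Currency != "USD")
            {
                return; // drop it here; the publisher cannot do this for us
            }
            Console.WriteLine("Billing order {0}: {1} {2}",
                message.OrderId, message.Amount, message.Currency);
        }
    }
}

/* App.config of the Billing endpoint (assumed mapping; the assembly name is
   illustrative). This is what turns "a handler exists" into "subscribe to OrderProcessing":

<configSections>
  <section name="UnicastBusConfig"
           type="NServiceBus.Config.UnicastBusConfig, NServiceBus.Core" />
</configSections>
<UnicastBusConfig>
  <MessageEndpointMappings>
    <add Messages="Messages" Endpoint="OrderProcessing" />
  </MessageEndpointMappings>
</UnicastBusConfig>
*/
```

Because the filter sits in the subscriber, a subscriber that should only ever see a subset of events still receives, and must be trusted with, all of them; if that matters, publish distinct event types rather than relying on a property check after delivery.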

Bug in ADFS. OAuth access token can be requested in UTC time zone only

Monday, September 9, 2013

My friend Assaf Israel showed me a bug in the new ADFS version in Windows Server 2012 Preview. When calling the ADFS endpoint /oauth/authorize to get an authorization token, the server will call the method BeginAdd in the class Microsoft.IdentityServer.Server.ArtifactResolutionService.ArtifactService to create an artifact with an authorization token and store it in the database. The server sets the expiration date to UTC time + 5 min: if (DateTime.Compare(artifact.Expire,DateTime.MinValue) == 0) artifact.Expire = DateTime.UtcNow.AddSeconds((double).artifactService.LifetimeInSeconds); When calling /oauth/authorize to get an...
3 comments
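An added illustration of the class of bug the post is about; this is not the ADFS code, and the expiry check shown is an assumption about how such a UTC-only failure arises, not something taken from ADFS. The artifact is stamped with DateTime.UtcNow (Kind = Utc) exactly as in the excerpt; the two checks below then compare it against DateTime.Now and DateTime.UtcNow. DateTime comparison ignores Kind, so the local-clock check only agrees with the stamp when the machine runs in UTC.

```csharp
// Added illustration, not ADFS's code. The IsExpired variants are assumptions
// about the failure mode, written to show why a UtcNow stamp + local check
// only works in the UTC time zone.
using System;

public class Artifact
{
    public DateTime Expire { get; set; }
}

public static class ArtifactStore
{
    const int LifetimeInSeconds = 300; // the 5 minutes from the post

    // Mirrors the excerpt: stamp with UTC if no expiry was set yet.
    public static Artifact Create()
    {
        var artifact = new Artifact();
        if (DateTime.Compare(artifact.Expire, DateTime.MinValue) == 0)
            artifact.Expire = DateTime.UtcNow.AddSeconds(LifetimeInSeconds);
        return artifact;
    }

    // Buggy (assumed): local wall clock against a UTC stamp. East of UTC the
    // artifact is "expired" the moment it is created; west of UTC it lives
    // hours longer than the configured 5 minutes.
    public static bool IsExpiredLocalCheck(Artifact a)
    {
        return DateTime.Now > a.Expire;
    }

    // Correct: same clock as the stamp.
    public static bool IsExpiredUtcCheck(Artifact a)
    {
        return DateTime.UtcNow > a.Expire;
    }

    // Safer still: DateTimeOffset carries the offset, so a mixed comparison
    // is not even expressible.
    public static bool IsExpired(DateTimeOffset expire)
    {
        return DateTimeOffset.UtcNow > expire;
    }
}

class Demo
{
    static void Main()
    {
        var a = ArtifactStore.Create();
        Console.WriteLine("stamp kind:            {0}", a.Expire.Kind);                 // Utc
        Console.WriteLine("local offset (hours):  {0}", TimeZoneInfo.Local.BaseUtcOffset.TotalHours);
        Console.WriteLine("expired, local check:  {0}", ArtifactStore.IsExpiredLocalCheck(a)); // true if offset > +5 min
        Console.WriteLine("expired, utc check:    {0}", ArtifactStore.IsExpiredUtcCheck(a));   // false
        Console.WriteLine("expired, offset check: {0}",
            ArtifactStore.IsExpired(DateTimeOffset.UtcNow.AddSeconds(300)));                  // false
    }
}
```

Run it on a machine set to UTC and then to any zone east of UTC (Israel is UTC+2/+3) to see the local-check result flip; a token-expiry bug that reproduces only outside UTC is the signature of exactly this mix of DateTime kinds.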

Active Federation with ADFS 2.0 in C#

Tuesday, August 27, 2013

A customer asked me how to establish active federation in C# with two ADFS servers. The scenario is simple: - One ADFS acts as an STS (it authenticates the client) - The second ADFS acts as an R-STS and provides a token to the RP (application) using the token created by the first STS. The code is simple and is based on .NET 4.5 WIF (System.IdentityModel). In the first step the client authenticates to the STS and gets a SAML token:...
no comments
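The two-hop exchange described above, as an added example written with the .NET 4.5 WIF classes (System.ServiceModel.Security.WSTrustChannelFactory and System.IdentityModel.Protocols.WSTrust); it is not the post's own code. The endpoint URLs, realms and credentials are placeholders, and the choice of ADFS endpoints (usernamemixed on the IP-STS, issuedtokenmixedsymmetricbasic256 on the R-STS) and key types is an assumption about how the two servers are configured.

```csharp
// Added example, not the original post's code. URLs, realms, credentials and
// the ADFS endpoint/key-type choices are placeholders and assumptions.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

static class ActiveFederation
{
    // Hop 1: authenticate to the IP-STS with a user name and password over
    // TransportWithMessageCredential (TLS carries the password; the SOAP body
    // carries the UsernameToken) and receive a token scoped to the R-STS.
    static SecurityToken GetTokenFromIpSts(string stsEndpoint, string rstsRealm,
                                           string user, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(rstsRealm), // audience: the R-STS, not the app
            KeyType = KeyTypes.Symmetric                  // proof key, so hop 2 can prove possession
        };
        var channel = (WSTrustChannel)factory.CreateChannel();
        return channel.Issue(rst);
    }

    // Hop 2: present the IP-STS token as an issued-token credential to the
    // R-STS and request a bearer token whose audience is the RP.
    static SecurityToken GetTokenFromRsts(string rstsEndpoint, string rpRealm,
                                          SecurityToken issuedToken)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(rstsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.SupportInteractive = false; // never pop a CardSpace/UI prompt

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(rpRealm), // audience: the RP
            KeyType = KeyTypes.Bearer
        };
        var channel = (WSTrustChannel)factory.CreateChannelWithIssuedToken(issuedToken);
        return channel.Issue(rst);
    }

    static void Main()
    {
        // Placeholder hosts; the paths are the standard ADFS 2.0 WS-Trust 1.3 endpoints
        // assumed to be enabled on each server.
        SecurityToken ipStsToken = GetTokenFromIpSts(
            "https://sts1.example.com/adfs/services/trust/13/usernamemixed",
            "https://sts2.example.com/adfs/services/trust",
            "user@example.com", "placeholder-password");

        SecurityToken rpToken = GetTokenFromRsts(
            "https://sts2.example.com/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256",
            "https://app.example.com/",
            ipStsToken);

        // The RP receives this SAML assertion (e.g. in an Authorization header);
        // it must check Audience == its realm and that the issuer is sts2, not sts1.
        var xmlToken = rpToken as GenericXmlSecurityToken;
        Console.WriteLine(xmlToken != null ? xmlToken.TokenXml.OuterXml : rpToken.Id);
    }
}
```

Keep server certificate validation on for both hops; a ServicePointManager.ServerCertificateValidationCallback that returns true would let anyone on the path harvest the password in hop 1 and the token in hop 2.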

Passive Federation Client

Monday, June 3, 2013

As we all know, it is simple to call a federated web site authenticated by AD FS 2.0 or any other identity provider using passive federation. The client is a browser that knows nothing about federation. All the browser knows is to send HTTP requests and to submit HTML forms. It would be interesting to write a small library that mimics the browser behavior and allows applications to call web sites using passive federation. Such web sites can implement RESTful web services or any other HTTP-based API. Currently applications use ACTIVE federation, which means they have...
no comments

How to Analyze SAML Traffic

Sunday, June 2, 2013

To learn and debug AD FS 2.0 and the SAML protocol it is important to look at the traffic running between the client, the STS and the RP (web application). With AD FS 2.0 the traffic must be sent over a secure channel (SSL). Fortunately Fiddler can decrypt the content and present the actual traffic on the wire, but when you activate Fiddler with SSL decryption (as shown here) you will be continuously prompted for credentials by the AD FS 2.0 Federation Server. This prompt comes in the form of an HTTP 401 challenge dialog box. ...
one comment

The Identity and Access tool was updated

Tuesday, May 7, 2013

I worked on a customer machine and used the Identity and Access tool to enable identity federation. When I looked at the config that was produced by the tool I saw something strange. Instead of the good old configuration:
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <trustedIssuers> <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" /> </trustedIssuers> </issuerNameRegistry>
the tool produced the following:
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, ...
3 comments

My Talk in the SDP 2013

Monday, May 6, 2013

Today I spoke about web identities and about Azure Data Sync. In the web identities talk I spoke about the identity concept and about the OpenID, SAML and OAuth standards. In the Azure Data Sync talk I spoke about the value of sync, the Microsoft Synchronization Framework (MSF) and the Azure Data Sync service (which is based on MSF). Tomorrow I will speak about cryptography in .NET and explore different types of encryption algorithms and signing APIs. You can find the slide deck here: Web Identities ...
one comment

Subscribe to Windows Azure Using Your Organization ID

Monday, April 29, 2013

Until recently, you could only sign up for a new Windows Azure subscription using your Microsoft account (LiveID). That means your administration account is governed by a private user account, which is a serious security risk: the account credentials are a plain user name and password (which could easily be stolen); no multi-factor authentication is possible; and no policy or management is enforced on the administration identity. All this is changing now with Windows Azure Active Directory (WAAD). Now you can sign in to...
2 comments

How to Encode a Certificate

Monday, April 22, 2013

It is common to upload or transfer certificates as base64 strings. A common example is the Azure Management API Add Service Certificate operation. To encode a certificate all you have to do is base64-encode the certificate file:
var encodedClientCert = Convert.ToBase64String(File.ReadAllBytes("Client.Cer"));
Creating a certificate from a base64 string is just as easy:
string str = "base64string representing a certificate"; string psw = "password for certificates with a private key"; var cert = new X509Certificate2(Convert.FromBase64String(str), psw);
Note that a .cer file holds only the public certificate, so the password matters only when the bytes are a PFX that carries the private key. Hope this helps, Manu
no comments
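An added round-trip example (not the post's code) that goes a step beyond the two one-liners: it generates a throwaway self-signed certificate, base64-encodes it both as a public-only .cer (DER) and as a password-protected PFX, decodes both with the same X509Certificate2 constructor the post uses, and shows which form carries the private key and what a wrong password does. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ for CertificateRequest; the subject name and password are placeholders.

```csharp
// Added example, not the original post's code. Requires .NET Framework 4.7.2+
// or .NET Core 2.0+ (CertificateRequest). Subject and password are placeholders.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertBase64
{
    // Throwaway self-signed cert with a private key, so the example runs offline.
    public static X509Certificate2 NewSelfSigned(string subject)
    {
        RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                    DateTimeOffset.UtcNow.AddYears(1));
    }

    // Same bytes Convert.ToBase64String(File.ReadAllBytes("Client.Cer")) would give:
    // DER-encoded certificate, public part only.
    public static string EncodePublic(X509Certificate2 cert)
    {
        return Convert.ToBase64String(cert.Export(X509ContentType.Cert));
    }

    // What a .pfx holds: certificate plus private key, wrapped with a password.
    public static string EncodePfx(X509Certificate2 cert, string password)
    {
        return Convert.ToBase64String(cert.Export(X509ContentType.Pfx, password));
    }

    // The post's decode step; the password is only consulted for PFX input.
    public static X509Certificate2 Decode(string base64, string password)
    {
        return new X509Certificate2(Convert.FromBase64String(base64), password);
    }

    static void Main()
    {
        const string pfxPassword = "placeholder-pfx-password";
        X509Certificate2 cert = NewSelfSigned("CN=client.example.com");

        string pub = EncodePublic(cert);
        string pfx = EncodePfx(cert, pfxPassword);

        X509Certificate2 fromPub = Decode(pub, null);
        X509Certificate2 fromPfx = Decode(pfx, pfxPassword);

        Console.WriteLine("thumbprints equal:          " + (fromPub.Thumbprint == cert.Thumbprint));
        Console.WriteLine(".cer form HasPrivateKey:    " + fromPub.HasPrivateKey); // False
        Console.WriteLine(".pfx form HasPrivateKey:    " + fromPfx.HasPrivateKey); // True
        Console.WriteLine("pfx base64 is larger:       " + (pfx.Length > pub.Length));

        // A wrong PFX password fails closed; a .cer ignores the password entirely.
        try
        {
            Decode(pfx, "wrong-password");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("wrong PFX password rejected: " + e.Message);
        }
        Console.WriteLine("cer with a password still loads: " + (Decode(pub, "ignored").Thumbprint == cert.Thumbprint));
    }
}
```

When the string goes to a management API such as Add Service Certificate, send the public form unless the service explicitly needs the key; a base64 PFX in a request body or log is the private key in plain sight, protected only by the password you chose.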

Uploading Large Files to Blob Storage

If you try to upload a large file (2 MB and larger) to blob storage it is likely that you will get the following timeout exception: "StorageServerException : Operation could not be completed within the specified time." The solution is to do things in parallel. Fortunately blob storage has a simple API for parallel upload: blobClient.ParallelOperationThreadCount = 20; To use it you must also raise the maximum number of outgoing connections with ServicePointManager.DefaultConnectionLimit. The following method demonstrates that: public static void LoadLargeBlob(string storageAccountName, string storageAccountKey) { ServicePointManager.DefaultConnectionLimit...
no comments
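A complete version of the upload the excerpt cuts off, as an added example rather than the post's own snippet. It assumes the 1.x Microsoft.WindowsAzure.StorageClient library, the one on which ParallelOperationThreadCount is a property of CloudBlobClient (in the 2.x library it moved to BlobRequestOptions); the account name and key, container, blob name and file path are placeholders.

```csharp
// Added example, not the original post's snippet. Assumes the 1.x
// Microsoft.WindowsAzure.StorageClient library; account/key, container,
// blob name and path are placeholders.
using System;
using System.IO;
using System.Net;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

public static class LargeBlobUploader
{
    public static void LoadLargeBlob(string storageAccountName, string storageAccountKey,
                                     string containerName, string blobName, string filePath)
    {
        // .NET defaults to 2 concurrent connections per host. With that limit the
        // 20 upload threads below would queue behind each other and the request
        // would still hit "Operation could not be completed within the specified time".
        ServicePointManager.DefaultConnectionLimit = 48;
        ServicePointManager.Expect100Continue = false; // one fewer round trip per block
        ServicePointManager.UseNagleAlgorithm = false;  // do not batch small PutBlock bodies

        var credentials = new StorageCredentialsAccountAndKey(storageAccountName, storageAccountKey);
        // useHttps: true keeps the shared-key signed requests (and the data) off plain HTTP.
        var account = new CloudStorageAccount(credentials, true);
        CloudBlobClient client = account.CreateCloudBlobClient();

        // Parallel block upload: the file is cut into blocks, each PutBlock goes on
        // its own thread, then one PutBlockList commits them atomically.
        client.ParallelOperationThreadCount = 20;
        client.SingleBlobUploadThresholdInBytes = 4 * 1024 * 1024; // above this, use blocks
        client.WriteBlockSizeInBytes = 4 * 1024 * 1024;            // block size (max 4 MB in 1.x)
        client.Timeout = TimeSpan.FromMinutes(10);                  // per request, not per file
        client.RetryPolicy = RetryPolicies.RetryExponential(5, TimeSpan.FromSeconds(2));

        CloudBlobContainer container = client.GetContainerReference(containerName);
        container.CreateIfNotExist(); // private by default; no public-read ACL is set here

        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
        long size = new FileInfo(filePath).Length;
        Console.WriteLine("Uploading {0} ({1:N0} bytes) with {2} threads",
            blobName, size, client.ParallelOperationThreadCount);

        blob.UploadFile(filePath);

        // Confirm the commit landed with the expected size before trusting the upload.
        blob.FetchAttributes();
        Console.WriteLine("Uploaded: {0} bytes, ETag {1}", blob.Properties.Length, blob.Properties.ETag);
    }

    static void Main()
    {
        LoadLargeBlob("placeholderaccount", "placeholder-base64-account-key",
                      "uploads", "large-file.bin", @"C:\temp\large-file.bin");
    }
}
```

The account key in this call has full control of the storage account, so it belongs in configuration protected by the host (or a short-lived shared access signature for the uploading process), never in source alongside the upload code.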