Auth0 – An Exciting SSO Infrastructure

Monday, September 30, 2013

When we think about SSO we have to think about simplicity, multi-platform integration, deployment scenarios (cloud / on-premises) and standards compliance. Unfortunately Microsoft solutions (ADFS, WAAD, ACS) are focused on SAML 1.1 and assume that applications have the ability to parse and validate such tokens. (WAAD and ADFS have OAuth previews that are currently not stable; ACS can use WRAP OAuth, which is not relevant.) This assumption is problematic in the mobile era. Web platforms today do not include the strong XML stacks that are required to handle SAML tokens, and so applications, and especially mobile applications, cannot handle...

Bug in ADFS. OAuth access token can be requested in UTC time zone only

Monday, September 9, 2013

My friend Assaf Israel showed me a bug in the new ADFS version in the Windows Server 2012 Preview. When calling the ADFS endpoint /oauth/authorize to get an authorization token, the server will call the method BeginAdd in the class Microsoft.IdentityServer.Server.ArtifactResolutionService.ArtifactService to create an artifact with an authorization token and store it in the database. The server will set the expiration date to be UTC time + 5 min.

if (DateTime.Compare(artifact.Expire, DateTime.MinValue) == 0)
    artifact.Expire = DateTime.UtcNow.AddSeconds((double).artifactService.LifetimeInSeconds);

When calling /oauth/authorize to get an...

Passive Federation Client

Monday, June 3, 2013

As we all know, it is simple to call a federated web site authenticated by AD FS 2.0 or any other identity provider using passive federation. The client is a browser that knows nothing about federation. All the browser knows is how to send HTTP requests and submit HTML forms. It would be interesting to write a small library that mimics the browser behavior and allows applications to call web sites using passive federation. Such web sites can implement RESTful web services or any other HTTP-based API. Currently applications use ACTIVE federation, which means they have...

My Talk in the SDP 2013

Monday, May 6, 2013

Today I spoke about web identities and about Azure data sync. In the web identities talk I spoke about the identity concept and about the OpenID, SAML and OAuth standards. In the Azure data sync talk I spoke about the value of sync, the Microsoft Synchronization Framework (MSF) and the Azure data sync service (which is based on MSF). Tomorrow I will speak about cryptography in .Net and explore different types of encryption algorithms and signing APIs. You can find the slide deck here: Web Identities ...

Subscribe to Windows Azure Using Your Organization ID

Monday, April 29, 2013

Until recently, you could only sign up for a new Windows Azure subscription using your Microsoft account (LiveID). It means that your administration account is governed by a private user account. This is a major security threat: the account credentials are a simple user name and password (which could easily be stolen), no multi-factor authentication is possible, and no policy or management is enforced on the administration identity. All this is changing now with Windows Azure Active Directory (WAAD). Now you can sign in to...

How to Encode a Certificate

Monday, April 22, 2013

It is common to upload / transfer certificates as base64 strings. A common example is the Azure Management API Add Service Certificate. To encode a certificate, all you have to do is simply encode the certificate file:

var encodedClientCert = Convert.ToBase64String(File.ReadAllBytes("Client.Cer"));

Creating a certificate out of a base64 string is just as easy:

string str = "base64string representing a certificate";
string psw = "password for certificates with a private key";
var cert = new X509Certificate2(Convert.FromBase64String(str), psw);

Hope this helps, Manu

How To Find a Certificate in the Certificate Store

Sunday, April 21, 2013

I wrote a nice helper class that helps me find certificates installed on my machine. Here is the code:

public static class CertificateHelper
{
    public static X509Certificate2 FindCertificateByThumbprint(string certificateThumbprint)
    {
        var res = FindCertificateByThumbprint(certificateThumbprint, new X509Store(StoreName.My, StoreLocation.CurrentUser)) ??
                  FindCertificateByThumbprint(certificateThumbprint, new X509Store(StoreName.My, StoreLocation.LocalMachine));

        if (res == null)
            throw new Exception(string.Format("No certificate found with the thumbprint {0} ", certificateThumbprint));

        return res;
    }

    public static X509Certificate2 FindCertificateByName(string subjectName)
    {
        var res = FindCertificateByName(subjectName, new X509Store(StoreName.My, StoreLocation.CurrentUser)) ??
                  FindCertificateByName(subjectName, new X509Store(StoreName.My, StoreLocation.LocalMachine));

        if (res == null)
            throw new Exception(string.Format("No...

Visual Studio Identity Support Works with .Net 4.5 Only

Wednesday, November 21, 2012

Visual Studio has an Identity and Access tool extension which enables simple integration of claims-based identity authentication into a web project (WCF and ASP.Net). It turns out that the tool depends on Windows Identity Foundation (WIF) 4.5, which was integrated into the .Net framework and is not compatible with WIF 4.0. For .Net 4.5-only applications you will see the following when you right-click the project. "Enable Windows Azure Authentication" integrates your project with Windows Azure Active Directory (WAAD). "Identity and Access" integrates your project with Windows Azure Access Control Service (ACS)...

Application security auditing and logging

Monday, March 26, 2012

Auditing is one of the main pillars of security policies. The question is how to do it wisely. The infrastructure can log almost everything, for example access to files, registry keys, databases, etc. The problem is that the infrastructure has no knowledge about the application use cases, which means that the context for these logs is missing. Let us ask: what is the purpose of auditing? The trivial reason is to collect information that will be useful in case of a problem, yet how do you know that there is a problem after all? Auditing can...

Azure ServiceBus Topic using REST API – Part 3

Sunday, March 11, 2012

In the last two posts we showed how to use the Azure ServiceBus REST API to send a message to a topic. In this post we will see how to listen on a topic and receive a message. There are two options:

1. Receive a message and delete it from the topic.

Receive and Delete

public static T ReceiveAndDeleteMessage<T>(string serviceNamespace, string topicName,
    string subscriptionName, string token) where T : class
{
    var address = string.Format("https://{0}.{1}/{2}/subscriptions/{3}/messages/head?timeout=10",
        serviceNamespace, sbHostName, topicName, subscriptionName);
    WebClient webClient = new WebClient();
    // Header name assumed: the extraction dropped the bracketed indexer on this line
    webClient.Headers["Authorization"] = token;
    // DELETE on /messages/head receives the message and removes it from the subscription
    byte[] response = webClient.UploadData(address, "DELETE", new byte[0]);
    ...