Index of the question answered in this article
Following are the questions and the answers.
do I configure a WIF relying party application using a configuration file?
There is a new topic on MSDN that completely describes the WIF Configuration file, its various components and usage examples.
I ran the web app it errored out as follows, how do I fix this?
ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd').
I created a relying party in ACS and used SWT as the token format. Then I used "Add STS reference..." to my web app and pointed it to https://MyApp.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml.
If I switched to use SAML 2.0 token format, it works just fine.
A: WIF does not include a security token handler for SWT. You can find a sample here: http://zamd.net/2010/07/31/using-wif-for-securing-rest-service/
I wouldn't put too many bets on SWT - seems it will soon be replaced by JWT (of course the good thing about WIF is, that these details are abstracted away from an application point of view).
bootstrap tokens, from the CurrentPrinciples IClaimsPrincle identities, encrypted? In particular if the original token was encrypted.
A: No - the session token (which holds the bootstrap token) gets generated from the IClaimsPrincipal - that's after decryption.
But the session token itself is encrypted by default.
View article ...
WIF builds upon System.IdentityModel. You typically use the Microsoft.* classes like Claim and ClaimTypes etc.
I know this is sometimes confusing - but whenever you have a choice between System.* and Microsoft.* - choose Microsoft.*
View article ...
can I control the type of token my STS issues when it is invoked from an active or passive client?
A: The key type is part of the RST; either set it manually when using WSTrustChannelFactory, or set it on the binding when you use the automatic token request
facility in WCF. The setting is - issuedKeyType=”SymmetricKey”
Q: What event trigger should I use to signal the time for population of session variables?
A: Use (Post)AcquireRequestState. This is the first event were session state is available
Q: Is there a way for my application to query a third party STS to get a list of all users that are at least 21 years or older?
A: The short answer is no, not really.
Storage of identity information as well as management of that data should belong to the third party. Therefore, the third party needs to provide an external way of providing that information through a report or some other
The idea is that the user store is theoretically a black box, and the only information you can get out of it is the information that the user is willing to give you (via the token) and only
when the user is willing to give it to you.
Also see the discussion under the section,
How Can You Get a List of All Possible Users and All Possible Claims.
http://msdn.microsoft.com/en-us/library/ff359108.aspx for more
Q: How do I configure WIF’s behavior so a user can navigate to a given page, then click ‘login’ to go to an authentication page?
A: You can use the <authorization /> element in web.config
<allow users="*" />
Q: What security consideration should I take when developing and deploying claims aware applications?
A: Review the following page for security consideration when developing and deploying claims aware applications -
Q: Does WIF support OAuth 2.0?
A: Yes, consider reviewing WIF OAuth Extensions Sample published here - https://connect.microsoft.com/site1168/Downloads
Q: How to configure token replay detection in configuration file?
A: Set true for the enable attribute of the
tokenReplayDetection element in configuration file
What Code Samples are available for WIF?
A: Review the list of code samples here (scroll down to Code Samples bullet) - http://blogs.msdn.com/b/alikl/archive/2010/10/21/windows-identity-foundation-wif-sdk-overhaul.aspx
Q: Can I configure SSO with Active Directory for Web Application deployed to Windows Azure?
A: Yes, review the following whitepaper that walks you through the exact steps how to accomplish just that - Single Sign-On from Active Directory
to a Windows Azure Application Whitepaper
Key not valid for use in specified state
A: The default cookie encryption mechanism uses DPAPI. This would mean that a cookie created by one server (or web role instance in case of Azure) would not be readable by another server or web role instance. To solve this problem you should
use a cookie encryption mechanism that uses a key shared by all the web role instances or configure your load balancer for sticky session (not available currently for Azure). The following code is taken from patterns &practices guide
Moving Applications to the Cloud that shows how to replace the default
SessionSecurityHandler object and configure it to use the
RsaEncryptionCookieTransform class in Globala.asax:
private void OnServiceConfigurationCreated(object sender,
List<CookieTransform> sessionTransforms =
SessionSecurityTokenHandler sessionHandler =
Q: I am getting exception:
An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration
Parser Error Message:
Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive.
Line 27: during development.
Line 28: -->
Line 29: <compilation debug="true" targetFramework="4.0">
Line 30: <assemblies>
Line 31: <add assembly="Microsoft.IdentityModel, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
A: .NET 4.0 required. Install or configure your server to use ASP.NET 4.0.To configure your server for using ASP.NET run the following command in command prompt. Make sure the Framework version is 4.0:
Make sure the AppPool runs under .Net 4.0, located in AppPools Advanced Settings under General section:
Note: Changing AppPool configuration may break other applications running in this AppPool. Consider creating separate AppPool for the application with the new configurations applied.
A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
Q: What are the options for implementing authorization in claims aware application?
A: You can implement Claims Based Access Control (CBAC) which gives you freedom of implementing authorization decision based on claims in the token extending ClaimsAuthorizationManager. Here is example how -
How To Implement Claims Based Authorization For ASP.NET Application.
For traditional Role Based Access Control (RBAC) which is suitable for migration scenarios consider reviewing these simple walkthroughs:
Q: I am receiving exception with the following message:
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case
when the thread is impersonating.
A: Configure IIS to load user profile. To configure IIS to load user profile follow these steps:
Q: I am getting the following error: I updated with new stsServer certificate and changed the Web.config to point to new trusted certificate.
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry.
To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
A: If you copied the thumbprint from MMC snap-in into config, there is a known problem with copying from the certificate properties window into
the config file and getting an extra non-printable character in the text string, which causes the thumbprint match to fail.
Procedure for finding thumbprint taken from this page -
To find a thumbprint
1. On the taskbar, click Start, and then type mmc in the search box.
2. Click mmc. A window appears that contains the Microsoft Management Console application.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, select Computer account, and then click Next.
6. In the Select Computer dialog box, select Local computer, click Finish, and then click OK.
7. In the left pane, a tree view of all the certificates on your computer appears. If necessary, expand the tree. Expand the Personal folder. Expand the Certificates folder.
8. Click the certificate whose thumbprint you want.
9. In the Certificate Information dialog box, click the Details tab, and then scroll down until you see the thumbprint.
10. Copy then paste into VS editor (web.config)
11. Position the cursor in the beginning of the thumbprint by pressing on Home button.
12. Press Delete button to remove leading non-printable character.
Note – Try to avoid the situation in the first place by not selecting the blank before the 9f at the start.
If issues arise, you should be able to see it just by typing the web.config in a command window
Q: I am on a customer site and we have the following issue installing the WIF 4.0 SDK.
When installing the WIF 4.0 SDK we get the following Error: 2738
Searching (search engine of choice) for the following “msiexec.exe error 2738” to
2738 - Could not access VBScript run time for custom action .
Q: I am getting the following exception -
An error occurred during processing of the request.
Unknown server tag 'adfs:InformationCardControl'.
Additional data: 6941c49e-1098-471b-b13a-b6718c6b8bfc
A: Remove RC version of ADFS v2 and install RTW from - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en
Q: How do I get an email address claim from ACS v2?
A: You cannot obtain user's Windows Live email address from ACS. This is actually a security policy imposed by Live ID
Q: My application uses WIF and requires that it be installed as a prerequisite. Can I distribute the runtime files with my application?
A: Absolutely. There is now an additional EULA for the WIF SDK
that allows developers to redistribute the WIF runtime with their application when they develop an application using WIF.
See the WIF SDK supplemental EULA in the list of
possible downloads (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504).