A: The default cookie protection mechanism uses DPAPI, whose keys are specific to the machine. A session cookie created by one server (or web role instance, in the case of Azure) therefore cannot be read by another server or web role instance. To solve this, either use a cookie protection mechanism keyed to something every instance shares, such as the service certificate, or configure your load balancer for sticky sessions (not currently available for Azure). The following code, taken from the patterns & practices guide Moving Applications to the Cloud, shows how to replace the default SessionSecurityTokenHandler in Global.asax and configure it to use the RsaEncryptionCookieTransform and RsaSignatureCookieTransform classes. Every instance must have the same certificate, including its private key, installed; treat that certificate as a secret, because whoever holds it can decrypt and forge session cookies.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Global.asax: subscribe before the first request so the handler below runs
// once WIF has built its service configuration.
void Application_Start(object sender, EventArgs e)
{
    FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
}

private void OnServiceConfigurationCreated(object sender,
    ServiceConfigurationCreatedEventArgs e)
{
    // Replace the DPAPI-based default with transforms keyed to the service
    // certificate, which every web role instance shares: compress, encrypt, sign.
    List<CookieTransform> sessionTransforms =
        new List<CookieTransform>(
            new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(
                    e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(
                    e.ServiceConfiguration.ServiceCertificate)
            });
    SessionSecurityTokenHandler sessionHandler =
        new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive. Source Error:
Line 27: during development.
Line 28: -->
Line 29: <compilation debug="true" targetFramework="4.0">
Line 30: <assemblies>
Line 31: <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
A: .NET 4.0 is required. Install it, or configure your server to use ASP.NET 4.0. To register ASP.NET 4.0 with IIS, run the following command in a command prompt from the 4.0 Framework directory (check that the path really is the v4.0.30319 version; on a 64-bit server use the Framework64 directory): C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -i
You can list the ASP.NET versions already registered with aspnet_regiis.exe -lv.
Then make sure the application pool runs under .NET Framework v4.0: in IIS Manager, open the pool's Advanced Settings and set .NET Framework Version under the General section.
Note: Changing the AppPool configuration may break other applications running in this AppPool. Consider creating a separate AppPool for the application with the new configuration applied.
A: http://social.technet.microsoft.com/wiki/contents/articles/windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-quot-lt-t-requestsecurityto-quot.aspx
A: You can implement Claims Based Access Control (CBAC), which gives you the freedom to make authorization decisions based on the claims in the token, by extending ClaimsAuthorizationManager. Here is an example: How To Implement Claims Based Authorization For ASP.NET Application. For traditional Role Based Access Control (RBAC), which is suitable for migration scenarios, consider reviewing these simple walkthroughs:
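As an added example (not code from the page or from the linked walkthrough), here is a deny-by-default ClaimsAuthorizationManager for a WIF 3.5 ASP.NET application. The policy, the assembly name MyApp, the /admin/ path and the Admin role are assumptions for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Registration (web.config), assuming the class lives in assembly "MyApp":
//   <microsoft.identityModel><service>
//     <claimsAuthorizationManager type="MyApp.PathRoleAuthorizationManager, MyApp" />
//   </service></microsoft.identityModel>
//   <system.webServer><modules>
//     <add name="ClaimsAuthorizationModule"
//          type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
//   </modules></system.webServer>
//
// With the module registered, WIF calls CheckAccess once per request: the request URL
// is the single claim in context.Resource, the HTTP verb the single claim in context.Action.
public class PathRoleAuthorizationManager : ClaimsAuthorizationManager
{
    // Hypothetical policy: everything under /admin/ requires the "Admin" role claim;
    // the rest of the site only requires an authenticated user.
    private const string AdminPathPrefix = "/admin/";
    private const string AdminRole = "Admin";

    public override bool CheckAccess(AuthorizationContext context)
    {
        if (context == null || context.Principal == null) return false;

        IClaimsIdentity identity = context.Principal.Identity as IClaimsIdentity;
        // Returning false for an anonymous request yields a 401, which the
        // WS-Federation module turns into the redirect to the STS.
        if (identity == null || !identity.IsAuthenticated) return false;

        Claim resource = context.Resource.FirstOrDefault();
        if (resource == null) return false;

        return IsAllowed(identity, resource.Value);
    }

    // Kept separate from CheckAccess so the policy can be unit-tested without an HTTP context.
    public static bool IsAllowed(IClaimsIdentity identity, string requestUrl)
    {
        Uri url;
        if (!Uri.TryCreate(requestUrl, UriKind.Absolute, out url)) return false;

        // Decide on the path component only: parsing through Uri collapses "../"
        // segments, the query string never influences the rule, and the comparison
        // is case-insensitive because IIS paths are.
        string path = url.AbsolutePath;
        if (!path.StartsWith(AdminPathPrefix, StringComparison.OrdinalIgnoreCase))
            return true;

        return identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role &&
            string.Equals(c.Value, AdminRole, StringComparison.Ordinal));
    }
}
```

Any exception or unexpected input ends in a denial rather than an allow; that is the property to preserve when you extend the policy.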
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
A: Configure the application pool to load the user profile, which the default DPAPI-based cookie protection needs: in IIS Manager, open the pool's Advanced Settings and set Load User Profile to True under the Process Model section.
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
A: If you copied the thumbprint into the config file from the MMC certificate properties window, there is a known problem: the copied text carries an extra non-printable character, which makes the thumbprint comparison fail.
Procedure for finding a thumbprint, taken from http://msdn.microsoft.com/en-us/library/ff359102.aspx:
1. On the taskbar, click Start, and then type mmc in the search box.
2. Click mmc. A window appears that contains the Microsoft Management Console application.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, select Computer account, and then click Next.
6. In the Select Computer dialog box, select Local computer, click Finish, and then click OK.
7. In the left pane, a tree view of all the certificates on your computer appears. If necessary, expand the tree. Expand the Personal folder, then the Certificates folder.
8. Click the certificate whose thumbprint you want.
9. In the Certificate Information dialog box, click the Details tab, and then scroll down until you see the thumbprint.
10. Copy it and paste it into the Visual Studio editor (web.config).
11. Position the cursor at the beginning of the thumbprint by pressing the Home key.
12. Press the Delete key to remove the leading non-printable character.
Note: Try to avoid the situation in the first place by not selecting the blank before the first byte (the 9f in the example above) when copying. If issues arise, you should be able to see the stray character by displaying web.config with the type command in a command window.
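A small check for the problem above, added here as an example (not code from the page or from MSDN): it reads the trustedIssuers entries from a web.config, strips anything that is not a hex digit, reports the code points of the stray characters it removed, and confirms that the cleaned value has the 40 hex digits of a SHA-1 thumbprint. The inline web.config is constructed for the example; the leading U+200E in the second entry stands in for the non-printable character that MMC typically copies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public static class ThumbprintCheck
{
    // A SHA-1 thumbprint is 20 bytes, so the configured value should be exactly 40 hex digits.
    private static readonly Regex Hex = new Regex("^[0-9A-F]{40}$");

    public sealed class Finding
    {
        public string Name;     // the name="" attribute of the <add> element
        public string Raw;      // thumbprint exactly as configured
        public string Cleaned;  // hex digits only, upper-cased: the value to put back in web.config
        public string Stray;    // code points of removed non-hex, non-space characters ("" if none)
        public bool Valid;      // true when Cleaned is 40 hex digits
    }

    public static List<Finding> Check(string webConfigXml)
    {
        XDocument doc = XDocument.Parse(webConfigXml);
        var findings = new List<Finding>();
        foreach (XElement add in doc.Descendants("trustedIssuers").Elements("add"))
        {
            string raw = (string)add.Attribute("thumbprint") ?? "";
            // Spaces between byte pairs are harmless to report; anything else is suspicious.
            var stray = raw.Where(ch => !Uri.IsHexDigit(ch) && !char.IsWhiteSpace(ch))
                           .Select(ch => string.Format("U+{0:X4}", (int)ch));
            string cleaned = new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
            findings.Add(new Finding
            {
                Name = (string)add.Attribute("name") ?? "",
                Raw = raw,
                Cleaned = cleaned,
                Stray = string.Join(" ", stray.ToArray()),
                Valid = Hex.IsMatch(cleaned)
            });
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: the second entry carries a leading U+200E as pasted from MMC.
        string sample =
            "<configuration><microsoft.identityModel><service><issuerNameRegistry>" +
            "<trustedIssuers>" +
            "<add thumbprint=\"9F0A1B2C3D4E5F60718293A4B5C6D7E8F9001122\" name=\"typed\" />" +
            "<add thumbprint=\"\u200E9F0A1B2C3D4E5F60718293A4B5C6D7E8F9001122\" name=\"pasted\" />" +
            "</trustedIssuers></issuerNameRegistry></service></microsoft.identityModel></configuration>";

        foreach (Finding f in Check(sample))
        {
            Console.WriteLine("{0}: {1} stray=[{2}] cleaned={3}",
                f.Name, f.Valid ? "ok" : "BAD", f.Stray, f.Cleaned);
        }
    }
}
```

Run it against the real web.config (File.ReadAllText) before deploying: an entry that is valid after cleaning but reports a stray code point is exactly the ID4175 case described above.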
When installing the WIF 4.0 SDK we get the following error: 2738
Searching (with the search engine of your choice) for "msiexec.exe error 2738" leads to http://msdn.microsoft.com/en-us/library/aa372835(VS.85).aspx, which describes the error as:
2738 - Could not access VBScript run time for custom action [2].
A: If Visual Studio 2010 is not installed, install it. - http://www.microsoft.com/visualstudio/en-us/products/2010-editions
Unknown server tag 'adfs:InformationCardControl'.
Additional dat
A: 6941c49e-1098-471b-b13a-b6718c6b8bfc
A: Remove the RC version of ADFS v2 and install the RTW from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en
A: You cannot obtain the user's Windows Live e-mail address from ACS. This is a security policy imposed by Live ID: http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/b2d2e62d-1a93-43bd-9717-a82fd63ed3cd
A: Absolutely. There is now an additional EULA for the WIF SDK that allows developers to redistribute the WIF runtime with their application when they develop an application using WIF. See the WIF SDK supplemental EULA in the list of possible downloads (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504).
A: The key type is part of the RST; either set it manually when using WSTrustChannelFactory, or set it on the binding when you use WCF's automatic token request facility. The setting is issuedKeyType="SymmetricKey".
A: Use (Post)AcquireRequestState. This is the first event where session state is available.
A: You can set the home realm parameter 'whr' (in config or programmatically) when redirecting to ADFS 2.0. The value must be the issuer URI of the desired claims provider, i.e. the identifier of its claims provider trust.
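An added example (not from the page) of setting whr programmatically in Global.asax. The organisation keys, the issuer URIs and the "org" cookie are hypothetical; each URI must equal the identifier of the corresponding claims provider trust in ADFS 2.0. The point of the table is that the browser only ever supplies a lookup key, never the realm itself, so a caller cannot steer the sign-in to an arbitrary claims provider.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Hypothetical mapping from an organisation key to that organisation's claims provider.
    private static readonly Dictionary<string, string> HomeRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso",  "http://adfs.contoso.example/adfs/services/trust" },
            { "fabrikam", "http://adfs.fabrikam.example/adfs/services/trust" },
        };

    // Returns the issuer URI for a known organisation key, or null for anything else;
    // with no whr, ADFS falls back to its own home realm discovery page.
    public static string ResolveHomeRealm(string orgKey)
    {
        string realm;
        if (string.IsNullOrEmpty(orgKey) || !HomeRealms.TryGetValue(orgKey.Trim(), out realm))
            return null;
        return realm;
    }

    // ASP.NET auto-wires Global.asax methods named <moduleName>_<eventName>;
    // FedUtil registers the module under the name "WSFederationAuthenticationModule".
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Hypothetical: the key was stored in a cookie when the user chose their
        // organisation on an earlier visit. It is used only as a dictionary key.
        HttpCookie orgCookie = Request.Cookies["org"];
        string realm = ResolveHomeRealm(orgCookie == null ? null : orgCookie.Value);
        if (realm != null)
        {
            // Emitted as whr=... on the wsignin1.0 redirect to ADFS.
            e.SignInRequestMessage.HomeRealm = realm;
        }
    }
}
```

If you instead take the key from the query string (for example from a per-tenant landing page), keep the same lookup: accept only keys present in the table.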
A: The short answer is no, not really.
Storage of identity information as well as management of that data should belong to the third party. Therefore, the third party needs to provide an external way of providing that information through a report or some other means.
The idea is that the user store is theoretically a black box, and the only information you can get out of it is the information that the user is willing to give you (via the token) and only when the user is willing to give it to you.
Also see the discussion under the section, How Can You Get a List of All Possible Users and All Possible Claims.
See http://msdn.microsoft.com/en-us/library/ff359108.aspx for more information.
A: You can use the <authorization /> element in web.config, scoped to a page or folder with <location>. Note that users="*" matches every user, including anonymous ones, whereas users="?" matches only anonymous users; the pattern below is normally combined with a site-wide deny for anonymous users, so that only default.aspx is reachable before signing in.
For example:
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
A: Review the following page for security consideration when developing and deploying claims aware applications - Security Considerations
A: Yes, consider reviewing WIF OAuth Extensions Sample published here - https://connect.microsoft.com/site1168/Downloads
A: Set the enabled attribute of the tokenReplayDetection element in the configuration file to true. Note that the default replay cache lives in the memory of a single worker process, so in a web farm or multi-instance Azure deployment each instance only detects replays it has itself seen, unless you plug in a TokenReplayCache implementation backed by shared storage.
A: Review the list of code samples here (scroll down to Code Samples bullet) - http://blogs.msdn.com/b/alikl/archive/2010/10/21/windows-identity-foundation-wif-sdk-overhaul.aspx
A: Yes, review the following whitepaper that walks you through the exact steps how to accomplish just that - Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'). I created a relying party in ACS and used SWT as the token format. Then I used "Add STS reference..." to my web app and pointed it to https://MyApp.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml. If I switched to use SAML 2.0 token format, it works just fine.
A: WIF does not include a security token handler for SWT. You can find a sample here: http://zamd.net/2010/07/31/using-wif-for-securing-rest-service/
I wouldn't put too many bets on SWT - seems it will soon be replaced by JWT (of course the good thing about WIF is that these details are abstracted away from an application point of view).
A: No - the session token (which holds the bootstrap token) gets generated from the IClaimsPrincipal - that's after decryption. But the session token itself is encrypted by default.
A: You can use the SAML security token handler's WriteToken method. This writes to an XmlWriter. Then convert this to a string, e.g. var sb = new StringBuilder(128); handler.WriteToken(new XmlTextWriter(new StringWriter(sb)), token);
Is it the public key used to decrypt the token? <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">W6QZ8TBjeMzd2YdBldib7pOVvT8= How is the key identifier used to fetch right key material and verify the signature and how to do this programmatically?
A: There are multiple possible key identifiers - e.g. a thumbprint, or the complete certificate is embedded inside the token / signature. On the receiving end the SecurityTokenResolver classes are used to fetch the right key material (e.g. from the certificate store, or by re-hydrating the cert from the embedded base64 string inside the token). The key identifier for signatures is a hint for the receiver of the token. This hint must be sufficient for the receiver to fetch the right key material to verify the signature.
A: But you can use WIF to create plumbing for WCF REST services. See the library at http://identitymodel.codeplex.com, which has samples for that.
A: When using WSTrustChannelFactory from WIF you can include arbitrary information in the RST. There's also a sample in the SDK. If you want to go the custom WCF service way, you have to populate a SecurityTokenDescriptor and pass it to the SamlxxSecurityTokenHandler's CreateToken method. But I can tell you that this is not trivial - when you want to use the token for back-end WCF services you also have to deal with proof keys, for example.
What sort of keys? X509 is public/private key. I want to use sn.exe and generate keys using which I want to encrypt the message.
A: That's not very common practice - but at the end of the day a certificate (plus private key) is just a byte[]. So no need to reinvent the wheel: you can use makecert to create your own X.509 keys.
We have a SaaS product that provides SSO with Ping, but one of our clients wants to use Win2003 ADFS on the IdP side. I would like to test our app connecting with a Win 2003 ADFS as IdP. Is there a blog or site with steps to connect ADFS with Ping?
A: Does this training piece help? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b24dbe27-5bea-4564-bf7d-c077af69e997&displaylang=en
My claims based app is working fine on my development machine. I have been using the production ADFS 2 server to retrieve claims and all seems to be working well. I normally use MSDeploy to automate my deployments and any assistance on which sections of web.config need to be modified and how would be much appreciated. In particular, how do I set/modify those strings of hex digits? Where do I get the production values from? Do I need to install fedutil on the production machine? There is a video somewhere that I saw some time ago but have lost the reference for it which had a section on how to deploy to production, if anyone knows what I am talking about that would be great! I recall that there was something about adding a name attribute to the microsoft.identityModel/service element but I forget the details. Any pointers or advice would be welcome.
A: I think this is the training video you are looking for: http://www.microsoftpdc.com/2009/SVC17
A: WIF builds upon System.IdentityModel. You typically use the Microsoft.* classes like Claim and ClaimTypes etc.
I know this is sometimes confusing - but whenever you have a choice between System.* and Microsoft.*, choose Microsoft.*
A: There is a new topic on MSDN that completely describes the WIF Configuration file, its various components and usage examples.