Friday, August 21, 2015

IIS : Errors with web.config

Had a situation where I had a legacy website that I was attempting to convert to WIF and claims-based and when I ran the application, all I got was a white screen and the application just hung.

Not that familiar with the application but obviously it somehow hides errors from the user.

There was error logging but nothing in the logs.

I was completely baffled.

So I loaded IIS Manager and started looking at various controls e.g. ".NET Authorisation", ".NET Error Pages", "SSL Settings" etc. in some kind of hope that I would notice something that would give me a clue.

Then I clicked on "Default Document" and lo and behold it threw an exception because of an error in web.config.

This application has a huge web.config and in hand-crafting the WIF constructs I'd duplicated some sections.

So I did a "rinse and repeat" until IIS Manager showed me the default documents.

Makes sense - to get the default documents IIS Manager has to parse the web.config and throws exceptions if it can't.

Really neat trick to remember.

Of course. it would be cooler if VS actually did this for you!

Enjoy!

Monday, August 17, 2015

Azure Access Panel : Federating with a SAML IDP (ADFS)

There is a new feature in Azure Active Directory where you can configure SAML 2.0 access to a 3rd party application that is not in the Gallery

Refer : “Bring your own app” with Azure AD Self-Service SAML configuration

I'm not going to repeat what's there but I thought that I would get this working to Active Directory Federation Services (ADFS). I have Server 2016 TP2 so I simply used that.

On the ADFS side, you need the Azure Active Directory (AAD) metadata. Not going into that - there's a zillion blogs on how to add a new Claims Provider.

In AAD, under "Applications" with the filter "Applications my company owns", select one and at the bottom you'll see "View Endpoints".



Click on that and you'll see:


Click on the "Copy" image on the right and import that metadata into ADFS.

Now I don't have an actual SAML 2.0 application i.e. an application with a SAML 2.0 client side stack. This is mainly because Microsoft don't have SAML client side support - you need to purchase a commercial one or use one of the open-source ones.

Refer : SAML : SAML connectivity / toolkit for some ideas.

So I'm just going to use the IDPInitiated page. That's enough to do a PoC to figure out how this stuff works.

Beware : ADFS : .IdPInitiatedSignonPageDisabledException 

The URL is:

https://xxx/adfs/ls/IdpInitiatedSignOn.aspx

So the configuration page inside of AAD is:


You would obviously have to put in the real "Reply URL" for an actual application etc.

The next page when you configure the "other" side i.e. ADFS you can ignore because you did that when you imported the metadata.

Give your users access rights as per the blog link above and then you will see your application in the Access Panel i.e.

myapps.microsoft.com

Click on the application icon, sign into AAD and you'll see:



If you use Firefox to run the Access Panel, add the "SAML Tracer" extension and when you click the icon, you'll see

in the trace.

The two SAML packets are the AuthnRequest and the Response ID.

Inside the Response ID, you'll see the attributes that you configured under the "Attributes" tab as per the blog link above.

Of course, it's much easier if the application you want is already in the Gallery and you just have to go through a simple wizard to achieve the same result :-)

Enjoy!

ADFS : .IdPInitiatedSignonPageDisabledException

This is using Server 2016 TP2 but also applies to 2012 R2 with Active Directory Federation Services (ADFS / "AD FS").

I was looking at the IDPIntiated page i.e.

https://xxx/adfs/ls/idpinitiatedsignon.htm

and got this error:

Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.

WTF?

So Mr. Google to the rescue and I found that in these editions it has been disabled.

@Jorge blogged about it but unfortunately he watermarks his images and the watermark totally obscures the PowerShell command!

Get-AdfsProperties

...
AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : Threshold
DeviceUsageWindowInDays                    : 7
EnableIdpInitiatedSignonPage               : False


See the problem right there on the last line?

So we run:

 set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Problem solved:

AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : Threshold
DeviceUsageWindowInDays                    : 7
EnableIdpInitiatedSignonPage               : True


Enjoy!

Friday, August 14, 2015

Musings : So you want to be an Identity guru

This is in the Microsoft space because that's where I play.

And I don't dabble in FIM (now called MIM) so I won't cover that area.

This is somewhat of a progressive post - I'll keep adding to it as and when.

It's based on my personal experience - kind of how I got here.

First of all be very clear - it's not easy and it involves a lot of commitment - which implies after-hours reading etc.

Secondly, you need to decide the scope. Is it ADFS, WIF, ACS, ADAL, OWIN, Azure AD, on premises AD etc?

OK - that's a huge list right there, And no, I'm not an expert in all theses field but I know my way around them and I know where to look when I need information.

Thirdly, do you want to be (in cloud terms) PaaS or IaaS (Platform or Infrastructure as a Service) i.e. do you want to be coding an OWIN interface or do you want to be installing ADFS and figuring out firewall, VIP and VPN rules?

You have to be across both but I'm more a PaaS kind of guy.

Perhaps the best way to start is to have a look at the samples section below, choose one, down load, run, get it working, see how it works, use Fiddler to see the actual protocol on the wire etc.

So in no particular order:

Certificates - how to generate, how to install, how to troubleshoot.

Cryptography

You don't need a deep knowledge but you need to understand the basics e.g. public / private keys.

I personally own:

The Code Book: The Secret History of Codes and Code-breaking
Cryptography: A Very Short Introduction (Very Short Introductions) (Actually, the whole VSI series is worth a look),
Cryptanalysis
Codes, Ciphers and Secret Writing 

and the heavy artillery!

Applied Cryptography: Protocols, Algorithms and Source Code in C

Blogs

AD blog
Ask Premier Field Engineering
Ask Directory Services
Cloud Identity -Vittorio Bertocci's blog - must read
The Access Onion
leastprivilege

Microsoft Identity Books

A Guide to Claims-Based Identity and Access Control
(You can buy it but it's a free download).
Programming Windows Identity Foundation
Microsoft Windows Identity Foundation Cookbook
Modern Authentication with Active Directory for Web Applications

Forums

You need to get to the point where you can jump in and actively contribute - don't worry - we don't bite and new blood is always welcome.

stackoverflow - There are tags for adfs, wif, adal, saml-2.0 etc.
Claims based access platform (CBA) code name Geneva - Geneva was the original code name for ADFS

Protocols

WS Federation

WS Federation

SAML 2.0

How To Learn SAML
SAML Technical Overview

OAuth 2

OAuth 2.0 
OpenID Connect

Samples

Microsoft Azure Active Directory Samples and Documentation

These include ADAL samples and samples of how to use all the different protocols.

Enjoy!

Thursday, August 13, 2015

Misc : European law for cookies

Apparently, European law requires a notice that this site uses cookies.

"European Union (EU) laws require you to give EU visitors information about cookies used on your blog. In many cases, these laws also require you to obtain consent.

As a courtesy, we have added a notice on your blog to help meet these regulations."

So Google has added this feature to Blogger.

If you go to e.g. nzpcmad.blogspot,fr (for France), you see:


Very neat!

BTW: From reading Troy Hunt's blog, I found that he also uses Blogger :-).

Enjoy!

Wednesday, August 05, 2015

WIF : Federation Metadata Generation Tools

This question pops up frequently on various forums:

How do I generate metadata?

So I thought I'd collect a few links:

(Note: I haven't tried all of these - they may or may not work - use at your own risk - backup current metadata first if required).

Federation Metadata Generation Tool

STS Federation Metadata Editor

Also, have a look at the code inside:

Identity Server

You will see that it's generated dynamically.

Geneva-based WS-Federation metadata document generation wizard

Enjoy!

Monday, August 03, 2015

AAD : Access Panel extension doesn't have an "Enable" button

Playing with the Azure Access Panel (myapps.microsoft.com) and needed to install the Access Panel Extension. I was using IE 11 at the time (Yeah - I know :-) ).

Problem was at the end of the install, it says "Click the Enable button" and said button was MIA.

Help file here:  Troubleshooting the Access Panel Extension for Internet Explorer.

I didn't bother with the Diagnostic Tool.

There's a section that describes how to check if the extension is enabled.

In short:

Tools / Internet Options / Programs / Manage add-ons / Select Access Panel Extensions / Click Enable (bottom right).

Close and restart IE.

Enjoy!

Friday, July 24, 2015

Misc : Just because something is there doesn't mean you have to use it.

I came across a situation recently that made me smile!

For various reasons, this company uses ADFS and IdentityServer 2.0.

They then had a requirement to secute a Web API.

Web API's require a JWT token and they knew that IdentityServer allows you to convert token types for RP i.e.


So the path is Web API --> IS --> ADFS and then return the SAML token and convert to JWT.

It works fine but if they had taken a step back and asked "What is the correct way to do this" and not been sidetracked by the JWT issue, then they would have found a much better solution which is also supported by IS viz. OAuth2.

As it transpired, they needed to authenticate against AD which IS doesn't do and ADFS 3.0 has limited OAuth functionality but when ADFS vNext on Server 2016 comes out, hopefully they will convert the above and use OAuth2!

Enjoy!

Tuesday, July 21, 2015

ADFS : Problems when restarting

This is with Active Directory Federation Services / ADFS / "AD FS" 2012 R2.

Server sometimes hangs during restart.

What I find is that the server is up but the ADFS wizard will not start. It says that the ADFS service is not running. So restart the ADFS service.

Bad idea! Service just sits there saying "Starting". Can't Stop / Restart etc.

So reset the server. Takes a while to come up.

Before starting the ADFS service, start the Microsoft Key Distribution Service” and then start the ADFS service and then start the ADFS wizard.

Some more possibly useful information here.

All OK.

Enjoy!

Tuesday, June 23, 2015

stackoverflow : Tag badges

Finally got my ADFS 2.0 tag badge:


Nice to get some recognition for all those hours helping and mentoring people.

Goes nicely with my others:

Enjoy!


Tuesday, June 16, 2015

Musings : How to reset a password

I've been involved in discussions with a number of customers recently around this very topic and (without exception) everyone has given me a flowchart that is flawed in some way.

People, this problem has already been solved. Why do you want to re-invent the wheel?

The inestimable Troy Hunt blogged on this a while back - Everything you ever wanted to know about building a secure password reset feature .

There's a flowchart at the end of the post which gives a good overview of the type of system that you should be designing.

I used this flowchart as a discussion point against the various "models" I was presented with and in each case, we discussed what was missing and the risks associated with that.

Ultimately, the customer makes the choice - but it's always worth having the discussion so that they are as informed as possible.

And always write down your recommendations so when things turn to custard and the finger points at you, you have something tangible to fall back on.

BTW - you could use most of this as a "Change Password" guide.

Enjoy!

ADFS : Playing around with Postman

This is for Active Directory Federation Services / "AD FS" / ADFS on Windows Server 2016 (currently Technical Preview 2).

My server is in an Azure VM.

I been playing around with Postman and the new OpenID Connect / OAuth2 features in ADFS.

But could not get it to work.

I contacted the Postman people who were very helpful and they advised me that the issue was that the SSL certificate on my VM is self-signed and hence causes the problem. There's no trust. Other than that, there appears to be no issues.

As this is a test VM and is going to be superseded when TP3 comes along, I don't really see any point in paying for a CA certificate.

But it would be nice to see it working :-)

Enjoy!