Friday, August 08, 2014

ADFS : Certificate details in the metadata

Common problem - you get sent some metadata that contains certificate info and then get an error when you try to import it.

Would be really useful to see the actual certificate, right?

Good news is that help is at hand.

In the metadata file, you'll see something like:

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data><ds:X509Certificate>...Base64 certificate...</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>

The actual certificate is the Base64-encoded DER blob inside ds:X509Certificate.

Copy it - the stuff between the opening and closing ds:X509Certificate tags.

Now paste that into an editor - Notepad++ is my poison of choice.

Then save that as a .cer file. Windows is happy with bare Base64; if you also want openssl to read it, wrap it in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.

Now double-click on the file in Explorer.

Job done!
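If you have to do this more than once, the copy-and-paste can be scripted. The following is an added example, not code from the original post: it pulls every X509Certificate out of a metadata file, reports what you would otherwise double-click for (subject, thumbprint, expiry, signing vs. encryption use) and writes each one out as a PEM-style .cer. The metadata path, output directory and function name are assumptions.

```powershell
# Added example, not part of the original post. Assumes a SAML 2.0 / WS-Fed metadata file;
# paths and the function name are placeholders.

function Get-MetadataCertificate {
    param(
        [Parameter(Mandatory)] [string] $MetadataPath,
        [string] $OutDir
    )
    [xml] $md = Get-Content -Path $MetadataPath -Raw

    # Query by namespace URI, so it does not matter which prefix ('ds' or none) the file uses.
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    if ($OutDir) { New-Item -ItemType Directory -Path $OutDir -Force | Out-Null }

    $i = 0
    foreach ($node in $md.SelectNodes('//ds:X509Certificate', $ns)) {
        $i++
        # KeyDescriptor use="signing" or "encryption"; if the attribute is absent the key serves both.
        $kd  = $node.SelectSingleNode('ancestor::*[local-name()="KeyDescriptor"]')
        $use = if ($kd -and $kd.GetAttribute('use')) { $kd.GetAttribute('use') } else { 'signing+encryption' }

        # Metadata generators often wrap the Base64 over several lines; strip all whitespace first.
        $b64   = $node.InnerText -replace '\s', ''
        $bytes = [Convert]::FromBase64String($b64)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

        $file = $null
        if ($OutDir) {
            # BEGIN/END lines make the file readable by openssl as well as by the Windows viewer.
            $lines = ($b64 -split '(.{64})') -ne ''
            $pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"
            $file  = Join-Path $OutDir ("{0}-{1}-{2}.cer" -f $i, $use, $cert.Thumbprint)
            Set-Content -Path $file -Value $pem -Encoding Ascii
        }

        [pscustomobject]@{
            Use        = $use
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            File       = $file
        }
    }
}

# Usage (paths are assumptions):
# Get-MetadataCertificate -MetadataPath .\FederationMetadata.xml -OutDir .\certs | Format-Table -AutoSize
```

This lists what the file claims to contain; it does not check the metadata's own signature, so verify that separately before trusting the certificates it carries.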


Wednesday, July 23, 2014

stackoverflow : 500 answers

Finally hit the mark.

If you calculate that I try to answer one question every day and 5 weekdays per week, then:

500 / 5 = 100 weeks ~ 2 years to get here!

Actually, it's taken almost 6 years.

Can do better!


Monday, July 21, 2014

SAML : I want to test my code

This question pops up frequently on the forums.

"I have written my own custom IDP / SP. How can I test it against some instance that's publicly available?"

There are a range of commercial products, e.g. Tivoli, Oracle, Ping Identity and OpenAM, which all deliver this functionality, but they are complex to set up and are most certainly not free.

If you work in the Microsoft world and have a "spare" Windows server that's domain joined you can use ADFS. This runs on 2008 R2, 2012 and 2012 R2 and supports both IDP and SP mode.

Open source:

* Shibboleth (and the public TestShib instance)
* simpleSAMLphp

Both of these support IDP and SP mode.

Hosted test instances:

* SSOCircle - IDP only
* Kentor - IDP only
* Feide OpenIDP - IDP only
* Salesforce developer - IDP / SP

Beware: these are often simplified, and some security checks have been removed, so the fact that your code works in these environments does not ensure that it will work in the real world.

There are also some commercial / open source SAML stacks. These often ship with a test IDP and SP that you can run up for basic testing.

ComponentSpace is one (commercial) example.
The onelogin SAML toolkits are open source.

There are others.


Friday, July 18, 2014

ADFS : ADFS and SAML AuthnContext

This article gives an good overview of the subject:

Authentication Handler Overview

You'll see that normally ADFS will set the AuthnContext to something like "urn:oasis:names:tc:SAML:1.0:am:password" for FBA (forms-based authentication).

So what happens if you have ADFS as a SP and the IDP demands something else?

If you have an ASP.NET application as the RP, you're in luck. All you have to do is set the wauth parameter as per this article:

Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

I normally do this in the web.config.

It seems counter-intuitive: wauth is a WS-Fed protocol parameter, not a SAML one, but ADFS maps it through to the SAML IDP as the RequestedAuthnContext in the AuthnRequest.

What happens if your RP is SharePoint? Sadly, in this case you are fresh out of options. There are many references to this on the web but nobody appears to have a solution.

You pretty much have to add a proxy that adds this element, or speak nicely to your IDP provider!

Essentially you have to deconstruct the AuthnRequest, add the RequestedAuthnContext element (a samlp:RequestedAuthnContext holding a saml:AuthnContextClassRef) and then put it all back together. That's basically just vanilla XML manipulation. However, if the agreement is that the AuthnRequest has to be signed, it's a whole new ballgame. You now have to get your hands on the private key of the SP signing certificate and read the SAML specifications to see which part of the AuthnRequest is the signing input: for the HTTP-POST binding it is an enveloped XML signature over the AuthnRequest element, whereas for HTTP-Redirect the signature is over the deflated, URL-encoded query string, so it is not an XML signature at all.

If you have certificate rollover set in ADFS, you are again screwed: the signing certificate is not in the certificate store. It's some weird combination of a certificate container in AD, a blob in one of the attributes and a link to the ADFS configuration database.

In this case, turn rollover off, generate your own certificates, place them in the certificate store in the usual manner and you are good to go. Remember to give the application account access to the private key. If that's all Greek, refer to:

AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates

under the "Manage private keys" section.
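To make the "proxy" route concrete, here is an added example (not code from the original post, and not anything ADFS ships): it inserts a RequestedAuthnContext into an AuthnRequest and re-signs the result with the SP signing key the way the HTTP-POST binding expects. It assumes .NET 4.6.2 or later (RSA-SHA256 support in SignedXml), a fixed (non-rollover) signing certificate in LocalMachine\My whose private key the running account can read, and that the request travels over HTTP-POST; the Redirect binding signs the query string instead, so this code does not apply there. The function names, the sample request, the thumbprint and all URLs are placeholders.

```powershell
# Added example, not part of the original post. Assumptions: HTTP-POST binding, .NET 4.6.2+,
# signing cert with readable private key in LocalMachine\My. All names/URLs are placeholders.

Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Xml

$Samlp = 'urn:oasis:names:tc:SAML:2.0:protocol'
$Saml  = 'urn:oasis:names:tc:SAML:2.0:assertion'
$Ds    = 'http://www.w3.org/2000/09/xmldsig#'

function Add-RequestedAuthnContext {
    param([Parameter(Mandatory)] [xml] $Request, [Parameter(Mandatory)] [string] $ClassRef, [string] $Comparison = 'exact')
    $root = $Request.DocumentElement
    if ($root.LocalName -ne 'AuthnRequest' -or $root.NamespaceURI -ne $Samlp) { throw 'Not a SAML 2.0 AuthnRequest' }

    # Any existing Signature or RequestedAuthnContext is stale once we edit the request: drop both.
    foreach ($n in @($root.GetElementsByTagName('Signature', $Ds)) + @($root.GetElementsByTagName('RequestedAuthnContext', $Samlp))) {
        [void]$root.RemoveChild($n)
    }

    $rac = $Request.CreateElement('samlp', 'RequestedAuthnContext', $Samlp)
    $rac.SetAttribute('Comparison', $Comparison)
    $ref = $Request.CreateElement('saml', 'AuthnContextClassRef', $Saml)
    $ref.InnerText = $ClassRef
    [void]$rac.AppendChild($ref)

    # Schema order of AuthnRequest children ends: ..., Conditions?, RequestedAuthnContext?, Scoping?
    $scoping = $root.GetElementsByTagName('Scoping', $Samlp) | Select-Object -First 1
    if ($scoping) { [void]$root.InsertBefore($rac, $scoping) } else { [void]$root.AppendChild($rac) }
}

function Sign-AuthnRequest {
    param([Parameter(Mandatory)] [xml] $Request, [Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint (check 'Manage private keys' on the cert)" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

    $root = $Request.DocumentElement
    $sx = New-Object System.Security.Cryptography.Xml.SignedXml($Request)
    $sx.SigningKey = $rsa
    $sx.SignedInfo.CanonicalizationMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigExcC14NTransformUrl
    $sx.SignedInfo.SignatureMethod = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

    # Signing input: the element carrying the request's ID, with the Signature itself removed
    # (enveloped transform) and exclusive C14N applied.
    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = '#' + $root.GetAttribute('ID')
    $ref.DigestMethod = 'http://www.w3.org/2001/04/xmlenc#sha256'
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigExcC14NTransform))
    $sx.AddReference($ref)

    $ki = New-Object System.Security.Cryptography.Xml.KeyInfo
    $ki.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($cert)))
    $sx.KeyInfo = $ki

    $sx.ComputeSignature()
    # Schema position: ds:Signature goes straight after saml:Issuer.
    $issuer  = $root.GetElementsByTagName('Issuer', $Saml) | Select-Object -First 1
    $sigNode = $Request.ImportNode($sx.GetXml(), $true)
    if ($issuer) { [void]$root.InsertAfter($sigNode, $issuer) } else { [void]$root.PrependChild($sigNode) }

    # HTTP-POST carries the request as Base64 of the XML in the SAMLRequest form field.
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Request.OuterXml))
}

# Constructed sample, roughly the shape ADFS emits (not a captured request):
[xml] $req = @"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_5d4c2f1a" Version="2.0" IssueInstant="2014-07-18T09:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://adfs.example.com/adfs/ls/">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
"@
Add-RequestedAuthnContext -Request $req -ClassRef 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
# $samlRequest = Sign-AuthnRequest -Request $req -Thumbprint '<SP signing certificate thumbprint>'
```

The proxy must strip the signature ADFS put on the original request before editing (the code does this); re-signing a modified document without removing the old ds:Signature produces something the IDP will reject, and leaving the original signature in place while changing the content is exactly what signature validation is there to catch.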


Wednesday, July 09, 2014

ADFS : Claims rules and regex

I answer a lot of claims rules questions over on the forum, and a lot of them concern regex.

One of the recent ones concerned:

"This works fine. I want to filter groups that are included in outgoing claim to just groups which start with string "SG". So I wrote custom ADFS rule:

c:[Type == "", Value =~ "(?i)^SG*"]
 => issue(claim = c);"

There are a number of tools to check the regex. I tend to use Expresso.

But then I came across an article which showed an easy way to check this in PowerShell.

PS C:\> "SG1234" -match '(?i)^SG*'
True
PS C:\> "abcSG1234" -match '(?i)^SG*'
False
PS C:\> "SG1234" -match '(?i)^SG.'
True
PS C:\> "SG" -match '(?i)^SG.'
False
PS C:\> "SG" -match '(?i)^SG'
True

 ... and you can see some of the other strings I played around with.
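The one-liners above tell you whether a string matches, but the security question for a filtering rule is the opposite one: what else gets through? `^SG*` means "S followed by zero or more G", so it also passes any group starting with S. The following is an added example (not from the original post) that runs a pattern over a constructed set of group values and lists what the rule would issue. It uses -cmatch rather than -match: ADFS evaluates =~ with .NET regex and is case-sensitive unless the pattern itself says (?i), whereas PowerShell's -match is case-insensitive by default and would make a rule look safe when it is not. The function name and group names are assumptions.

```powershell
# Added example, not part of the original post. Group names below are constructed, not real data.

function Test-ClaimRuleRegex {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,   # the right-hand side of Value =~ "..."
        [Parameter(Mandatory)] [string[]] $Values     # candidate group claim values
    )
    foreach ($v in $Values) {
        # -cmatch: case-sensitive, like the ADFS rule engine; (?i) in the pattern still works.
        [pscustomobject]@{ Value = $v; Issued = ($v -cmatch $Pattern) }
    }
}

$groups = 'SG-Finance', 'sg-hr', 'SGroup', 'Sales', 'Staff', 'SuperG', 'Domain Users', 'XSG-Temp'

# As posted: (?i)^SG* is "S, then zero or more G", so Sales, Staff and SuperG are issued as well.
Test-ClaimRuleRegex -Pattern '(?i)^SG*' -Values $groups | Where-Object Issued

# What was meant: a case-insensitive "starts with SG".
Test-ClaimRuleRegex -Pattern '(?i)^SG' -Values $groups | Where-Object Issued

# Tighter: require the separator, so a future "SGroup" does not slip in. Drop the (?i) if the
# naming convention is upper case and you want the rule to reject sg-hr.
Test-ClaimRuleRegex -Pattern '(?i)^SG-' -Values $groups | Where-Object Issued
```

Run each candidate rule against the full list of groups the directory actually contains (Get-ADGroup output, for instance) before deploying it; an over-broad group filter hands the relying party claims it was never meant to see.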



Friday, July 04, 2014

Monday, June 30, 2014

ADFS : VS 2013 and FedUtil

In VS 2010, there was a wizard called FedUtil (part of the WIF SDK) which handled the "binding" between your WIF project and ADFS, sorted out the web.config configuration etc.

In VS 2012, this wizard was called the "Identity and Access Tool"

In VS 2013, there was - oh that's right - nothing!

But, fear not, there is a way.

Using VS 2013 Update 2:

  • Create an ASP.NET Web Application
  • Click "Change Authentication"
  • Select the "Organisational Accounts" radio button
  • In the "Cloud - Single Organisation" drop down - select "On-Premises"
  • Under "On-Premises Authority", enter the ADFS Metadata URL
  • Under "App ID URI", type the identifier or leave blank for default
  • Click "OK"
  • Back on the "New ASP.NET Project" screen, Authentication should say "Organisational Auth (On-Premises)"
  • Click OK
  • Done

When the project is created, you'll see the web.config has been updated.


Monday, June 23, 2014

Stackoverflow : 15,000 rep

Well, taken a while but just crossed that boundary!

So I can now:

"protect questions

Privilege type: Moderation privilege
Awarded at: 15,000 reputation"

Only one more privilege to get:

"trusted user
Privilege type: Milestone privilege
Awarded at: 20,000 reputation"

So just a small matter of another 5,000!

Why do I do it? - basically:

  • I like helping people
  • I try and evangelise Identity - and this is a good way to do it
  • I learn something every time I research an answer

Most of the time, I pretty much know the answer but it's that quest for the "perfect" answer that leads to research which leads to me better understanding something.

Also, half the time when I try and explain something I realise I don't understand it as well as I thought I did or as well as I should!

See An Ode to Server Fault for a similar viewpoint.


Thursday, May 29, 2014

ADFS : Customising the screen for ADFS 2012 R2 or ADFS 3.0 or ADFS 2.2

Apologies for the title, but there doesn't seem to be a standard for what the R2 version of ADFS is called, so I included them all to ease the Google / Bing / DuckDuckGo search.

If there's one question that has become flavour of the month lately this is it. There are many questions around customising the logon / login / sign on pages.

Some of them refer to customising the pages for Multi-Factor Authentication (MFA). Just remember that you can now do this with a Microsoft solution. Refer: Azure Multi-Factor Authentication. Note that this doesn't have to be cloud based. There is an on-premise variation.

In ADFS 2.0, the functionality was implemented as a web site running on IIS so you could customise to your heart's content changing the .aspx and the .cs pages.

My guess is that some people who didn't really understand the implications of what they were doing customised the pages in sub-standard ways and things went wrong and Microsoft copped the blame for pushing a crap product.

Remember - security in a web application is hard; writing a security application is even harder.

So in ADFS 3.0 this was all locked down. The biggest change was that it no longer uses IIS.

Refer: First Impressions – AD FS and Windows Server 2012 R2 – Part I

There are some PowerShell commands you can use to customise the screens.

Refer: Customizing the AD FS Sign-in Pages

and Advanced Customization of AD FS Sign-in Pages.

There are some good suggestions here:

adfs 2012 R2 forms authentication default login domain

Beware: one of the suggestions here is to modify the .dll. I would strongly suggest that you don't go down this particular rabbit hole!

And a good write up here:

Handling Expired Passwords in AD FS 2012 R2
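The supported route for the "default login domain" request above looks like this. It is an added example, not code from the original post or from the linked articles: it exports the stock theme, appends an override to onload.js that prepends a domain when the user types a bare user name, publishes that as a new theme and makes it active. The theme name, working directory, company text and the CONTOSO domain are placeholders, and the JavaScript is assumed to match the Login object the stock 2012 R2 sign-in page exposes. Run it on the ADFS server as an administrator.

```powershell
# Added example, not part of the original post. Names, paths and the domain are placeholders.

$themeName = 'contoso'
$workDir   = 'C:\adfs-theme'

# 1. Export the stock theme so there is a file tree to edit (and a pristine copy to diff against later).
Export-AdfsWebTheme -Name default -DirectoryPath $workDir

# 2. Override the submit handler: if the user typed neither '@' nor '\', prepend the default domain.
#    Everything else in the exported onload.js stays as shipped.
$onload = @'
if (typeof Login != 'undefined') {
    Login.submitLoginRequest = function () {
        var u = new InputUtil();
        var e = new LoginErrors();
        var userName = document.getElementById(Login.userNameInput);
        var password = document.getElementById(Login.passwordInput);
        if (userName.value && !userName.value.match('[@\\\\]')) {
            document.forms['loginForm'].UserName.value = 'CONTOSO\\' + userName.value;
        }
        if (!userName.value) { u.setError(userName, e.userNameFormatError); return false; }
        if (!password.value) { u.setError(password, e.passwordEmpty); return false; }
        document.forms['loginForm'].submit();
        return false;
    };
}
'@
$onloadPath = Join-Path $workDir 'script\onload.js'
Add-Content -Path $onloadPath -Value $onload -Encoding UTF8

# 3. Clone the default theme and attach the edited script at the URI the page loads it from.
New-AdfsWebTheme -Name $themeName -SourceName default
Set-AdfsWebTheme -TargetName $themeName -AdditionalFileResource @{ Uri = '/adfs/portal/script/onload.js'; Path = $onloadPath }

# 4. Page text is a separate (per-locale) setting.
Set-AdfsGlobalWebContent -CompanyName 'Contoso' -SignInPageDescriptionText 'Sign in with your Contoso user name (no domain needed).'

# 5. Switch to the new theme. 'default' is untouched, so reverting is: Set-AdfsWebConfig -ActiveThemeName default
Set-AdfsWebConfig -ActiveThemeName $themeName
```

Everything here survives an ADFS update, which is the point of preferring it to editing the DLL: the theme is data the service loads, not a patched binary that the next hotfix silently replaces or, worse, refuses to load.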


Wednesday, May 28, 2014

Visual Studio : Extending the user profile for organisational accounts in Azure

When you use VS 2013 and choose the web application option and then change the authentication options to use organisational accounts, you get a lot of template code which shows you some of the attributes in the user profile derived from Azure Active Directory (AAD).

You can see this if you click on the name of the logged-in user once the application is running and you have authenticated.

What if you want to extend this?

The first step is to find out what the attribute is called.

The easiest way to do this is to use the Graph Explorer.

Click "Use Demo Company", then "Get", and look at one of the user objects in the response.

You'll get a list of the AAD schema attributes, e.g. if you want the user's department, you'll see the name is "department".

In the VS project, under "Models / HomeViewModels.cs", add another property to the UserProfile class, e.g.

    public string Department { get; set; }

Under "Views / Home / UserProfile.cshtml", add another line to display it, e.g.

    <td>@Model.Department</td>

This uses Razor syntax - you may have something different but you get the general idea.

The key to this is under "Controllers / HomeController.cs" where:

    UserProfile profile = JsonConvert.DeserializeObject<UserProfile>(responseString);

leverages the JSON library to deserialize the Graph response into the properties you have defined. The property name has to match the JSON attribute name; Json.NET matches case-insensitively by default, so "Department" picks up "department".

Job done.


Friday, May 23, 2014

Security : Secret Q & A

Came across an interesting idea for the answers to those ubiquitous secret Q & A they use for authentication.

If you know someone lives in NZ and the question is:

Where were you born?

an attacker could answer "Auckland" / "Wellington" / "Christchurch" / "Dunedin" and that would cover about 80% of the possibilities, since e.g. over 25% of the people in NZ live in Auckland.

So the suggestion is to use a random phrase to answer everything:

"Where were you born?"  = Puddleduck
"Mother's maiden name?" = Puddleduck

and so on.

One caveat: if the same phrase answers every question on every site, one site leaking it unlocks the rest. A different random string per site, kept in your password manager next to the password, costs nothing extra.


Tuesday, May 06, 2014

Azure : Deploying a Java web site to Azure

Well, who would ever think that the words "Azure" and "Java" would be used in the same sentence?

I'm not talking about the Azure VM here; rather the Azure web site option.

As Mrs Beeton would say, "First catch your rabbit". For Java, this becomes "First catch your .war file".

You can create a simple Java web site in either Eclipse or NetBeans - whatever floats your boat.

Work through the following documentation:

Get started with Azure web sites and Java

Adding an application to your Java web site on Azure

I used the "Create a Java web site using the Azure configuration UI" option.

OK, but when you display the web site URL, you get "This Java based application has been successfully created". So where's my index.jsp?

From the dashboard of the Azure web site, you'll see the FTP address. I use FileZilla.

Before you can use this, you have to set the credentials. There's a link under "Quick Glance" called "Reset your deployment credentials". So set them.

Assume your web site is called MyJavaWebSite.

So to get FileZilla to work, you use the FTP URL from the dashboard page; your user name is the site name, a backslash and the deployment user name you chose, i.e.

MyJavaWebSite\<deployment user name>

and the password is whatever you chose.

On the LHS, navigate to your war file. On the RHS, navigate to:

/site/wwwroot/webapps

Copy the war file over.

Now navigate to the actual Azure web site URL. It still shows the canned screen, because Tomcat deploys the war as its own context (named after the war file) rather than at the root.

So append /MyJavaWebSite/index.jsp to the URL.
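The deployment credentials give full write access to the site, so they should not go over plain FTP. The following is an added example, not from the original post or from Microsoft: it does the same upload from PowerShell with .NET's FtpWebRequest and EnableSsl set, i.e. explicit FTPS, which the Azure FTP endpoint accepts. The host, site and user names are placeholders.

```powershell
# Added example, not part of the original post. Host, site and user names are placeholders.

function Send-WarToAzure {
    param(
        [Parameter(Mandatory)] [string] $FtpHost,      # host part of the FTP address on the dashboard (placeholder)
        [Parameter(Mandatory)] [string] $SiteName,     # e.g. MyJavaWebSite
        [Parameter(Mandatory)] [string] $DeployUser,   # set under "Reset your deployment credentials"
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $WarPath
    )
    if (-not (Test-Path -Path $WarPath -PathType Leaf)) { throw "war file not found: $WarPath" }

    $remote = "ftp://$FtpHost/site/wwwroot/webapps/$([IO.Path]::GetFileName($WarPath))"
    $req = [System.Net.FtpWebRequest]::Create($remote)
    $req.Method     = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $req.EnableSsl  = $true      # explicit FTPS: the login and control channel are wrapped in TLS
    $req.UseBinary  = $true
    $req.UsePassive = $true
    # Azure FTP user names are "<site>\<deployment user>"; the backslash is part of the name.
    $req.Credentials = New-Object System.Net.NetworkCredential("$SiteName\$DeployUser", $Password)

    $bytes = [IO.File]::ReadAllBytes($WarPath)
    $req.ContentLength = $bytes.Length
    $out = $req.GetRequestStream()
    try { $out.Write($bytes, 0, $bytes.Length) } finally { $out.Dispose() }

    # The server's reply, e.g. "226 Transfer complete."
    $resp = $req.GetResponse()
    try { $resp.StatusDescription } finally { $resp.Dispose() }
}

# Usage (values are placeholders):
# $pw = Read-Host -Prompt 'Deployment password' -AsSecureString
# Send-WarToAzure -FtpHost 'waws-prod-xx-000.ftp.azurewebsites.windows.net' -SiteName MyJavaWebSite -DeployUser deployer -Password $pw -WarPath .\MyJavaWebSite.war
```

If you stay with FileZilla, pick "Require explicit FTP over TLS" in the site manager for the same effect; the file lands in the same webapps directory and Tomcat picks it up the same way.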