Wednesday, October 01, 2014

ADFS : ADFS 3.0 - no web.config

I've blogged before about the changes in ADFS 3.0 on Server 2012 R2.

No IIS so no web.config.

Hang on - what about things like:

<context hidden="true" />
<error page="Error.aspx" />
<acceptedFederationProtocols saml="true" wsFederation="true" />
<homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
<persistIdentityProviderInformation enabled="true" lifetimeInDays="30" /> 

They are no longer there.

The trick is to use PowerShell (thanks @paullem!). Get-AdfsWebConfig shows the current values and Set-AdfsWebConfig changes them:

Set-AdfsWebConfig -ContextCookieEnabled $True -HRDCookieEnabled $True -HRDCookieLifetime 30


Wednesday, September 24, 2014

Misc : Popular posts

There is a little widget that's supposed to do this but here are the actual statistics.

Notice the number of ADFS hits!


Misc : GitHub for Windows - Clone in Desktop

GitHub for Windows is a neat tool but suffers from a severe lack of documentation.

I find a project I like, click "Clone in Desktop" on the RHS and it takes me to a screen saying "Download GitHub for Windows" even though I have the damn thing already installed.

So ^^%$$% frustrating.

Mr. Google to the rescue and after a number of false starts (Google sucks more and more at delivering useful search results) I discovered that you need to log in first on the GitHub site.

Then all is OK.

Going by the number of hits I found on this, 99% of this would be avoided if GitHub put a notice to that effect on the page e.g.

"You must first Login".


Tuesday, September 23, 2014

ADFS : The joys of hidden context

Playing around with ADFS 3.0 on Server 2012 R2 and found yet another difference with ADFS 2.x.

Imagine you have a number of .NET applications going via ADFS as a RP-STS going to another IP-STS.

Now on the IP-STS you want to know which RP the authentication request is coming from.

All the ADFS requests are coming through one channel so parameters like "Referer: " are useless.

In your RP web.config you can add parameters like wreply or wtrealm, as per WS-Federation.

You'll see these in the URL going to ADFS, next to the &wctx section. But none of it goes on to the IP-STS: ADFS "removes" them, and the wctx sent upstream is just a GUID that keys into a cookie.

And there is a cookie on the way which looks like:


where xxxyyy is Base64 encoded.

In ADFS 2.0, there was an entry in the web.config (in the microsoft.identityServer.web section) which, set to false, told ADFS not to park this information in a cookie but to send it as part of the query string - which makes for a lll-oon-nnn-ggg query string!

This entry was:

<context hidden="true" />

But in ADFS 3.0 there is no actual web.config. You have to look in:


and there's a file called:


but it has no such entry.

The trick is to use PowerShell:

Set-AdfsWebConfig -ContextCookieEnabled $False


Friday, August 08, 2014

ADFS : Certificate details in the metadata

Common problem - you get sent some metadata that contains certificate info and then get an error when you try to import it.

Would be really useful to see the actual certificate, right?

Good news is that help is at hand.

In the metadata file, you'll see something like:

<KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">

Then there's the certificate itself, which is the DER-encoded certificate in Base64.

Copy it - the stuff between the open and closing ds:X509Certificate tag.

Now paste that into an editor - Notepad++ is my poison of choice.

Then save that as a .cer file. (Windows is happy with the bare Base64; tools like OpenSSL want it wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, or converted back to DER.)

Now double-click on the file in Explorer.

Job done!
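The same job done in PowerShell, as an added example that is not part of the original post: it pulls every X509Certificate out of the metadata, tells you whether it is the signing or encryption key, and shows the subject, expiry and thumbprint that the certificate viewer would show, without copying Base64 by hand. The metadata file path and the optional output folder are assumptions.

```powershell
# Added example, not from the original post: list the certificates embedded in
# SAML / WS-Federation metadata without copying Base64 around by hand.
# The file path in the usage line at the bottom is an assumption.
function Get-MetadataCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutDir    # optional: also write each cert out as a DER .cer you can double-click
    )

    [xml]$metadata = Get-Content -Path $Path -Raw
    $dsNs = 'http://www.w3.org/2000/09/xmldsig#'

    # Match on local name + namespace, so it works whether the prefix is ds:, dsig: or none.
    foreach ($node in $metadata.GetElementsByTagName('X509Certificate', $dsNs)) {

        # Walk up to the enclosing KeyDescriptor to read use="signing" / "encryption".
        # Per the metadata spec, no use attribute means the key serves both purposes.
        $kd = $node.ParentNode
        while ($kd -ne $null -and $kd.LocalName -ne 'KeyDescriptor') { $kd = $kd.ParentNode }
        $use = if ($kd -ne $null -and $kd.HasAttribute('use')) { $kd.GetAttribute('use') } else { 'signing+encryption' }

        # The element text is Base64 of the DER certificate; newlines inside it are harmless
        # to Convert.FromBase64String but are stripped anyway.
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)

        if ($OutDir) {
            $target = Join-Path (Resolve-Path $OutDir).Path "$($cert.Thumbprint).cer"
            [System.IO.File]::WriteAllBytes($target, $raw)
        }

        [pscustomobject]@{
            Use        = $use
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint   # compare with the trust's Signature tab in the ADFS console
        }
    }
}

# Assumed path: the metadata file you were sent.
Get-MetadataCertificate -Path .\FederationMetadata.xml | Format-List
```

An expired certificate, or a thumbprint that doesn't match what the other side claims to be signing with, is the usual reason the import (or the first sign-in after it) fails, so those two columns are the ones to look at first.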


Wednesday, July 23, 2014

stackoverflow : 500 answers

Finally hit the mark.

If you calculate that I try to answer one question every day and 5 weekdays per week, then:

500 / 5 = 100 weeks ~ 2 years to get here!

Actually, it's taken almost 6 years.

Can do better!


Monday, July 21, 2014

SAML : I want to test my code

This question pops up frequently on the forums.

"I have written my own custom IDP / SP. How can I test it against some instance that's publicly available?"

There are a range of commercial products, e.g. Tivoli, Oracle, Ping Identity and OpenAM, which all deliver this functionality, but they are complex to set up and are most certainly not free.

If you work in the Microsoft world and have a "spare" Windows server that's domain joined you can use ADFS. This runs on 2008 R2, 2012 and 2012 R2 and supports both IDP and SP mode.

Open source:

* Shibboleth (and also TestShib)
* simpleSAMLphp

Both of these support IDP and SP mode.

Publicly hosted:

* SSOCircle - IDP only
* Kentor - IDP only
* Feide OpenIDP - IDP only
* Salesforce developer - IDP / SP

Beware: These are often simplified and some security checks have been removed so the fact that your code works in these environments does not ensure that they will work in the real world.

There are also some commercial / open source SAML stacks. These often come with a test IDP and SP that you can run up for basic testing, e.g.:

* ComponentSpace (commercial)
* onelogin SAML Toolkits (open source)

There are others.


Friday, July 18, 2014

ADFS : ADFS and SAML AuthnContext

This article gives a good overview of the subject:

Authentication Handler Overview

You'll see that normally ADFS will set the AuthnContext to something like "urn:oasis:names:tc:SAML:1.0:am:password" for forms-based authentication (FBA).

So what happens if you have ADFS as a SP and the IDP demands something else?

If you have an ASP.NET application as the RP, you're in luck. All you have to do is set the wauth parameter as per this article:

Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

I normally do this in the web.config, via the authenticationType attribute on the wsFederation element (WIF sends it as wauth).

It seems counter-intuitive. wauth is a WS-Fed protocol element not a SAML one but ADFS obviously has the intelligence to pass this through to the SAML IDP in the AuthnContext.

What happens if your RP is SharePoint? Sadly, in this case you are fresh out of options. There are many references to this on the web but nobody appears to have a solution.

You pretty much have to add a proxy to add this element or speak nicely to your IDP provider!

Essentially you have to deconstruct the AuthnRequest, add the AuthnContext stuff and then put it all back together. That's basically just vanilla XML manipulation. However, if the agreement is that the AuthnRequest has to be signed, it's a whole new ballgame. You now have to get your hands on the private key of the SP signing certificate and read the SAML specifications to see which part of the AuthnRequest needs to be the signing input.

If you have certificate rollover set in ADFS, you are again screwed. The signing certificate is not in the certificate store. It's some weird combination of a certificate container in AD, a blob in one of the attributes and a link to the ADFS configuration database.

In this case, turn rollover off, generate your own certificates, place them in the certificate store in the usual manner and you are good to go. Remember to give the ADFS service account access to the private key. If that's all Greek, refer to:

AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates

under the "Manage private keys" section.
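The "deconstruct the AuthnRequest, add the AuthnContext stuff and put it back together" step, as an added example that is not part of the original post. It assumes the HTTP-Redirect binding (the SAMLRequest parameter is Base64 of the raw-deflated XML), a constructed sample AuthnRequest with example.com host names, and the PasswordProtectedTransport class reference; it inserts the RequestedAuthnContext element where the schema allows it (after NameIDPolicy and Conditions, before Scoping) and does not sign anything.

```powershell
# Added example, not from the original post: patch a RequestedAuthnContext into a
# SAML 2.0 AuthnRequest the way a proxy between ADFS (as SP) and the IDP would have to.
# Sample request, host names and the class reference are assumptions.
$samlp = 'urn:oasis:names:tc:SAML:2.0:protocol'
$saml  = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Redirect binding: SAMLRequest = Base64(deflate(xml)), no zlib/gzip header.
function ConvertFrom-SamlRedirect([string]$SamlRequest) {
    $stream  = New-Object System.IO.MemoryStream -ArgumentList (,[Convert]::FromBase64String($SamlRequest))
    $inflate = New-Object System.IO.Compression.DeflateStream -ArgumentList $stream, ([System.IO.Compression.CompressionMode]::Decompress)
    $reader  = New-Object System.IO.StreamReader -ArgumentList $inflate, ([System.Text.Encoding]::UTF8)
    $reader.ReadToEnd()
}

function ConvertTo-SamlRedirect([string]$Xml) {
    $out     = New-Object System.IO.MemoryStream
    $deflate = New-Object System.IO.Compression.DeflateStream -ArgumentList $out, ([System.IO.Compression.CompressionMode]::Compress), $true
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $deflate.Write($bytes, 0, $bytes.Length)
    $deflate.Close()
    [Convert]::ToBase64String($out.ToArray())
}

function Add-RequestedAuthnContext([string]$Xml, [string]$ClassRef, [string]$Comparison = 'exact') {
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($Xml)
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'AuthnRequest' -or $root.NamespaceURI -ne $samlp) { throw 'Not a SAML 2.0 AuthnRequest' }

    $ctx = $doc.CreateElement('samlp', 'RequestedAuthnContext', $samlp)
    $ctx.SetAttribute('Comparison', $Comparison)
    $ref = $doc.CreateElement('saml', 'AuthnContextClassRef', $saml)
    $ref.InnerText = $ClassRef
    [void]$ctx.AppendChild($ref)

    # If the SP already asked for a context, replace it rather than ending up with two.
    $existing = $root.ChildNodes | Where-Object { $_.LocalName -eq 'RequestedAuthnContext' }
    if ($existing) { [void]$root.ReplaceChild($ctx, $existing); return $doc.OuterXml }

    # Schema order for AuthnRequest children: Subject, NameIDPolicy, Conditions,
    # RequestedAuthnContext, Scoping. So: before Scoping if present, else last.
    $scoping = $root.ChildNodes | Where-Object { $_.LocalName -eq 'Scoping' }
    if ($scoping) { [void]$root.InsertBefore($ctx, $scoping) } else { [void]$root.AppendChild($ctx) }
    $doc.OuterXml
}

# Constructed sample of what ADFS sends as SP (no RequestedAuthnContext, which is the problem).
$sample = @'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0123456789" Version="2.0" IssueInstant="2014-07-18T10:00:00Z" Destination="https://idp.example.com/saml2/sso"><saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" /></samlp:AuthnRequest>
'@

$classRef  = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
$onTheWire = ConvertTo-SamlRedirect $sample                  # what the proxy sees in ?SAMLRequest=
$patched   = Add-RequestedAuthnContext (ConvertFrom-SamlRedirect $onTheWire) $classRef
$patched                                                      # the rebuilt AuthnRequest
[Uri]::EscapeDataString((ConvertTo-SamlRedirect $patched))    # ready to go back into the query string
```

If the SP signs its requests, this is exactly where the "whole new ballgame" starts: for the Redirect binding the signature covers the SAMLRequest, RelayState and SigAlg query parameters, and for the POST binding it is a Signature element inside the XML, so the patched request no longer verifies and has to be re-signed with the SP's signing key (which, with rollover on, you can't get at from the certificate store, as noted above).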


Wednesday, July 09, 2014

ADFS : Claims rules and regex

I answer a lot of claims rules questions over on the forum, and a lot of them concern regex.

One of the recent ones concerned:
"This works fine. I want to filter groups that are included in outgoing claim to just groups which start with string "SG". So I wrote custom ADFS rule:

c:[Type == "", Value =~ "(?i) ^SG*"]
 => issue(claim = c);"

There's a number of tools to check the regex. I tend to use Expresso.

But then I came across an article which showed an easy way to check this in PowerShell.

PS C:\> "SG1234" -match '(?i)^SG*'
True
PS C:\> "abcSG1234" -match '(?i)^SG*'
False
PS C:\> "SG1234" -match '(?i)^SG.'
True
PS C:\> "SG" -match '(?i)^SG.'
False
PS C:\> "SG" -match '(?i)^SG'
True

... and you can see some of the other strings I played around with.

The catch in the original rule is that the * binds to the G only, so '(?i)^SG*' is "S followed by zero or more Gs" and happily matches "S1234" or "Sales" as well; '(?i)^SG' is what was actually wanted.
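The same check wrapped up so it can be run over a whole list of candidate group names at once, as an added example that is not part of the original post. The group names are constructed; the helper name is my own. It uses -cmatch rather than -match because -match is case-insensitive by default in PowerShell and would hide a missing (?i), whereas the claims rule =~ operator is case-sensitive unless the pattern says otherwise; both run on the .NET Regex engine, so the results carry over to ADFS.

```powershell
# Added example, not from the original post: check a claims-rule regex against a set
# of values with the same .NET Regex engine ADFS uses. Group names are constructed.
function Test-ClaimRegex {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Values
    )
    foreach ($v in $Values) {
        [pscustomobject]@{
            Pattern = $Pattern
            Value   = $v
            Matches = ($v -cmatch $Pattern)   # -cmatch: case-sensitive unless the pattern itself says (?i)
        }
    }
}

# Constructed sample group names; the rule is meant to pass only those starting with "SG".
$groups = 'SG1234', 'sg-Finance', 'S1234', 'Sales', 'abcSG1234', 'SG'

# The pattern from the forum question: * quantifies the G only, so S1234 and Sales get through.
Test-ClaimRegex -Pattern '(?i)^SG*' -Values $groups | Format-Table -AutoSize

# What was intended: anchored at the start, both letters required.
Test-ClaimRegex -Pattern '(?i)^SG' -Values $groups | Format-Table -AutoSize

# Tighter still, if the naming convention is "SG" followed by a separator: no match for "SGT-Admins".
Test-ClaimRegex -Pattern '(?i)^SG[-_ ]' -Values ($groups + 'SGT-Admins') | Format-Table -AutoSize
```

The first table passes S1234 and Sales, which is the over-matching that would leak groups into the outgoing claim; the second passes only SG1234, sg-Finance and SG. Run the pattern through this before pasting it into the rule, and drop the (?i) if group names are supposed to be matched exactly.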



Friday, July 04, 2014

Monday, June 30, 2014

ADFS : VS 2013 and FedUtil

In VS 2010, there was a wizard called FedUtil which handled the "binding" between your WIF project and ADFS, sorted out the web.config configuration etc.

In VS 2012, this wizard was called the "Identity and Access Tool"

In VS 2013, there was - oh that's right - nothing!

But, fear not, there is a way.

Using VS 2013 Update 2:

  • Create an ASP.NET Web Application
  • Click "Change Authentication"
  • Select the "Organisational Accounts" radio button
  • In the "Cloud - Single Organisation" drop down - select "On-Premises"
  • Under "On-Premises Authority", enter the ADFS Metadata URL
  • Under "App ID URI", type the identifier or leave blank for default
  • Click "OK"
  • Back on the "New ASP.NET Project" screen, Authentication should say "Organisational Auth (On-Premises)"
  • Click OK
  • Done

When the project is created, you'll see the web.config has been updated.


Monday, June 23, 2014

Stackoverflow : 15,000 rep

Well, taken a while but just crossed that boundary!

So I can now:

"protect questions

Privilege type: Moderation privilege
Awarded at: 15,000 reputation"

Only one more privilege to get:

"trusted user
Privilege type: Milestone privilege
Awarded at: 20,000 reputation"

So just a small matter of another 5,000!

Why do I do it? - basically:

  • I like helping people
  • I try and evangelise Identity - and this is a good way to do it
  • I learn something every time I research an answer

Most of the time, I pretty much know the answer but it's that quest for the "perfect" answer that leads to research which leads to me better understanding something.

Also, half the time when I try and explain something I realise I don't understand it as well as I thought I did or as well as I should!

See An Ode to Server Fault for a similar viewpoint.