Monday, March 25, 2013

WIF : Claims Aware Web Service exception


This is with the “Identity and Access Tool” / VS 2012.

When you run the sample and hit Enter, you get:

Security negotiation failed because the remote party did not send back a reply in a timely manner. This may be because the underlying transport connection was aborted.

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)

When you click on ClaimsAwareWebService.svc in the Directory Listing, you get:

The service cannot be activated because it does not support ASP.NET compatibility. ASP.NET compatibility is enabled for this application. Turn off ASP.NET compatibility mode in the web.config or add the AspNetCompatibilityRequirements attribute to the service type with RequirementsMode setting as 'Allowed' or 'Required'.

So in the web.config, change this attribute from “true” to “false”:

serviceHostingEnvironment aspNetCompatibilityEnabled="true"

All good!


WIF : Identity and Access Tool


This happened a while back but there still seems to be confusion.

This only runs on VS 2012.

Also there have been a lot of changes from WIF 1.0 (3.5) to 4.5. The templates, custom STS, FedUtil etc. are no more. Goodbye to the FederatedPassiveSignInControl and FederatedPassiveSignInStatus controls.

Good summary: What's New in Windows Identity Foundation 4.5

Overview: Windows Identity Foundation Tools for Visual Studio 2012 RTM

Details: Windows Identity Foundation in the .NET Framework 4.5 Beta: Tools, Samples, Claims Everywhere

The Identity Training Kit is no more. Examples are spread across separate samples. The full list is in the third link above.


Friday, March 22, 2013

ADFS: Certificate Sharing Container


If you are wondering where this is in AD (and you are not alone in asking that question), it’s to be found under:

Program Data / Microsoft / ADFS

And I believe that this is only used when you enable AutoRollover.


Misc: .NET 4.5 / Windows Identity Foundation should include SAMLP support


Damn fine idea – 100% agree.

We need full SAML support – ala the old WIF 3.5 CTP.

Vote here: .NET 4.5 / Windows Identity Foundation should include SAMLP support.

And yes – I voted.


Wednesday, March 20, 2013

Rant: If you are already in a hole ..


Well – YAC – Yet Another Category!

The actual quote is “If you are already in a hole, stop digging”.

I see this every day. We go to a customer and talk about claims-enabled applications, WIF and ADFS, SAML, SSO etc., and the customer is happy.

Then they ask “Actually we’ve got this open-source gateway product that we use. Can ADFS work with it?”. This gateway product is a “sort-of” AM ala TMG, UAG, OpenAM etc.

The correct response is “Sorry, we can’t be experts in every product in the known universe. You probably need to go back to the vendor. We might be able to help but it’s on a ‘best endeavour’ basis – no guarantees”.

The incorrect response is “OK no problem, we’ll check it out”. The customer interprets this as “OK – now it’s your problem”.

Two months later – one pissed-off customer – the guy who wrote the product is somewhere in Siberia – doesn’t answer emails – and we keep on digging the hole deeper.

Tell the customer up front – we are IDENTITY people NOT network people. If they want to get pissed off, well and good – they can find someone else to sort it out!


Thursday, March 14, 2013

ADFS : Using the SAML NameID to map IdP / SP claims

Imagine two companies: Fabrikam and Contuso. Fabrikam has a SaaS application in the cloud that Contuso wants to use. Fabrikam supports SAML authentication and is an SP. Contuso uses ADFS as an IdP.

So all the pieces are in place and it should just work no problem. Dream on.

There needs to be a “primary key” that links the two companies together for a session.

Assume Contuso has an employee – the ubiquitous Joe Bloggs - and Joe needs access to the application.

So Contuso has to send Fabrikam a table of users – among which is Joe Bloggs. This table can be sent as XML, xls, text or whatever.

Fabrikam imports these users into the Contuso section of their database.

They also have to agree on which attribute of each user is the primary key, e.g. sAMAccountName, email address, AD GUID …

Assume they choose email – this is the NameID.

So when Fabrikam gets an AuthNResponse from Contuso, they extract the NameID and use that as the key into their table.

There is one further complication. The SAML spec. allows the NameID to be sent in a number of formats e.g. Unspecified, Email, X509 Subject Name…

This is important. If one side expects the email format and the other side expects X509 Subject Name, e.g. OU=Dev,O=Contuso,C=NZ, you can predict that there will be problems.

So they both have to agree. Assume they choose email address.

To configure this in ADFS:

Configure the email address as a normal “Send LDAP Attributes as Claims” rule.

Then configure a “Transform an Incoming Claim” rule which takes “Incoming Claim Type” of email and maps it to “Outgoing Claim Type” of NameID which has an “Outgoing NameID Format” of email.

Problem solved!
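Fabrikam's side of that agreement, as an added example that is not part of the original post: a small Python check that extracts the NameID from a SAML 2.0 Response, insists on the agreed Format before using the value as the key into the imported user table, and rejects the X509 and “unspecified” cases described above (the latter is what an ADFS transform rule with no Outgoing NameID Format produces). The Response XML, the user table and the contuso.example names are all constructed for the example, and signature validation is left out so the check stays short.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID formats defined by the SAML spec.
FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FORMAT_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed sample: the Contuso section of Fabrikam's user table,
# imported from the file Contuso sent, keyed on the agreed attribute (email).
CONTUSO_USERS = {
    "joe.bloggs@contuso.example": {"tenant": "Contuso", "display": "Joe Bloggs"},
}


class NameIdError(ValueError):
    """Raised when the NameID cannot be used as the key into the user table."""


def extract_name_id(response_xml: str) -> tuple:
    """Return (value, format) of the Subject/NameID in a SAML 2.0 Response.

    Signature validation is deliberately left out; a real SP must verify the
    Response/Assertion signature before trusting anything in it.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise NameIdError("assertion carries no NameID")
    # A NameID with no Format attribute means 'unspecified' per the spec.
    return name_id.text.strip(), name_id.get("Format", FORMAT_UNSPECIFIED)


def resolve_user(response_xml: str, expected_format: str = FORMAT_EMAIL,
                 users: dict = CONTUSO_USERS) -> dict:
    """Map the NameID to a row in the imported table, enforcing the agreed format."""
    value, fmt = extract_name_id(response_xml)
    if fmt != expected_format:
        # The mismatch the post warns about: the value may look plausible,
        # but the two sides never agreed on what it means.
        raise NameIdError(f"NameID format mismatch: got {fmt}, expected {expected_format}")
    user = users.get(value.lower())  # email matching is case-insensitive here
    if user is None:
        raise NameIdError(f"NameID {value!r} is not in the imported Contuso user table")
    return user


def make_response(value: str, fmt: str) -> str:
    """Build a minimal, unsigned SAML Response (constructed sample, not ADFS output)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.contuso.example/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="{fmt}">{escape(value)}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def login_outcome(value: str, fmt: str) -> str:
    """Run one constructed Response through resolve_user and report the result."""
    try:
        return "accepted: " + resolve_user(make_response(value, fmt))["display"]
    except NameIdError as err:
        return "rejected: " + str(err)


if __name__ == "__main__":
    # Both sides agreed on email: works.
    print(login_outcome("Joe.Bloggs@contuso.example", FORMAT_EMAIL))
    # Contuso sends the X509 subject name instead: rejected before any lookup.
    print(login_outcome("OU=Dev,O=Contuso,C=NZ", FORMAT_X509))
    # ADFS transform rule without an Outgoing NameID Format: goes out as 'unspecified'.
    print(login_outcome("joe.bloggs@contuso.example", FORMAT_UNSPECIFIED))
    # Right format, but a user Contuso never included in the table it sent.
    print(login_outcome("jane.doe@contuso.example", FORMAT_EMAIL))
```

The format check runs before the table lookup on purpose: a NameID in the wrong format should fail loudly at the boundary rather than produce a puzzling “user not found” (or, worse, an accidental match) deeper in the application.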