Thursday, May 29, 2014

ADFS : Customising the screen for ADFS 2012 R2 or ADFS 3.0 or ADFS 2.2

Update:

More comprehensive write-up here.

Apologies for the title but there doesn't seem to be a standard for what the R2 version of ADFS is called so I included them all to ease the Google / Bing / Duck Duck Go search

If there's one question that has become flavour of the month lately this is it. There are many questions around customising the logon / login / sign on pages.

Some of them refer to customising the pages for Multi-Factor Authentication (MFA). Just remember that you can now do this with a Microsoft solution. Refer: Azure Multi-Factor Authentication. Note that this doesn't have to be cloud based. There is an on-premise variation.

In ADFS 2.0, the functionality was implemented as a web site running on IIS so you could customise to your heart's content changing the .aspx and the .cs pages.

My guess is that some people who didn't really understand the implications of what they were doing customised the pages in sub-standard ways and things went wrong and Microsoft copped the blame for pushing a crap product.

Remember - security in a web application is hard - writing a security application is even harder,

So in ADFS 3.0 this was all locked down. The biggest change was that it no longer uses IIS.

Refer: First Impressions – AD FS and Windows Server 2012 R2 – Part I

There are some PowerShell commands  you can use to customise the screens

Refer: Customizing the AD FS Sign-in Pages

and Advanced Customization of AD FS Sign-in Pages.

There are some good suggestions here:

adfs 2012 R2 forms authentication default login domain

Beware: one of the suggestions here is to modify the .dll. I would strongly suggest that you don't go down this particular rabbit hole!

And a good write up here:

Handling Expired Passwords in AD FS 2012 R2

Enjoy!

Wednesday, May 28, 2014

Visual Studio : Extending the user profile for organisational accounts in Azure

When you use VS 2013 and choose the web application option and then change the authentication options to use organisational accounts, you get a lot of template code which shows you some of the attributes in the user profile derived from Azure Active Directory (AAD).

You can see this if you click on the name of the logged-in user once the application is running and you have authenticated.

What if you want to extend this?

The first step is to find out what the attribute is called?

The easiest way to do this is to use the Graph Explorer.

Click "Use Demo Company" then "Get" then click on:

"https://graph.windows.net/GraphDir1.OnMicrosoft.com/users".

You'll get a list of the AAD schema attributes e.g if you want the user department, you'll see the name is "department".

In the VS project under "Models / HomeViewModels.cs" add another line e.g.

public string Department { get; set; }

Under "Views / Home / UserProfile.cshtml" add another line e.g.

<td>Department</td>
<td>@Model.department</td>
This uses Razor syntax - you may have something different but you get the general idea.

The key to this is under "Controllers / HomeController.cs" where:

UserProfile profile = JsonConvert.DeserializeObject(responseString);
 leverages the power of the JSON library to serialize the attributes you have defined.

Job done.

Enjoy!

Friday, May 23, 2014

Security : Secret Q & A

Came across an interesting idea for the answers to those ubiquitous secret Q & A they use for authentication.

If you see someone lives in NZ and the question is:

Where where you born?

a hacker could answer "Auckland" / Wellington" / "Christchurch" / "Dunedin" and that would cover about 80% of the possibilities since e.g. over 25% of the people in NZ live in Auckland.

So the suggestion is to use a random phrase to answer everything.

e.g.

"Where were you born"?  = Puddleduck
"Mother's maiden name"? = Puddleduck

and so on.

Enjoy!


Tuesday, May 06, 2014

Azure : Deploying a Java web site to Azure

Well, who would ever think that the words "Azure" and "Java" would be used in the same sentence?

I'm not talking about the Azure VM here; rather the Azure web site option.

As Mrs. Beaton would say "First catch your rabbit". For Java, this becomes "First catch your .war file".

You can create a simple Java web site in either Eclipse or NetBeans - whatever floats your boat.

Work through the following documentation:

Get started with Azure web sites and Java

Adding an application to your Java web site on Azure

I used the "Create a Java web site using the Azure configuration UI" option.

OK, but when you display the web site URL, you get the "This Java based application has been successfully created". So where's my index.jsp?

From the dashboard of the Azure web site, you'll see the FTP address. I use FileZilla.

Before you can use this, you have to set the credentials. There's a link under "Quick Glance" called "Reset your deployment credentials". So set them.

Assume your web site is called MyJavaWebSite.

So to get FileZilla to work, you use the FTP URL from the dashboard page, your user name is:

MyJavaWebSite\username

and the password is whatever you chose.

On the LHS menu, navigate to your war file. On the RHS, navigate to:

/site/wwwroot/webapps

Copy the war file over.

Now navigate to the actual Azure web site URL. Still shows the canned screen.

So append  /MyJavaWebSite/index.jsp to the URL.

Bingo.

Enjoy!