Friday, August 21, 2015

IIS : Errors with web.config

Had a situation where I had a legacy website that I was attempting to convert to WIF and claims-based and when I ran the application, all I got was a white screen and the application just hung.

Not that familiar with the application but obviously it somehow hides errors from the user.

There was error logging but nothing in the logs.

I was completely baffled.

So I loaded IIS Manager and started looking at various controls e.g. ".NET Authorisation", ".NET Error Pages", "SSL Settings" etc. in some kind of hope that I would notice something that would give me a clue.

Then I clicked on "Default Document" and lo and behold it threw an exception because of an error in web.config.

This application has a huge web.config and in hand-crafting the WIF constructs I'd duplicated some sections.

So I did a "rinse and repeat" until IIS Manager showed me the default documents.

Makes sense - to get the default documents IIS Manager has to parse the web.config and throws exceptions if it can't.

Really neat trick to remember.

Of course. it would be cooler if VS actually did this for you!


Monday, August 17, 2015

Azure Access Panel : Federating with a SAML IDP (ADFS)

There is a new feature in Azure Active Directory where you can configure SAML 2.0 access to a 3rd party application that is not in the Gallery

Refer : “Bring your own app” with Azure AD Self-Service SAML configuration

I'm not going to repeat what's there but I thought that I would get this working to Active Directory Federation Services (ADFS). I have Server 2016 TP2 so I simply used that.

On the ADFS side, you need the Azure Active Directory (AAD) metadata. Not going into that - there's a zillion blogs on how to add a new Claims Provider.

In AAD, under "Applications" with the filter "Applications my company owns", select one and at the bottom you'll see "View Endpoints".

Click on that and you'll see:

Click on the "Copy" image on the right and import that metadata into ADFS.

Now I don't have an actual SAML 2.0 application i.e. an application with a SAML 2.0 client side stack. This is mainly because Microsoft don't have SAML client side support - you need to purchase a commercial one or use one of the open-source ones.

Refer : SAML : SAML connectivity / toolkit for some ideas.

So I'm just going to use the IDPInitiated page. That's enough to do a PoC to figure out how this stuff works.

Beware : ADFS : .IdPInitiatedSignonPageDisabledException 

The URL is:


So the configuration page inside of AAD is:

You would obviously have to put in the real "Reply URL" for an actual application etc.

The next page when you configure the "other" side i.e. ADFS you can ignore because you did that when you imported the metadata.

Give your users access rights as per the blog link above and then you will see your application in the Access Panel i.e.

Click on the application icon, sign into AAD and you'll see:

If you use Firefox to run the Access Panel, add the "SAML Tracer" extension and when you click the icon, you'll see

in the trace.

The two SAML packets are the AuthnRequest and the Response ID.

Inside the Response ID, you'll see the attributes that you configured under the "Attributes" tab as per the blog link above.

Of course, it's much easier if the application you want is already in the Gallery and you just have to go through a simple wizard to achieve the same result :-)


ADFS : .IdPInitiatedSignonPageDisabledException

This is using Server 2016 TP2 but also applies to 2012 R2 with Active Directory Federation Services (ADFS / "AD FS").

I was looking at the IDPIntiated page i.e.


and got this error:

Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.


So Mr. Google to the rescue and I found that in these editions it has been disabled.

@Jorge blogged about it but unfortunately he watermarks his images and the watermark totally obscures the PowerShell command!


AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : Threshold
DeviceUsageWindowInDays                    : 7
EnableIdpInitiatedSignonPage               : False

See the problem right there on the last line?

So we run:

 set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Problem solved:

AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : Threshold
DeviceUsageWindowInDays                    : 7
EnableIdpInitiatedSignonPage               : True


Friday, August 14, 2015

Musings : So you want to be an Identity guru

This is in the Microsoft space because that's where I play.

And I don't dabble in FIM (now called MIM) so I won't cover that area.

This is somewhat of a progressive post - I'll keep adding to it as and when.

It's based on my personal experience - kind of how I got here.

First of all be very clear - it's not easy and it involves a lot of commitment - which implies after-hours reading etc.

Secondly, you need to decide the scope. Is it ADFS, WIF, ACS, ADAL, OWIN, Azure AD, on premises AD etc?

OK - that's a huge list right there, And no, I'm not an expert in all theses field but I know my way around them and I know where to look when I need information.

Thirdly, do you want to be (in cloud terms) PaaS or IaaS (Platform or Infrastructure as a Service) i.e. do you want to be coding an OWIN interface or do you want to be installing ADFS and figuring out firewall, VIP and VPN rules?

You have to be across both but I'm more a PaaS kind of guy.

Perhaps the best way to start is to have a look at the samples section below, choose one, down load, run, get it working, see how it works, use Fiddler to see the actual protocol on the wire etc.

So in no particular order:

Certificates - how to generate, how to install, how to troubleshoot.


You don't need a deep knowledge but you need to understand the basics e.g. public / private keys.

I personally own:

The Code Book: The Secret History of Codes and Code-breaking
Cryptography: A Very Short Introduction (Very Short Introductions) (Actually, the whole VSI series is worth a look),
Codes, Ciphers and Secret Writing 

and the heavy artillery!

Applied Cryptography: Protocols, Algorithms and Source Code in C


AD blog
Ask Premier Field Engineering
Ask Directory Services
Cloud Identity -Vittorio Bertocci's blog - must read
The Access Onion

Microsoft Identity Books

A Guide to Claims-Based Identity and Access Control
(You can buy it but it's a free download).
Programming Windows Identity Foundation
Microsoft Windows Identity Foundation Cookbook
Modern Authentication with Active Directory for Web Applications


You need to get to the point where you can jump in and actively contribute - don't worry - we don't bite and new blood is always welcome.

stackoverflow - There are tags for adfs, wif, adal, saml-2.0 etc.
Claims based access platform (CBA) code name Geneva - Geneva was the original code name for ADFS


WS Federation

WS Federation

SAML 2.0

How To Learn SAML
SAML Technical Overview

OAuth 2

OAuth 2.0 
OpenID Connect


Microsoft Azure Active Directory Samples and Documentation

These include ADAL samples and samples of how to use all the different protocols.


Thursday, August 13, 2015

Misc : European law for cookies

Apparently, European law requires a notice that this site uses cookies.

"European Union (EU) laws require you to give EU visitors information about cookies used on your blog. In many cases, these laws also require you to obtain consent.

As a courtesy, we have added a notice on your blog to help meet these regulations."

So Google has added this feature to Blogger.

If you go to e.g. nzpcmad.blogspot,fr (for France), you see:

Very neat!

BTW: From reading Troy Hunt's blog, I found that he also uses Blogger :-).


Wednesday, August 05, 2015

WIF : Federation Metadata Generation Tools

This question pops up frequently on various forums:

How do I generate metadata?

So I thought I'd collect a few links:

(Note: I haven't tried all of these - they may or may not work - use at your own risk - backup current metadata first if required).

Federation Metadata Generation Tool

STS Federation Metadata Editor

Also, have a look at the code inside:

Identity Server

You will see that it's generated dynamically.

Geneva-based WS-Federation metadata document generation wizard


Monday, August 03, 2015

AAD : Access Panel extension doesn't have an "Enable" button

Playing with the Azure Access Panel ( and needed to install the Access Panel Extension. I was using IE 11 at the time (Yeah - I know :-) ).

Problem was at the end of the install, it says "Click the Enable button" and said button was MIA.

Help file here:  Troubleshooting the Access Panel Extension for Internet Explorer.

I didn't bother with the Diagnostic Tool.

There's a section that describes how to check if the extension is enabled.

In short:

Tools / Internet Options / Programs / Manage add-ons / Select Access Panel Extensions / Click Enable (bottom right).

Close and restart IE.