Ideas and thoughts about Microsoft Identity, C# development, cabbages and kings and random flotsam on the incoming tide
Friday, October 23, 2015
ADFS : Differences across versions
This is for Active Directory Federation Services / ADFS / "AD FS".
| | 2008 R2 (ADFS v2.0) | 2012 (ADFS v2.1) | 2012 R2 (ADFS v3.0) | 2016 vNext (ADFS v4.0?) |
|---|---|---|---|---|
| Runs on IIS | Y | Y | N | N |
| .NET | 3.5 (Microsoft.Identity) | 4.5 (System.Identity) | 4.5 (System.Identity) | 4.6? (System.Identity) |
| Authenticate against | AD | AD | AD | AD, LDAP v3, SQL Server |
| WS-Federation | Y (SAML 1.1 token) | Y | Y | Y |
| SAML 2.0 | Y (SAML 2.0 token) | Y | Y | Y |
| OpenID Connect support | N | N | N | Y, plus OpenID Connect Discovery |
| OAuth 2.0 support | N (JWT token) | N (JWT token) | Y, Authorisation Code Grant only (JWT token) | Y, all profiles (JWT token) |
| Device registration | N | N | Y | Y |
| Password change support | N | N | Y | Y |
| Application branding with per-RP customisation | N | N | N | Y |
| Enable delegation for service admin. | N | N | N | Y |
| Act as a certificate authority | N | N | N | Y |
Enjoy!
Wednesday, October 21, 2015
ADFS : Customising ADFS functionality
This post is NOT about customising the look and feel - it's about customising what ADFS actually does.
ADFS 2.0 was built on IIS and was basically a web site so you had the opportunity to adapt the web pages and change some of the flow.
ADFS 3.0 does not use IIS - it's built on top of http.sys so there are no web pages to alter.
Essentially, it's locked down and there's no way in.
So if you need to alter the flow in some way, what can you do?
I've been involved in two projects recently where this was required.
For a WS-Federation project, I added thinktecture's identityserver into the pipeline. This can be both an IDP and an RP. Essentially, it was a proxy.
So RP <--> IdSrv2 <--> ADFS.
It's open source so you can alter the code. It wasn't used for local authentication but rather for pass-through.
You can capture the request on both the up and down stream tracks and alter as required.
For a SAML-P project, I added ComponentSpace's SAML stack into the pipeline. This can be both an IDP and an SP. Essentially, it was a proxy. (Note this is commercial.)
So SP <--> ComponentSpace <--> ADFS.
It's not open source but they provide both IDP and SP examples. You can pretty much merge the two examples together. It wasn't used for local authentication but rather for pass-through.
You can capture the request on both the up and down stream tracks and alter as required.
Enjoy!
Monday, October 19, 2015
ADFS : Metadata signing
ADFS and pretty much all half-decent IDPs use metadata to transfer things like endpoints, bindings, certificates etc.
Sometimes you need to change some part of the metadata e.g. ADFS won't accept any endpoints that aren't https.
So to be able to import the metadata, you have to edit it.
However, if the metadata is signed, it will throw an error.
This is because the signature is computed over a hash of the contents, so if you change the contents you change the hash and the signature no longer verifies.
What to do?
Note: Below is at your own risk as there may be security implications.
Metadata stands on its own. There are no other files involved, links to web collateral etc. So it stands to reason that if the metadata is signed, the fact that it is signed must be recorded somewhere within the metadata.
And in fact it is.
It uses the "ds:Signature", "ds:SignedInfo", "ds:SignatureValue" etc. constructs (XML Digital Signature).
So to remove the signature protection, simply delete the entire "ds:Signature" construct. Now you can change anything you want. And by extension so can anybody else!
To repeat: Use at your own risk as there may be security implications.
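As an added example (not the post's own code), the following script does the pre-import check an ADFS admin wants before touching partner metadata: it lists the non-https endpoints ADFS will refuse, reports whether a "ds:Signature" is present and whether its Reference covers the whole EntityDescriptor, flags SHA-1 algorithms, and tells you whether a hand edit would invalidate the signature. The sample metadata, its host idp.example.test and the digest/signature values are constructed placeholders.

```python
"""Pre-import inspection of SAML 2.0 metadata (added example, not ADFS code)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: signed IdP metadata whose HTTP-POST SSO endpoint is plain
# http, which ADFS will refuse to import. Digest/signature values are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_meta1" entityID="https://idp.example.test/saml">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_meta1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text):
    """Report non-https endpoints, signature presence/coverage and weak digests."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")

    # Every endpoint element (SSO, SLO, ACS, ...) carries a Location attribute.
    non_https = [(el.tag.split("}")[1], el.get("Location")) for el in root.iter()
                 if el.get("Location") and not el.get("Location").lower().startswith("https://")]

    sig = root.find("ds:Signature", NS)
    report = {"entity_id": root.get("entityID"), "signed": sig is not None,
              "signature_covers_document": False, "weak_algorithms": [],
              "non_https_endpoints": non_https}
    if sig is not None:
        # An enveloped signature points at the element that carries it: either
        # URI="#<ID of the EntityDescriptor>" or URI="" (the whole document).
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        doc_id = root.get("ID")
        report["signature_covers_document"] = uri == "" or (doc_id is not None and uri == "#" + doc_id)
        for path in ("ds:SignedInfo/ds:SignatureMethod", "ds:SignedInfo/ds:Reference/ds:DigestMethod"):
            el = sig.find(path, NS)
            if el is not None and el.get("Algorithm", "").endswith("sha1"):
                report["weak_algorithms"].append(el.get("Algorithm"))
    # The post's point: any hand edit to a signed document invalidates the signature,
    # so the fix belongs with the publisher (corrected, re-signed metadata).
    report["edit_breaks_signature"] = report["signed"] and bool(non_https)
    return report


if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_METADATA).items():
        print("%-26s %s" % (key, value))
```

When the report says the edit would break the signature, the safer route than stripping "ds:Signature" is to have the partner publish metadata with https endpoints and re-sign it.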
Enjoy!
Friday, October 16, 2015
WIF : Wrappers around protocols
Put together this diagram:
So what does this show?
WIF = WS-Fed
OWIN = WS-Fed, OpenID Connect, OAuth
There is no official Microsoft support for SAML-P (P for protocol). There are open source libraries and commercial stacks - refer : SAML : SAML connectivity / toolkit.
Just to repeat - WIF and OWIN are not protocols - they are wrappers around protocols.
Enjoy!
Tuesday, October 13, 2015
ADFS : Beware IIS and ADFS
Just read this post:
2012R2 AD FS WAP proxy problem
This was to do with installing WAP with Active Directory Federation Service and getting:
"Unable to retrieve proxy configuration data from the Federation Server."
The interesting part is the piece at the end:
"Turns out certificate binding precedence is the culprit. While IIS is not required for 2012 R2 ADFS roles anymore, it can actually get in the way if it is on the same machine. Binding cert to default web site in IIS will place an ip:port entry into sslcert bindings, which has a higher precedence than service:port entries that ADFS sets up. Since the IIS entry has no Ctl Store Name, the WAP certificate is placed in a store that is filtered out when ADFS checks for its presence.
Type "netsh http show sslcert" in a terminal on your ADFS machines and look for entries higher on the list than your ADFS service name entries. If those don't have Ctl Store Name of AdfsTrustedDevices and they can resolve to your ADFS service, the install will fail."
The point for me is that sometimes I'm having problems with ADFS in terms of connectivity. The metadata address and the IDPInitiatedSignOn only work when you have a half-decent install. Ping is disabled by default. So I install IIS just so I can check connectivity, e.g. browse to https://server.domain and you should get the IIS splash screen.
So this is something to be aware of.
On a 2012 R2 server with no IIS:
PS C:\> netsh http show sslcert
SSL Certificate bindings:
-------------------------
Hostname:port :server.domain:443
Certificate Hash : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : localhost:443
Certificate Hash : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : server.domain:49443
Certificate Hash : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
On a 2016 server with IIS:
PS C:\> netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 51b70e988101c789769c9cd9487c29e88ea7225e
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
IP:port : 0.0.0.0:5986
Certificate Hash : bf7db9570b805aa6771be18154e60e4decb295db
Application ID : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Disabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Hostname:port : server.domain:443
Certificate Hash : 26ea2faabc7764a9bea7f85db6e931b559eff126
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Hostname:port : localhost:443
Certificate Hash : 26ea2faabc7764a9bea7f85db6e931b559eff126
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Hostname:port : server.domain:49443
Certificate Hash : 26ea2faabc7764a9bea7f85db6e931b559eff126
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Reject Connections : Disabled
Note that I didn't have this problem on this installation. I suspect it's because of the "and they can resolve to your ADFS service" condition, and the IP address 0.0.0.0 ain't going anywhere!
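As an added example (not the quoted post's or this blog's code), here is the binding check from the quoted text turned into a script: it parses "netsh http show sslcert" output, finds the ports the ADFS hostname bindings (Ctl Store Name AdfsTrustedDevices) use, and reports IP:port bindings on those ports that lack that Ctl Store Name, separating the 0.0.0.0 wildcard case from an IP that actually resolves to the ADFS service. The sample output is constructed in the netsh layout using the hashes shown above; the 10.0.0.5:443 record and the 10.0.0.5 ADFS address are assumptions.

```python
"""Check `netsh http show sslcert` output for IIS bindings that shadow ADFS (added example)."""
import re

# A binding record starts with "IP:port : x" or "Hostname:port : x"; the real
# output is not always consistently spaced (see "Hostname:port :server.domain:443").
HEADER_RE = re.compile(r"^(IP:port|Hostname:port)\s*:\s*(\S+)\s*$")

# Constructed sample in the netsh layout, trimmed to the fields that matter.
# The 10.0.0.5:443 record is an assumed IIS binding on the ADFS server's own IP.
SAMPLE_NETSH_OUTPUT = """
SSL Certificate bindings:
-------------------------
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 51b70e988101c789769c9cd9487c29e88ea7225e
    Ctl Store Name               : (null)
    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : bf7db9570b805aa6771be18154e60e4decb295db
    Ctl Store Name               : (null)
    IP:port                      : 10.0.0.5:443
    Certificate Hash             : 51b70e988101c789769c9cd9487c29e88ea7225e
    Ctl Store Name               : (null)
    Hostname:port                :server.domain:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Ctl Store Name               : AdfsTrustedDevices
    Hostname:port                : localhost:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Ctl Store Name               : AdfsTrustedDevices
    Hostname:port                : server.domain:49443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Ctl Store Name               : (null)
"""


def parse_sslcert(text):
    """Turn netsh output into a list of dicts, preserving netsh's listing order."""
    bindings = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            bindings.append({"kind": header.group(1), "endpoint": header.group(2)})
        elif bindings and " : " in line:
            key, _, value = line.partition(" : ")
            bindings[-1][key.strip()] = value.strip()
    return bindings


def find_shadowing_bindings(text, adfs_ips=()):
    """Return (endpoint, kind) for IP:port bindings that can shadow ADFS: IP:port
    beats Hostname:port in http.sys precedence, and a binding without Ctl Store Name
    AdfsTrustedDevices fails ADFS's own check. kind is "conflict" for an IP in
    adfs_ips and "wildcard" for 0.0.0.0 (reported harmless above, still worth a look)."""
    bindings = parse_sslcert(text)
    adfs_ports = {b["endpoint"].rsplit(":", 1)[1] for b in bindings
                  if b["kind"] == "Hostname:port"
                  and b.get("Ctl Store Name") == "AdfsTrustedDevices"}
    findings = []
    for b in bindings:
        ip, _, port = b["endpoint"].rpartition(":")
        if (b["kind"] != "IP:port" or port not in adfs_ports
                or b.get("Ctl Store Name") == "AdfsTrustedDevices"):
            continue
        if ip == "0.0.0.0":
            findings.append((b["endpoint"], "wildcard"))
        elif ip in adfs_ips:
            findings.append((b["endpoint"], "conflict"))
    return findings


if __name__ == "__main__":
    for endpoint, kind in find_shadowing_bindings(SAMPLE_NETSH_OUTPUT, {"10.0.0.5"}):
        print("%-16s %s" % (endpoint, kind))
```

On a real box, feed it the captured output (e.g. `netsh http show sslcert > sslcert.txt`) and pass the IPs the ADFS service name resolves to.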
Enjoy!
Monday, October 12, 2015
ADFS : SAML 2.0 token
This question came up during a discussion with a customer.
They wanted Active Directory Federation Services (AD FS) to deliver a SAML 2.0 token.
Recall that ADFS delivers a SAML 1.1 token for WS-Fed and a SAML 2.0 token for SAML-P 2.0.
The easiest way is simply to configure the connection to use SAML-P 2.0 (P BTW for protocol).
Simply provide ADFS with metadata for a SAML-P connection.
If you can't do that, you can convert the token by using Azure ACS or by using thinktecture's identityserver as an intermediate step. Both allow you to configure the outbound token type.
While on the subject, did you know that ADFS on Server 2012 R2 (ADFS 3) can deliver JWT tokens for WS-Fed?
Refer : JSON Web Token (JWT) support in ADFS.
Enjoy!
AAD : Integrating with a custom SAML application as a SP
Most of the applications you want to integrate with Azure Active Directory (AAD) can be found in the Gallery. At the time of writing there's about 2,500 of them but the number just keeps increasing.
The big guns are there e.g. Salesforce and Workday and good to see Xero (from NZ) is there.
But what if your SAML application is not there?
Then you have to do it manually.
I've used the MvcExampleServiceProvider from ComponentSpace as the SP. This is a really good SAML library and it comes with heaps of examples that you can use OOTB.
In the Azure Portal - Active Directory - Applications - Add (at the bottom).
Select "Add an Application from the Gallery"
Select "Custom".
Give your application a name and then click the Tick image.
Click "Configure single sign-on".
Select "Microsoft Azure AD Single Sign-On", then Next.
The Issuer is the URL of your application.
The "Reply URL" is:
http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService
where "xxx" is the URL of my test box where the application is deployed (essentially localhost).
Note that my application is called "ComponentSpace".
Now copy these values into the saml.config.
"Issuer URL" goes on the first line and the sign-on / sign-off go into the last two lines.
My saml.config entry:
<!-- My Azure AD -->
<PartnerIdentityProvider Name="https://sts.windows.net/00...79/"
    SignLogoutRequest="true"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantLogoutResponseSigned="true"
    UseEmbeddedCertificate="true"
    ClockSkew="00:03:00"
    SingleSignOnServiceUrl="https://login.windows.net/0...2/saml2"
    SingleLogoutServiceUrl="https://login.windows.net/0...2/saml2"/>
Also remember the web.config change:
<add key="PartnerIdP" value="https://sts.windows.net/00...79/"/>
Now run the application.
You should see:
Click the SSO link.
That should take you off to the Azure AD login page where you then authenticate, and then the list of claims should be displayed.
If you use the SAML Tracer plugin to Firefox, you can see the actual SAML packets.
<samlp:AuthnRequest ID="_95ff361a-61cb-4bf9-a5e7-529239ebdbb9" Version="2.0"
    IssueInstant="2015-10-11T19:08:38.045Z"
    Destination="https://login.windows.net/00...79/saml2"
    ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/MvcExampleServiceProvider</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>
Note that the AssertionConsumerServiceURL is what goes into the "Reply URL" in the "Configure App Settings" above and the Issuer is what goes into the "Issuer URL" box.
Enjoy!