Friday, October 23, 2015

OpenNETCF : Getting OpenNETCF code from the Vault

The latest code is always available from the Vault (a VSS lookalike).

(NOTE: The code under the "Source" tab at www.opennetcf.org is NOT the latest).

For multiple files, install the Vault client application from here:

http://www.sourcegear.com/vault/downloads.html

or

For single files, direct from source control here:

http://vault.netcf.tv/VaultService/VaultWeb/login.aspx

login = guest
password = guest

Enjoy!

ADFS : Differences across versions

This is for Active Directory Federation Services / ADFS / "AD FS".

| Feature | 2008 R2 (ADFS v2.0) | 2012 (ADFS v2.1) | 2012 R2 (ADFS v3.0) | 2016 vNext (ADFS v4.0?) |
|---|---|---|---|---|
| Runs on IIS | Y | Y | N | N |
| .NET | 3.5, Microsoft.Identity | 4.5, System.Identity | 4.5, System.Identity | 4.6?, System.Identity |
| Authenticate against | AD | AD | AD | AD, LDAP v3, SQL Server |
| WS-Federation | Y (SAML 1.1 token) | Y | Y | Y |
| SAML 2.0 | Y (SAML 2.0 token) | Y | Y | Y |
| OpenID Connect support | N | N | N | Y (plus OpenID Connect Discovery) |
| OAuth 2.0 support | N (JWT token) | N (JWT token) | Y (Authorisation Code Grant only, JWT token) | Y (All profiles, JWT token) |
| Device registration | N | N | Y | Y |
| Password change support | N | N | Y | Y |
| Application branding with per RP customisation | N | N | N | Y |
| Enable delegation for service admin. | N | N | N | Y |
| Act as a certificate authority | N | N | N | Y |

Enjoy!

Wednesday, October 21, 2015

ADFS : Customising ADFS functionality

This post is NOT about customising the look and feel - it's about customising what ADFS actually does.

ADFS 2.0 was built on IIS and was basically a web site so you had the opportunity to adapt the web pages and change some of the flow.

ADFS 3.0 does not use IIS - it's built on top of http.sys so there are no web pages to alter.

Essentially, it's locked down and there's no way in.

So if you need to alter the flow in some way, what can you do?

I've been involved in two projects recently where this was required.

For a WS-Federation project, I added thinktecture's identityserver into the pipeline. This can be both an IDP and an RP. Essentially, it was a proxy.

So RP <--> IdSrv2 <--> ADFS.

It's open source so you can alter the code. It wasn't used for local authentication but rather for pass-through.

You can capture the request on both the up and down stream tracks and alter as required.

For a SAML-P project, I added ComponentSpace's SAML stack into the pipeline. This can be both an IDP and a SP. Essentially, it was a proxy. (Note this is commercial).

So SP <--> ComponentSpace <--> ADFS.

It's not open source but they provide both IDP and SP examples. You can pretty much merge the two examples together. It wasn't used for local authentication but rather for pass-through.

You can capture the request on both the up and down stream tracks and alter as required.

Enjoy!

Monday, October 19, 2015

ADFS : Metadata signing

ADFS and pretty much all half-decent IDPs use metadata to transfer stuff like endpoints, bindings, certificates etc.

Sometimes you need to change some part of the metadata e.g. ADFS won't accept any endpoints that aren't https.

So to be able to import the metadata, you have to edit it.

However, if the metadata is signed, it will throw an error.

This is because the signature covers a hash of the contents, so obviously if you change the contents the hash no longer matches and the signature fails to verify.

What to do?

Note: Below is at your own risk as there may be security implications.

Metadata stands on its own. There are no other files involved, links to web collateral etc. So it stands to reason that if the metadata is signed, the fact that it is signed must be recorded somewhere within the metadata.

And in fact it is.

It uses the "ds:Signature", "ds:SignedInfo", "ds:SignatureValue" etc. constructs.

So to remove the signature protection, simply delete the entire "ds:Signature" construct. Now you can change anything you want. And by extension so can anybody else!

To repeat: Use at your own risk as there may be security implications.
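An added example (not from the original post, and not an ADFS or ComponentSpace API) that shows the two things worth knowing before you touch a metadata file: whether it is signed at all, and which endpoints are not https (the usual reason an ADFS import is rejected). The sample metadata is constructed; idp.example.test is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():          # keep md:/ds: prefixes on re-serialisation
    ET.register_namespace(prefix, uri)

# Constructed sample IdP metadata: signed, with one endpoint that is not https.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI=""/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_metadata(xml_text):
    """Return (is_signed, non_https_locations) for a metadata document."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", NS) is not None
    non_https = [el.get("Location") for el in root.iter()
                 if el.get("Location")
                 and not el.get("Location").lower().startswith("https://")]
    return signed, non_https


def strip_signature(xml_text):
    """Remove the top-level ds:Signature, as the post describes.
    The result is unsigned, so any later edit (by anyone) is undetectable;
    prefer getting the partner to re-issue metadata with https endpoints."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")
```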

Enjoy!


Friday, October 16, 2015

WIF : Wrappers around protocols

Put together this diagram:

So what does this show:

WIF = WS-Fed
OWIN = WS-Fed, OpenID Connect, OAuth

There is no official Microsoft support for SAML-P (P for protocol). There are open source libraries and commercial stacks - refer : SAML : SAML connectivity / toolkit.

Just to repeat - WIF and OWIN are not protocols - they are wrappers around protocols.

Enjoy!

Tuesday, October 13, 2015

ADFS : Beware IIS and ADFS

Just read this post:

2012R2 AD FS WAP proxy problem

This was to do with installing WAP with Active Directory Federation Service and getting:

"Unable to retrieve proxy configuration data from the Federation Server." 

The interesting part is the piece at the end:

"Turns out certificate binding precedence is the culprit.  While IIS is not required for 2012 R2 ADFS roles anymore, it can actually get in the way if it is on the same machine.  Binding cert to default web site in IIS will place an ip:port entry into sslcert bindings, which has a higher precedence than service:port entries that ADFS sets up.  Since the IIS entry has no Ctl Store Name, the WAP certificate is placed in a store that is filtered out when ADFS checks for its presence.

Type "netsh http show sslcert" in a terminal on your ADFS machines and look for entries higher on the list than your ADFS service name entries.  If those don't have Ctl Store Name of AdfsTrustedDevices and they can resolve to your ADFS service, the install will fail."

The point for me is that sometimes I'm having problems with ADFS in terms of connectivity. The metadata address and the IDPInitiatedSignOn only work when you have a half-decent install. Ping is disabled by default. So I install IIS just so I can check connectivity, e.g. browse to https://server.domain and you should get the IIS splash screen.

So this is something to be aware of.

On a 2012 R2 server with no IIS:

PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    Hostname:port                :server.domain:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled  

On a 2016 server with IIS:

PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 51b70e988101c789769c9cd9487c29e88ea7225e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : bf7db9570b805aa6771be18154e60e4decb295db
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
    Reject Connections           : Disabled

Note that I didn't have this problem on this installation. I suspect it's because "and they can resolve to your ADFS service." and the IP address 0.0.0.0 ain't going anywhere!
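An added example (not from the original post or the one it quotes) that applies the quoted rule to saved "netsh http show sslcert" output: it parses the bindings in listed order and reports IP:port entries on an ADFS port that lack the AdfsTrustedDevices Ctl Store Name, i.e. the entries that outrank the service-name bindings and are worth a look. The sample output is constructed and trimmed to the fields the check uses; hashes are placeholders.

```python
import re

# Constructed sample in the format of "netsh http show sslcert", trimmed to
# the fields this check reads (values are placeholders, not from a real box).
SAMPLE_OUTPUT = """SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000001
    Ctl Store Name               : (null)

    Hostname:port                : server.domain:443
    Certificate Hash             : 0000000000000000000000000000000000000002
    Ctl Store Name               : AdfsTrustedDevices

    Hostname:port                : server.domain:49443
    Certificate Hash             : 0000000000000000000000000000000000000002
    Ctl Store Name               : (null)
"""

ADFS_CTL_STORE = "AdfsTrustedDevices"


def parse_sslcert(text):
    """Split netsh output into one dict per binding, preserving listed order."""
    bindings, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(IP:port|Hostname:port)\s*:\s*(\S+)", line)
        if m:                      # start of a new binding record
            current = {"kind": m.group(1), "endpoint": m.group(2)}
            bindings.append(current)
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return bindings


def adfs_ports(bindings):
    """Ports used by hostname bindings that carry the ADFS CTL store."""
    return {b["endpoint"].rsplit(":", 1)[1] for b in bindings
            if b["kind"] == "Hostname:port"
            and b.get("Ctl Store Name") == ADFS_CTL_STORE}


def shadowing_candidates(bindings):
    """IP:port entries on an ADFS port without the ADFS CTL store. These take
    precedence over service-name entries, so review them (an IIS Default Web
    Site binding on 443 is the classic case)."""
    ports = adfs_ports(bindings)
    return [b["endpoint"] for b in bindings
            if b["kind"] == "IP:port"
            and b["endpoint"].rsplit(":", 1)[1] in ports
            and b.get("Ctl Store Name") != ADFS_CTL_STORE]
```

As the post notes, a flagged 0.0.0.0 entry only bites if it can actually resolve to the ADFS service, so treat the output as a review list rather than a verdict.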

Enjoy!

Monday, October 12, 2015

ADFS : SAML 2.0 token

This question came up during a discussion with a customer.

They wanted Active Directory Federation Services (AD FS) to deliver a SAML 2.0 token.

Recall that ADFS delivers a SAML 1.1 token for WS-Fed and a SAML 2.0 token for SAML-P 2.0.

The easiest way is simply to configure the connection to use SAML-P 2.0 (P BTW for protocol).

Simply provide ADFS with metadata for a SAML-P connection.

If you can't do that, you can convert the token by using Azure ACS or by using thinktecture's identityserver as an intermediate step. Both allow you to configure the outbound token type.

While on the subject, did you know that ADFS on Server 2012 R2 (ADFS 3) can deliver JWT tokens for WS-Fed?

Refer : JSON Web Token (JWT) support in ADFS.

Enjoy!

AAD : Integrating with a custom SAML application as a SP

Most of the applications you want to integrate with Azure Active Directory (AAD) can be found in the Gallery. At the time of writing there are about 2,500 of them but the number just keeps increasing.

The big guns are there e.g. Salesforce and Workday and good to see Xero (from NZ) is there.

But what if your SAML application is not there?

Then you have to do it manually.

I've used the MvcExampleServiceProvider from ComponentSpace as the SP. This is a really good SAML library and it comes with heaps of examples that you can use OOTB.

In the Azure Portal - Active Directory - Applications - Add (at the bottom).

Select "Add an Application from the Gallery"


Select "Custom".

Give your application a name and then click the Tick image.

Click "Configure single sign-on".

Select "Microsoft Azure AD Single Sign-On". Click Next.


The Issuer is the URL of your application.

The "Reply URL" is:

http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService

where "xxx" is the URL of my test box where the application is deployed (essentially localhost).


Note that my application is called "ComponentSpace".

Now copy these values into the saml.config.

"Issuer URL" goes on the first line and the sign-on / sign-off go into the last two lines.

My saml.config entry: 

<!-- My Azure AD -->
<PartnerIdentityProvider Name="https://sts.windows.net/00...79/"
    SignLogoutRequest="true"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantLogoutResponseSigned="true"
    UseEmbeddedCertificate="true"
    ClockSkew="00:03:00"
    SingleSignOnServiceUrl="https://login.windows.net/0...2/saml2"
    SingleLogoutServiceUrl="https://login.windows.net/0...2/saml2"/>
 
Also remember the web.config change:

<add key="PartnerIdP" value="https://sts.windows.net/00...79/"/>


Now run the application.

You should see:
Click the SSO link.

That should take you off to the Azure AD login page where you then authenticate, and then the list of claims should be displayed.



If you use the SAML Tracer plugin to Firefox, you can see the actual SAML packets.

<samlp:AuthnRequest ID="_95ff361a-61cb-4bf9-a5e7-529239ebdbb9"
    Version="2.0"
    IssueInstant="2015-10-11T19:08:38.045Z"
    Destination="https://login.windows.net/00...79/saml2"
    ForceAuthn="false"
    IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/MvcExampleServiceProvider</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      AllowCreate="true"/>
</samlp:AuthnRequest>

Note that the AssertionConsumerServiceURL is what goes into the ReplyURL in the "Configure App Settings" above and the Issuer is what goes into the "Issuer URL" box.
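An added example (not from the original post, and not ComponentSpace's code) that cross-checks the three places these values live: the AuthnRequest captured with SAML Tracer, the portal's "Issuer URL" / "Reply URL" boxes, and the saml.config PartnerIdentityProvider entry. The request, config fragment and tenant id are constructed placeholders; localhost stands in for "xxx".

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-ins for the portal's "Issuer URL" and "Reply URL" boxes.
PORTAL = {
    "Issuer URL": "http://localhost/MvcExampleServiceProvider",
    "Reply URL": "http://localhost/MvcExampleServiceProvider/SAML/AssertionConsumerService",
}

# Constructed, trimmed saml.config entry (TENANT-ID-PLACEHOLDER is not a real tenant).
SAML_CONFIG = """<SAMLConfiguration>
  <PartnerIdentityProvider Name="https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
      SingleSignOnServiceUrl="https://login.windows.net/TENANT-ID-PLACEHOLDER/saml2"/>
</SAMLConfiguration>"""

# Constructed AuthnRequest in the shape of the one the SP sends to Azure AD.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_1" Version="2.0" IssueInstant="2015-10-11T19:08:38Z"
    Destination="https://login.windows.net/TENANT-ID-PLACEHOLDER/saml2"
    AssertionConsumerServiceURL="http://localhost/MvcExampleServiceProvider/SAML/AssertionConsumerService">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/MvcExampleServiceProvider</saml:Issuer>
</samlp:AuthnRequest>"""


def check_sp_setup(authn_request, saml_config, portal):
    """Return a list of findings; an empty list means request, portal and config agree."""
    req = ET.fromstring(authn_request)
    idp = ET.fromstring(saml_config).find("PartnerIdentityProvider")
    issuer = req.findtext(f"{{{SAML}}}Issuer", default="").strip()
    acs = req.get("AssertionConsumerServiceURL", "")
    findings = []
    if issuer != portal["Issuer URL"]:
        findings.append(f"Issuer {issuer!r} does not match the portal Issuer URL")
    if acs != portal["Reply URL"]:
        findings.append(f"AssertionConsumerServiceURL {acs!r} does not match the portal Reply URL")
    if req.get("Destination") != idp.get("SingleSignOnServiceUrl"):
        findings.append("Destination does not match saml.config SingleSignOnServiceUrl")
    if not acs.lower().startswith("https://"):
        # Fine on a test box; in production the SAML response would travel in clear.
        findings.append("Reply URL is plain http")
    return findings
```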

Enjoy!