ADFS : Token signing key cer file

Doing some node.js stuff with ADFS and I needed the token signing key as a cer file.

With automatic rollover, the certificate is not in the normal certificate store (the one you get at via mmc). Inside the ADFS wizard, you can't right click / export.

I'd just written a forum answer about getting the token signing certificate private key (which is not possible with automatic rollover) which "confused" me and I couldn't figure out how to get the .cer file.

@siacomuzzi advised:

• Double click the certificate / details / copy to file
• Use the X509 certificate part of the metadata

Sometimes you just can't see the wood for the trees!

Enjoy!

ADFS : Cookie size with Apple devices

Interesting thread over on the ADFS forum.

This relates to Apple only accepting cookies up to 4096 bytes.

The suggestions from Microsoft were:

• Ask Apple to fix Safari
• Don't sign the SAML request
• Try and reduce the number of claims e.g. sending specific groups; not all of them
• Use SAML artifact resolution

In artifact resolution, the token just contains an artifact which is a key to the actual claim. You then send the artifact back via a SOAP back channel and get the set of claims.

Or you could use a variation of this which is to send a limited set of claims; enough for most purposes. For the times when you need the extra claims, you could e.g. use the Microsoft Graph API in Azure to get the others.

Yes - that basically defeats the whole purpose of claims but sometimes it's a case of any port in a storm!

Enjoy!

Node : Federating with ADFS via WS-Fed

First read Node : Setting up the SSL certificates for Express.

The standard authentication mechanism for Node.js is passport.

Searching in the site for "WS-Fed" shows no hits.

Searching for "SAML" shows three:

• passport-saml 
• passport-wsfed-saml2 
• express-saml 

The only one that supports WS-Fed is the second one. This is developed by Auth0 who work a lot in this space.

There is also this one : AzureAD/passport-azure-ad.

This supports WS-Fed, SAML and OpenIDConnect / OAuth 2.0. It's developed by Microsoft. Unfortunately, it was developed on Express 3 whereas the latest download is Express 4. A lot has changed and this release does not currently work on Express 4.

So we'll go with the second one

A Gist of the code is here.

On the ADFS side, we need a RP. There's no metadata so do it manually.

The identifier "urn:node:wsfedapp" matches the realm in the code.

The thumbprint in the code is the thumbprint of the ADFS signing certificate.

Set "identityProviderUrl" to your ADFS URL.

Set the callback URL:

https://localhost:3000/login/callback 

Normal claims rules:

Run up the code in the command prompt and then you'll see:

C:\...>node ws-fed-auth0
Server started at port 3000

Browse to:

https://localhost:3000/

and you'll see:

hello world 

Browse to:

https://localhost:3000/secure

and you'll be redirected to ADFS, authenticate and then you'll see:

you have access to secured resources

If you look in the command prompt, you'll see the Profile displayed:

 C:...\Node.js>node ws-fed-auth0
Server started at port 3000
{ sessionIndex: undefined,
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'Joe',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'Bloggs',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'joeb@abc.com',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Joe Bloggs',
  issuer: 'http://my-adfs/adfs/services/trust',
  email: 'joeb@abc.com' }
In Serializer
In DeSerializer

Enjoy!

Node : Setting up the SSL certificates for Express

I'm having a look at node.js wrt. connecting up to ADFS.

This uses the passport plugin.

I've done a subsequent post on ADFS (see link below) but first refer:

Authenticating a NodeJS application using Thinktecture Identity Server v2entity-server-v2-to-authenticate-your-node-application/

I got a lot of the code from here (there's a Gist at the end).

How to Use SSL/TLS with Node.js

Good reference - ADFS will only work with RP that support SSL.

I have a Windows 8 box so I need a version of OpenSSL that runs on Windows. After a bit of googling, I decided to use Shining Light OpenSSL. (and if you get some value out of it, consider donating).

Setup up the environment variable:

set OPENSSL_CONF=C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.cfg

(or wherever you installed it).

As per the second article:

openssl genrsa -des3 -out server.enc.key 1024

openssl req -new -key server.enc.key -out server.csr

openssl rsa -in server.enc.key -out server.key

openssl x509 -req -days xxx -in server.csr -signkey server.key -out server.crt

where xxx = number of days you want the certificate to be valid.

You should now have server.key and server.crt in the directory. We will use these in the next article - refer Node : Federating with ADFS via WS-Fed.

Footnote

These are private keys. The first is protected with a  pass phrase.

• server.enc.key
• server.key

To view use:

C:\...>openssl rsa -check -in server.enc.key
Enter pass phrase for server.enc.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICX...

or

C:\...>openssl rsa -check -in server.key
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICX...

This is a Certificate Signing Request (csr)

server.csr

To view use:

C:...>openssl req -text -noout -verify -in server.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:89:6d:...

This is a self-signed certificate.

server.crt

To view use:

C:...>openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d8:d4:83:49:af:60:f1:3b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Validity
            Not Before: Feb 16 01:12:17 2016 GMT
            Not After : Oct  8 01:12:17 2017 GMT
        Subject: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:89:6d:...

In Windows terms, copy server.crt to server.cer.

Double-click on server.cer and you'll get the familiar certificate pop up.

Good overview here: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs


Enjoy!

Identity : The Microsoft landscape

I get asked a lot about this.

• What is the stack?
• What are the pieces?
• How do they fit together?

There doesn’t seem to be a short, compact overview about this.

So in the spirit of the Github admin who when I ask “Is this feature available and if not when”? replies “Send me a PR”, here goes:

A very short summary – you could write a book on each :-)

In no particular order:

AD DC

Active Directory Domain Controller

The heart of Microsoft on-premises Identity.

It stores users, groups, group policy, printers etc.

Authentication is via Kerberos or NTLM.

In the same domain, IWA can be used if the browser is configured correctly.

AD LDS

Active Directory Lightweight Directory Server - aka ADAM.

Provides ability to store application specific attributes.

Can have many instances on a server, each with a different schema.

Not domain centric.

With ADFS 4.0 (Server 2016) can be used for authentication - ADFS : Authenticating with LDAP.

ADFS

Active Directory Federation Services.

On-premises.

Sits on top of AD. 

Provides WS-Fed / SAML 2.0 / OAuth2 (Server 2016) federation functionality.

Authentication is via WS-Fed or SAML 2 or OAuth.

Has claims rules to manipulate the claims. 

ADFS 4.0 (Server 2016) will support OpenID Connect and OAuth 2.0.

ADFS 4.0 (Server 2016) will authenticate against v3 LDAP or SQL Server.

Has DRS capability to allow devices to be “domain joined”.

Supports IWA.

Can federate with other IDP e.g. OpenAM, Ping Federate, shibboleth, simpleSAMLphp etc.

ADFS 2.0 was a separate download. From then on is a server role and part of the base server.

WAP

Web Application Proxy.

On-premises.

A proxy for ADFS.

Allows ADFS to sit behind a firewall.

Functionality is being added to make it closer to what TMG provided.

Azure AD

Azure Active Directory.

NOT AD in the cloud.

You can think of it as combining AD and ADFS functionality.

Graph based (not LDAP). Supports users and groups only.

Windows 10 devices can be added via “AD Join”.

Has three levels viz. Free / Basic / Premium. Comparison here  – Azure Active Directory editions

Claims collection is hard-coded.

Has outbound SCIM support.

Azure AD Connect

Utility to sync. configured AD attributes from AD to Azure AD. 

This provides Same Sign On. Adding ADFS provides Single Sign On.

Was previously called DirSync.

Azure AD Application Proxy

WAP in the cloud.

Azure AD Domain Services

AD DC in the cloud.

Authentication is via Kerberos or NTLM.

Azure B2C

Business to Consumer.

Allows external user management - registration, SSPR, social logins

Azure B2B

Business to Business

Automated way to provision users so they can authenticate across tenants.

B2B vs. B2C - Comparing capabilities for managing external identities using Azure Active Directory.

Azure Access Panel

Allows end-users to launch their apps and access the self-service features that allow them to manage their apps and group memberships.  

ACS

Access Control Service

The "old" way to connect to social logins - superseded by B2C.

Azure MFA

Multi Factor Authentication.

Easily integrated with Azure applications or on-premises via agent in conjunction with ADFS.

Azure AD Connect Health

Helps monitor and gain insight into on-premises identity infrastructure and the synchronization services.

Monitoring capabilities for key identity components e.g. ADFS, Azure AD Connect, AD DC etc.

Makes the key data points about these components easily accessible, making it easy to get usage and other important insights.

Azure AD Identity Protection 

Helps prevent the use of compromised accounts using industry leading machine learning (ML) based real time detection and automated mitigation.

Helps protect all of the cloud and on-premises applications customers use with Azure AD.

Can auto-remediate by intercepting the request with an adaptive MFA challenge such as an SMS, phone call, push notification or a request for OATH token.

Azure AD PIM

Privileged Identity Management.

Discovery and control of who has administration rights where and when.

Microsoft Advanced Threat Analytics

Detects suspicious user and entry activity, known malicious attacks and security issues.

Cloud App Discovery

Helps IT departments learn which SaaS apps are being used throughout the organization.

Can measure app usage and popularity so that IT can determine which apps will benefit the most from being brought under IT control and being integrated with Azure AD.

Azure SaaS Market Place 

Aka Gallery - Active Directory Marketplace.

Instantly configure popular SaaS cloud applications on Azure AD for SSO and easier user account management.

Wrappers

WIF / OWIN / ADAL : Identity Libraries: Status

Also WIF : Wrappers around protocols  

And OWIN : Differences with WIF

WIF

Windows Identity Foundation.

Provides WS-Fed client protocol support for .NET applications.

Can be passive (browser) or active (WCF).

Older technology.

Capability provided by web.config configuration.

WIF 1.0 (3.5) is a separate download. WIF 4.5 is part of the framework.

OWIN

Open Web Interface for .NET.

Replaces WIF.

Provides WS-Fed / SAML 2.0  / OpenID Connect / OAuth 2.0 client protocol support for .NET applications.

NuGet packages here:

• Microsoft.Owin.Security.WsFederation  
• Microsoft.Owin.Security.OpenIdConnect 
• Kentor.AuthServices.Owin

Capability provided by code.

Can be used for web applications or web API.

.NET Core 1.0 support for OpenID Connect / OAuth 2.0.

Aimed at Azure AD / ADFS with hybrid mode – not a general purpose stack.

ADAL

Active Directory Authentication Library.

OpenID Connect / OAuth 2.0 client protocol support for native devices.

API so underlying protocol could be changed at some future point.

Libraries for JavaScript, Java, PHP etc.

Capability provided by code.

Aimed at Azure AD / ADFS with hybrid mode – not a general purpose stack.

MSAL

Microsoft  Authentication Library - V2 API.

Unified library that helps to develop applications that work with Microsoft Accounts, Azure AD accounts and Azure AD B2C users indifferently – all in a single, streamlined programming model.

Targets the "converged model" i.e. Microsoft Accounts and "Work or School" Accounts combined.

"Successor" to ADAL with the important proviso that it will not work with ADFS and the original Azure AD V1 API.

Microsoft Graph

Was Office 365 Unified API / Graph API.

Exposes multiple APIs from Microsoft cloud services through a single REST API endpoint (https://graph.microsoft.com).

MIM

Microsoft Identity Manager.

Used to be FIM.

Synchronizes identities between directories, databases and applications.

Self-service password, group and certificate management.

Enjoy!

AAD : Some protocol conversion

If you've ever looked at Auth0, you'll know that it's basically a circle that handles all the protocols and conversions and all applications and IDP's have one connection to the circle. Anyone can connect to anything.

You can come in with OpenID Connect and a JWT token and exit with SAMLp and a SAML token.

The same kind of thing happens with Azure AD where you have a federated tenant using ADFS for the authentication.

The user accesses a .NET application that uses the OWIN OpenID Connect stack to connect to AAD.

Something like:

GET https://login.microsoftonline.com/866...c0/oauth2/authorize

?client_id=98e...a73b006

&redirect_uri=https%3a%2f%2myapp.com%2f

&response_mode=form_post

&response_type=code+id_token

&scope=openid+profile

&state=OpenIdConnect.AuthenticationProperties%3dx...XbjvpmEy

&domain_hint=company.com

If you are wondering about the "domain_hint" see here: Using Azure AD to land users on their custom login page from within your app

AAD sees that this is a federated tenant and hands off to ADFS. The default for the Microsoft stack is WS-Fed.

Something like:

GET https://my-adfs/adfs/ls/?username=&wa=wsignin1.0&wtrealm=urn%3acompany

&wctx=abc...C7_3-B_AU1 

So AAD has done a protocol conversion from OpenID Connect / OAuth (oauth2/authorize) to  WS-Fed (wa=wsignin1.0).

Enjoy!