Wednesday, August 28, 2013

AAD : SSO between AAD and Salesforce

The write-up is here:

Tutorial: Windows Azure AD integration with Salesforce

but I couldn't get it working.

Luckily, I have some SAML experience so figured out the problem.

I posted before about how important it is to get the NameID stuff right and this was indeed the problem.

When you create the user in Salesforce, you have to make sure that the Salesforce username is exactly the same, character for character, as the login name you use for your AAD tenant.

And you have to use a valid email address, because that is where Salesforce sends the initial password mail.

The email address and username do not have to match.

So assume I log into my AAD tenant as:

jbloggs@tenant.onmicrosoft.com

My email address is jbloggs@gmail.com.

So I create the Salesforce user with:

email = jbloggs@gmail.com

username = jbloggs@tenant.onmicrosoft.com

Check your email - you will get a "Change Password" email from Salesforce.

Change your password. 

Login to AAD - navigate to the Access Panel - click Salesforce.

What happens is that AAD takes the name you logged in with, puts it in the NameID element of the SAML assertion's Subject, and posts the assertion to Salesforce.

Salesforce then looks for a registered user whose username equals that NameID. The email address on the Salesforce user is not consulted.

If there is one, you are logged in. If the NameID does not match any username, the login fails.

I did not have to synchronise any accounts to achieve this.
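As an added example (not part of the original post, and not Salesforce's or AAD's code), here is the NameID lookup described above run offline: a constructed, unsigned assertion fragment carrying the tenant login name, a stand-in user table keyed by username, and a diagnose() helper that reports the two mistakes that produce a failed login, sending the email instead of the username and a username that differs only in case. The assertion, user table and function names are all assumptions for illustration.

```python
# Added example (not from the original post): the NameID-to-username lookup an
# SP such as Salesforce performs, run offline. The assertion and the user table
# are constructed for illustration; the lookup logic is mine, not Salesforce's.
# A real SP validates the XML signature, Audience, Conditions and InResponseTo
# before it trusts anything in the assertion, which this example skips.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, unsigned assertion fragment: AAD puts the tenant login name in NameID.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jbloggs@tenant.onmicrosoft.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Stand-in for the SP user store. The username is the lookup key; the email is
# only where the "Change Password" mail goes and plays no part in SSO.
SP_USERS = {
    "jbloggs@tenant.onmicrosoft.com": {"email": "jbloggs@gmail.com", "active": True},
}


def extract_name_id(assertion_xml):
    """Return (value, format) of the Subject/NameID in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    return node.text.strip(), node.attrib.get("Format", UNSPECIFIED)


def resolve_user(assertion_xml, users=SP_USERS):
    """Map the NameID to an SP username exactly: the NameID must equal the
    username (XML whitespace trimmed); the email column is never consulted."""
    name_id, _fmt = extract_name_id(assertion_xml)
    record = users.get(name_id)
    if record is None or not record["active"]:
        return None
    return name_id


def diagnose(assertion_xml, users=SP_USERS):
    """Explain a failed lookup the way you would want the SP to: did the IdP
    send the email instead of the username, or does only the case differ?"""
    name_id, fmt = extract_name_id(assertion_xml)
    if name_id in users:
        return "ok"
    by_email = [u for u, rec in users.items() if rec["email"].lower() == name_id.lower()]
    if by_email:
        return (f"NameID {name_id!r} matches the email of user {by_email[0]!r}, not a "
                f"username: set the SP username to the IdP login name")
    by_case = {u.lower(): u for u in users}.get(name_id.lower())
    if by_case:
        return f"NameID {name_id!r} differs from username {by_case!r} only in case"
    return f"no user with username {name_id!r} (NameID format {fmt})"


if __name__ == "__main__":
    print(resolve_user(ASSERTION))
    print(diagnose(ASSERTION.replace("jbloggs@tenant.onmicrosoft.com", "jbloggs@gmail.com")))
```

Run it as-is and the first line prints the tenant login name; the second shows the message you get when the IdP sends the email address instead, which is exactly the mismatch the post is about.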

Enjoy!


Monday, August 12, 2013

ASP.NET : Inline validation controls no longer red

So I had a project that I was busy migrating from .NET 3.5 to .NET 4.5.

Now I use the asp:RequiredFieldValidator controls and suddenly I noticed that the error messages were no longer in red.

I then compared the projects - no obvious .css changes or anything like that.

Then I compared the web.config files and noticed that:

<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />

had changed to:

<pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" validateRequest="false" />

This must have happened during the wizard that migrates the project.

Have a look at:

What's New in ASP.NET 4 and Visual Web Developer

where it mentions that validators no longer render the inline color:Red style; under 4.0 rendering the validator just emits its text and expects your CSS (or an explicit ForeColor / CssClass on the control) to colour it.

Changing it back to "3.5" sorted it out. While you are in that element, note the validateRequest="false" that came across with it: that switches off ASP.NET request validation for every page, so the application has to be encoding its output itself.

Isn't red the international error colour anyway?

Enjoy!


Friday, August 09, 2013

WCF : The request for security token could not be satisfied because authentication failed

 

In full:

System.ServiceModel.Security.SecurityNegotiationException The caller was not authenticated by the service. System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

I see this when the WS call is cross domain on wsHttpBinding.

wsHttpBinding defaults to message security with Windows credentials, so the token negotiation fails unless the client's domain and the service's domain trust each other.

Quick and dirty is to remove the security (or move to basicHttpBinding, which has no security by default).

Not recommended on a Production system but to get over the hump … With security mode="None" the call has no authentication, integrity or confidentiality at all, so at the very least put the endpoint behind HTTPS (security mode="Transport") and, once the cross-domain problem is understood, move to a credential type that works across domains (certificate or username) rather than leaving security off.

On the client side change:

<wsHttpBinding>
<binding name="WSHttpBinding_IService" >
<security mode="None" />
</binding>
</wsHttpBinding>


On the WS side change:


<system.serviceModel>
<services>
<service name="xxx">
<endpoint address="" binding="wsHttpBinding" contract="WcfServiceLibrary.IService" bindingConfiguration="NoSecurityConfig">
<identity>
<dns value="yyy" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>

<bindings>
<wsHttpBinding>
<binding name="NoSecurityConfig">
<security mode="None" />
</binding>
</wsHttpBinding>
</bindings>


Essentially, the changes are to add a binding configuration with security mode="None", point the endpoint at it via bindingConfiguration="NoSecurityConfig", and make the client-side binding match.



Enjoy!






Monday, July 29, 2013

Visual Studio : Could not write lines to file xxx Access to the path yyy is denied

Using Visual Studio 2012, checked a project into TFS and got the above error.

WTF?

Mr. Google to the rescue and the majority view was either:
  • Make the file readable i.e. no readonly
  • Delete the /bin and /obj directories and rebuild
The file was R/W already so went for option 2 and the error disappeared.

All good!

Enjoy!


Wednesday, July 03, 2013

AD : Locked accounts in Active Directory (AD)

This is truly a curved ball.

Once upon a time, there was an attribute in AD called:

  userAccountControl - ADS_UF_LOCKOUT = 16 (d) 10 (h)

However, from Windows Server 2003 onwards the lockout state is reported through:

  msDS-User-Account-Control-Computed - UF_LOCKOUT = 16 (d) 10 (h).

BUT there is a slight problem. As the name implies this is a constructed attribute i.e. it is not stored on the object. The DC computes it on the fly when you read it, which means it cannot be used in an LDAP search filter and is not returned unless you ask for it by name.

Hence the curved ball.

Some blogs suggest you can use:

filter = "(&(objectClass=user)(lockoutTime>=0))"  

This works in the sense that it refines a potentially huge list to a much smaller one (every account that has ever been locked out has a lockoutTime).

However, it is not sufficient. When a user is locked out and then unlocked by an administrator, lockoutTime is reset to zero, so those users still match. Worse, when a lockout simply expires (the domain's lockoutDuration has elapsed), lockoutTime keeps its old value until the next successful logon, so those users match as well even though the DC no longer considers them locked.

Easy enough, change the filter to:

filter = "(&(objectClass=user)(lockoutTime>0))"  

Dream on - that's not a valid filter query language construct: LDAP filters only have >= and <=. The valid spelling of "greater than zero" is (lockoutTime>=1), which does get rid of the zeroed entries but not the stale ones. (Also note that (objectClass=user) matches computer accounts too; (&(objectCategory=person)(objectClass=user)) restricts the search to people.)

So this first list has to be iterated through again to check that each user is actually locked.

Lots of code out there to do this e.g. (System.DirectoryServices.AccountManagement):
UserPrincipal oUserPrincipal = GetUser(sUserName);   // your own lookup helper
bool bLocked = oUserPrincipal.IsAccountLockedOut();  // reads the computed attribute for you
or if you want to get fancy - refer c# LDAP check user is locked or not (user is a System.DirectoryServices.DirectoryEntry):
string attribName = "msDS-User-Account-Control-Computed";
// Constructed attributes are not in the default property cache - ask for it explicitly.
user.RefreshCache(new string[] { attribName });
const int UF_LOCKOUT = 0x0010;
int userFlags = (int)user.Properties[attribName].Value;
if ((userFlags & UF_LOCKOUT) == UF_LOCKOUT)
{
    // the DC has computed the account as currently locked out
    return true;
}
return false;
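As an added example (not from the original post), the filter-then-verify approach above run offline: stage 1 is the equivalent of the (lockoutTime>=1) search, stage 2 re-checks each candidate against the lockout bit the DC would compute. The list of directory entries is constructed to stand in for LDAP search results, and the DC's computation is reproduced from lockoutTime plus the domain lockout duration (an assumption: passed in as minutes, or None for "locked until an administrator unlocks"); no real directory is contacted.

```python
# Added example (not from the original post): the filter-then-verify approach
# the post describes, run offline over a constructed list of directory entries
# standing in for LDAP search results. Assumptions: the DC's UF_LOCKOUT
# computation is reproduced here from lockoutTime and the domain lockout
# duration (passed in as minutes, or None for "locked until an admin unlocks");
# no real directory is contacted.
from datetime import datetime, timezone

UF_LOCKOUT = 0x0010                      # bit in msDS-User-Account-Control-Computed
TICKS_PER_SECOND = 10_000_000            # FILETIME resolution is 100 ns
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Datetime -> Windows FILETIME (100-ns ticks since 1601-01-01 UTC), the
    encoding lockoutTime is stored in; integer arithmetic so it is exact."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def computed_lockout_bit(entry, now_ft, lockout_duration_ft):
    """What the DC reports in msDS-User-Account-Control-Computed for one entry.
    A non-zero lockoutTime alone is not enough: once lockoutTime + lockoutDuration
    has passed the account counts as unlocked even though lockoutTime keeps its
    stale value until the next successful logon or an admin unlock."""
    lockout_time = entry.get("lockoutTime", 0)
    if lockout_time == 0:
        return 0
    if lockout_duration_ft is not None and now_ft >= lockout_time + lockout_duration_ft:
        return 0
    return UF_LOCKOUT


def ldap_candidates(entries):
    """Stage 1, the equivalent of (&(objectCategory=person)(objectClass=user)(lockoutTime>=1)).
    LDAP filters only have >= and <=, so >=1 is how ">0" is spelled; it drops the
    entries an admin unlock zeroed. objectCategory=person is needed because
    computer accounts are objectClass=user as well."""
    return [
        e for e in entries
        if e.get("objectCategory") == "person"
        and "user" in e.get("objectClass", ())
        and e.get("lockoutTime", 0) >= 1
    ]


def locked_out_users(entries, now, lockout_duration_minutes):
    """Stage 2: re-check each candidate against the computed bit (the per-user
    step the post's C# does with IsAccountLockedOut / RefreshCache)."""
    now_ft = to_filetime(now)
    duration_ft = (None if lockout_duration_minutes is None
                   else lockout_duration_minutes * 60 * TICKS_PER_SECOND)
    return sorted(
        e["sAMAccountName"]
        for e in ldap_candidates(entries)
        if computed_lockout_bit(e, now_ft, duration_ft) & UF_LOCKOUT
    )


# Constructed sample directory; none of these are real accounts.
def _at(hour, minute):
    return to_filetime(datetime(2013, 7, 3, hour, minute, tzinfo=timezone.utc))

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
NOW = datetime(2013, 7, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "alice",
     "lockoutTime": _at(11, 50)},                      # locked 10 minutes ago
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "bob",
     "lockoutTime": _at(9, 0)},                        # lockout expired, value stale
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "carol",
     "lockoutTime": 0},                                # unlocked by an admin
    {"objectCategory": "person", "objectClass": USER_CLASSES, "sAMAccountName": "dave"},  # never locked
    {"objectCategory": "computer", "objectClass": USER_CLASSES + ["computer"],
     "sAMAccountName": "PC01$", "lockoutTime": _at(11, 55)},
]

if __name__ == "__main__":
    print("stage 1:", [e["sAMAccountName"] for e in ldap_candidates(SAMPLE_ENTRIES)])
    print("locked, 30 minute policy:", locked_out_users(SAMPLE_ENTRIES, NOW, 30))
    print("locked, until admin unlocks:", locked_out_users(SAMPLE_ENTRIES, NOW, None))
```

Stage 1 keeps alice and bob (carol was zeroed by an admin, dave never had a lockoutTime, the computer account is filtered out by objectCategory); stage 2 with a 30 minute lockout duration keeps only alice, because bob's lockout expired three hours ago even though his lockoutTime still says otherwise.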

To unlock - refer Everything in Active Directory via C#.Net 3.5 (Using System.DirectoryServices.AccountManagement).
UserPrincipal oUserPrincipal = GetUser(sUserName);
oUserPrincipal.UnlockAccount();
oUserPrincipal.Save();
To unlock via ADUC, click the Account tab on the user's Properties and then check the "Unlock Account" check box.

Note: You cannot lock an account yourself, either programmatically or through ADUC.

Only the DC locks an account, by counting bad password attempts against the account lockout policy e.g. locked out after x invalid attempts within y minutes. The policy may also be set so that accounts are never locked out (a lockout threshold of 0).

Enjoy!

Tuesday, July 02, 2013

Misc : The blog clocks up 100,000 page views

Whoop de do!

100354 pageviews and counting!

Enjoy!

ASP : WTF happened to my asp:Menu in .NET Framework 4.5?

Going through the upgrade exercise I mentioned in my previous post.

All good but my menu is now poked - all bunched up to the left. Still works but looks really munged!

Mr. Google to the rescue!

Menu.RenderingMode Property

The reason is that:

"The value of the RenderingMode property determines how the menu control renders markup for the Menu control.

In ASP.NET 3.5 and earlier versions, the Menu control uses HTML table elements and inline styles to specify the appearance of the menu in a browser. In ASP.NET 4 and later versions, by default the Menu control uses HTML listitem elements and cascading style sheet (CSS) styles."

The quick fix is RenderingMode="Table" on the Menu (or the same controlRenderingCompatibilityVersion="3.5" switch as in the validator post); the proper fix is to style the list markup with CSS.


Enjoy!

WIF : Migrate from WIF 3.5 to WIF 4.5 and VS 2010 to VS 2012


Been going through this exercise lately and thought I would document for others.

Some references:

http://msdn.microsoft.com/en-us/library/jj157091.aspx
http://msdn.microsoft.com/en-us/library/jj157089.aspx
http://msdn.microsoft.com/en-us/library/hh873305.aspx
http://msdn.microsoft.com/en-us/library/hh987037.aspx

Copy project to another directory, make all files R/W and then open with VS 2012. Check migration report.

Remove source control references if applicable.

Under Properties / Application / Target Framework, change to 4.5.

Remove Microsoft.IdentityModel from References

Add System.IdentityModel and System.IdentityModel.Services to references.

Change “using Microsoft.IdentityModel.Claims” to “using System.Security.Claims”

Change IClaimsPrincipal to ClaimsPrincipal

Change IClaimsIdentity to ClaimsIdentity

Change claim.ClaimType to claim.Type (the .NET 4.5 Claim exposes Type, Value and ValueType). Similarly for the other renamed members.

'FederatedPassiveSignInStatus' control has been removed. Remove all references. This includes the
<%@ Register assembly="Microsoft.IdentityModel"
namespace="Microsoft.IdentityModel.Web.Controls" tagprefix="wif" %>
in the aspx pages.

The "Add STS reference" (FedUtil) functionality has been removed. You need to download the "Identity and Access Tool" (available via NuGet).

Running the tool makes "different" changes to the web.config e.g. adds system.identityModel and system.identityModel.services sections and an ida:FederationMetadataLocation app setting.

Comment out all the microsoft.identityModel sections in the web.config.

Update:

<modules runAllManagedModulesForAllRequests="true">
<!-- <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />-->
<!-- <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />-->
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</modules>

Enjoy!

Wednesday, June 26, 2013

SAML : SAML connectivity / toolkit

This is an update to try and categorise this in terms of SAML stacks.

Note that this concerns the SAML protocol not to be confused with SAML tokens or SAML products.

The links in the original article are still valid.

SAML is complicated. Getting the security right is difficult: signature validation, XML canonicalisation, audience and validity-window checks, and the classic XML signature wrapping attacks are where home-grown code goes wrong. My advice is not to roll your own.

Note: I personally haven't tried all of these. This is just a list that may be of use.

C#

The WIF Extension for SAML 2.0 is now deprecated and the links have been removed. It is only applicable for .NET 3.5 and is buggy.

There is NO official Microsoft C# client-side SAML protocol stack.

OneLogin's Open-Source SAML Toolkits and Github.

(Libraries for .NET, Python, Ruby, PHP, Java, node and others).

The Kentor stack is now deprecated.
Use Sustainsys - for .Net Core 2 use this version.

Owin.Security.Saml

Using Fedlets in .NET Applications

OIOSAML

SAML2

Safewhere SAML 2 for WIF

Java

OpenSAML

Good book on this - Guide to OpenSAML V3.0 and an earlier version Guide to OpenSAML v2.0

Using Fedlets in Java Web Applications 

OneLogin's Open-Source SAML Toolkits

Spring security SAML

OIOSAML

auth10-java

MITREid Connect

PHP

simpleSAMLphp

LightSAML

OneLogin as above.

Ruby

OneLogin as above.

Python

OneLogin as above.

Commercial

Componentspace

Ultimate .NET SAML

Rock Solid Knowledge
This is for .NET Core 2 and is a plugin for IdentityServer 4.

Identity aaS (as a service)

Auth0 - They do some really neat stuff. Lots of documentation e.g. SAML configuration. See the article at the end of this post

Other

nugetmusthaves for SAML

SAML articles in this blog

Disclaimer

I do not work for any of the above commercial companies.
------------------------------------------------------------------------------------------

There are two previous posts concerning SAML and libraries:

SAML : A SAML stack

WIF : Is there a Java Equivalent?

which are very much focused around the Microsoft / ADFS / WIF scenario.

But there’s tons of stuff out there concerning this so this is just a collection of links – for me as much as for everyone else!

OpenSAML - C++ / Java – open source

Performing a SAML Post with C#

Single Signon with SAML

SAML Single Sign-On (SSO) Component Suite for .NET – commercial

.NET SAML Component - Single Sign-On for C#, VB.NET & ASP.NET – commercial

onelogin SAML Toolkit – C#, ASP.NET, Java, PHP, Python, Ruby

Libraries and toolkits to develop SAML actors and SAML-enabled services

Working with SAML Assertions

Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview!

Collection of Useful SAML Tools

authNauthZ - A Swiss army knife for Graph API / SAML / OAuth

SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices

Auth0 - This is essentially Identity aaS. They do some really neat stuff. Lots of documentation e.g. SAML configuration.

(I wrote up an example here using Auth0 -SAML : ASP.NET MVC application talking to SAML IDP.
The service is free until you go into Production and it's not locked down in any way - you have access to all the features).

Enjoy!

Tuesday, June 18, 2013

ADFS : “Problem” with “Token-Groups–Unqualified Names”

 

ADFS has this clever feature where, if you select the "Token-Groups - Unqualified Names" LDAP attribute in a claims rule and map it to Role, you get one role claim per group the authenticated user belongs to, e.g.

http://schemas.microsoft.com/ws/2008/06/identity/claims/role  Role1

That’s well and good when the groups are “flat” i.e. the groups are not memberOf other groups.

If they are, then this mapping will work its way up the hierarchy and emit ALL the groups.

So if Joe is a memberOf Role1 and if Role1 is a memberOf Role2, then ADFS will construct:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role1

http://schemas.microsoft.com/ws/2008/06/identity/claims/role Role2

Now that’s fine if that’s what you want but if Joe has 20 roles and all these roles are at the bottom of a whole pile of other roles you end up with many, many claims and a complete mess!

So what to do if you only want the bottom layer i.e. the actual memberOf?

If you go have a look via ADUC, guess what? memberOf is not displayed as an attribute!

WTF!

To see it as an attribute in the attribute list, you need to click the “Filter” box (bottom right) in “Attribute Editor” and then select “Backlinks”.

OK – so what if we set up a claims rule mapping memberOf to Roles?

So we type memberOf into the LDAP attribute field (it is actually editable) and note that it displays as “Is-Member-Of-DL”.

Problem!

What we get back is the whole CN e.g.

CN=Role1,OU=Sales,OU=company,DC=com

when what we got before was just Role1.

Enter stage left Joji Oshima. He da man!

Refer: AD FS 2.0 Claims Rule Language Part 2.

and have a look at “Problem 1” which is exactly the scenario described above.

Problem solved!
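As an added example (not from the original post, and not how ADFS is implemented), here is the difference described above made concrete: the transitive closure of memberOf that "Token-Groups - Unqualified Names" expands to, the direct memberOf list, and the reduction of a memberOf DN to its unqualified CN, which is the same job the referenced claims-rule article does in claims rule language. The group graph, the user "joe" and the function names are constructed for illustration; the closure only approximates how the DC builds tokenGroups.

```python
# Added example (not from the original post): the difference between what the
# "Token-Groups - Unqualified Names" store attribute hands ADFS (every group up
# the memberOf chain) and the direct memberOf list, plus the DN-to-CN reduction
# that turns "CN=Role1,OU=Sales,OU=company,DC=com" back into "Role1". The group
# graph is constructed for illustration and the closure here only approximates
# how the DC builds tokenGroups; ADFS itself does this with claims rule language.
import re

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed directory: group DN -> DNs of the groups it is itself a memberOf.
GROUP_PARENTS = {
    "CN=Role1,OU=Sales,OU=company,DC=com": ["CN=Role2,OU=Sales,OU=company,DC=com"],
    "CN=Role2,OU=Sales,OU=company,DC=com": ["CN=AllStaff,OU=company,DC=com"],
    "CN=Role3,OU=Sales,OU=company,DC=com": ["CN=AllStaff,OU=company,DC=com"],
    "CN=AllStaff,OU=company,DC=com": [],
}
# Direct memberOf of a constructed user.
USER_MEMBER_OF = {
    "joe": ["CN=Role1,OU=Sales,OU=company,DC=com", "CN=Role3,OU=Sales,OU=company,DC=com"],
}

# First RDN of a CN-based DN; backslash escapes are consumed so a comma inside
# the CN does not end the match early.
_CN_RDN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def unqualified_name(dn):
    """'CN=Role1,OU=Sales,OU=company,DC=com' -> 'Role1'."""
    m = _CN_RDN.match(dn)
    if not m:
        raise ValueError(f"not a CN-based DN: {dn}")
    return re.sub(r"\\(.)", r"\1", m.group(1))


def token_groups(user, parents=GROUP_PARENTS, member_of=USER_MEMBER_OF):
    """Transitive closure of memberOf, which is what tokenGroups contains and
    why the ADFS mapping emits a role claim for every ancestor group."""
    seen, queue = [], list(member_of[user])
    while queue:
        group = queue.pop(0)
        if group in seen:
            continue
        seen.append(group)
        queue.extend(parents.get(group, []))
    return seen


def role_claims(user, nested=True):
    """(type, value) pairs as ADFS would issue them: nested=True mirrors
    Token-Groups - Unqualified Names, nested=False the memberOf attribute with
    the DN reduced to its CN."""
    groups = token_groups(user) if nested else USER_MEMBER_OF[user]
    return [(ROLE_CLAIM, unqualified_name(g)) for g in groups]


if __name__ == "__main__":
    for nested in (True, False):
        print("nested" if nested else "direct", [v for _, v in role_claims("joe", nested)])
```

With the constructed graph, joe's two direct groups expand to four role claims when nested, which is the "complete mess" the post describes once you have twenty roles under a deep hierarchy; the direct list with the DN stripped gives just Role1 and Role3. The escape handling in unqualified_name matters because a naive split on the first comma truncates a group whose CN itself contains an escaped comma.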

Enjoy!

Friday, June 07, 2013

WIF : Is there a Java Equivalent?


Been asked this question a million times and now I have an answer of sorts.

If by WIF, you mean WS-Federation, then mosey on over to:

Apache CXF Fediz: An Open-Source Web Security Framework
 
This supports:
  • WS-Federation 1.0/1.1/1.2
  • SAML 1.1/2.0 Tokens
  • Custom token support
  • Publish WS-Federation Metadata document
  • Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens
  • Claims information provided by FederationPrincipal interface
However, if by WIF you mean the FAM / SAM / CAM functionality then the jury is still out.

There is no direct Java replacement library for WIF.

Update:

Came across auth10-java.
  • This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation. 
Update:

Also  OIOSAML.

Enjoy!

Tuesday, June 04, 2013

SAML : A SAML stack


I answer this question so many times, I’m writing it up as a blog entry.

You have an application – .NET, JAVA whatever.

You want this to be a SP and need to connect to an IDP – ADFS, OpenAM, simpleSAMLPHP …

Look at Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview! (.NET).

Warning: This has not been updated in a while.

Warning: This is based on WIF 3.5. It is not compatible with WIF 4.5.

Also the OpenSSO Fedlet – this has components for both .NET and Java.

Or the OpenAM equivalents:

Using Fedlets in Java Web Applications and
Using Fedlets in .NET Applications

Or the Spring Security - SAML Extension (Java).

Or OIOSAML (.Net and Java).

Or auth10-java.
  • This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation.
Or Kentor.AuthServices

  • A SAML2 Service Provider for ASP.NET. Built to mimic the WSFederationAuthenticationModule in .NET 4.5, but using SAML2 instead. The module works with the claims model of .NET 4.5 and uses the present infrastructure for claims translation, session authentication cookies etc.
Or SAML2

  • NuGet package - A .NET implementation of the SAML 2.0 specification for SP integrations. 
  • "Install-Package SAML2" from the Package Manager Console  
Or Safewhere SAML 2 for WIF

  • SAML 2.0 for WIF is a new DLL component that extends the WIF with native support for the SAML 2.0 protocol. (.NET)
Or take your pick from this list:

SAML-based products and services
Enjoy!