Friday, February 22, 2013

ADFS : Getting the domain name as a claim

There are a number of ways of doing this.

You can get the domain name via ADFS : Sending groups as claims.

Also there was a thread on the forum that I contributed to viz. Custom Claim Rules - How to write domain name into outgoing claim?.

As I said, you could map msDS-PrincipalName to http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname and then use some regex to split out the domain name.

But further down:

“You don't need to use any mapping/edit LDAP rules and stuff. The windowsaccountname claim is there by default after installing adfs.

Just check it for yourself:

-Open the ADFS 2 console

-Open Trust Relationships

-Open Claims Provider Trusts

-Right mouse click on the AD trust and click "Edit claim rules"

-Note the first rule: Pass through all Windows account name claims.

You can just use the "Pass through or filter an incoming claim option" in the relying party claims configuration and select the windows account name or use a custom transform rule to transform it to the desired outgoing claim.”

Very neat!
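As an added example (not from the post or the quoted thread), this is the second approach done with the ADFS PowerShell cmdlets: the default pass-through rule plus a custom transform rule that issues the domain part of windowsaccountname as its own claim. The relying party name and the outgoing claim type URI are assumptions.

```powershell
# Added example, not code from the post. Assumes a relying party trust named "Contoso App"
# and an outgoing claim type of http://schemas.contoso.com/identity/claims/domain.
$rpName = 'Contoso App'

# ADFS claim rule language. Rule 1 passes windowsaccountname (DOMAIN\user) through unchanged.
# Rule 2 only fires when the value really contains a backslash, and issues the part before it.
# Backslashes are doubled inside the rule strings, as in Microsoft's own regex examples.
$newRules = @'
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleName = "Issue domain name from Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Value =~ "^[^\\]+\\.+$"]
 => issue(Type = "http://schemas.contoso.com/identity/claims/domain",
          Value = RegExReplace(c.Value, "^(?<domain>[^\\]+)\\(?<user>.+)$", "${domain}"));
'@

# ADFS 2.0 ships the cmdlets as a snap-in; ADFS 2.1 and later load them as a module.
if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Append to the RP's existing issuance rules rather than replacing them, so nothing
# already configured for this RP is lost.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $newRules)

# Review what is now configured for the RP.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```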

Enjoy!

Tuesday, February 05, 2013

ADFS : New RP / SP metadata for expired certificate

Common pattern – you set up a link with a WS-Fed RP or a SAML SP and for whatever reason the certificate they use has expired.

That site has a load of claims rules and it’s a real pain to delete the site, re-import the metadata, type in all the claims rules again etc.

But wait – help is at hand.

Instead of sending you all the metadata, just ask them to send you the certificate as a .cer text file. That’s the format that looks like:

-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----

In ADFS, double-click on the RP under “Relying Party Trusts”.

Then click on the Signature tab.

Then click on the “Add” button, browse to the .cer file, select it etc. and voilà – you have updated the certificate without having to do the whole nine yards.
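The same fix scripted with the ADFS cmdlets, as an added example that is not from the post: it reports which of the RP's current signing certificates has expired, loads the .cer they sent, and swaps it in. The RP name and the .cer path are assumptions.

```powershell
# Added example, not code from the post. Assumes an RP trust named "Contoso App" and
# that the partner's new certificate was saved to the path below.
$rpName  = 'Contoso App'
$cerPath = 'C:\certs\contoso-app-signing.cer'

if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell    # ADFS 2.0; later versions use the ADFS module
}

$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# Show why the trust stopped working: each request-signing cert and its expiry date.
foreach ($old in $rp.RequestSigningCertificate) {
    $state = if ($old.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    "{0}  {1}  expires {2:u}" -f $state, $old.Thumbprint, $old.NotAfter
}

# X509Certificate2 loads both Base64 (-----BEGIN CERTIFICATE-----) and binary DER .cer files.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($new.NotAfter -lt (Get-Date)) {
    throw "Replacement certificate is also expired: $($new.Thumbprint)"
}
"Replacement: $($new.Subject)  thumbprint $($new.Thumbprint)  expires $($new.NotAfter)"
# Check this thumbprint against the value the partner gave you before applying it.

# The console's "Add" button appends; here the old certificate is replaced outright so
# only the new one is accepted as a signer from now on.
Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $new

# Confirm the change took.
(Get-AdfsRelyingPartyTrust -Name $rpName).RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```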

Enjoy!

Friday, January 18, 2013

stackoverflow : The forum double


In cricket, we have the concept of the “all-rounder’s double” for cricketers who have scored 1000 runs and taken 100 wickets or whatever.

So I set myself the “forum double” of 10,000 points on stackoverflow and 1,000 points on the Microsoft .NET Framework Forums. It’s a LOT harder to get points on the Microsoft forum – trust me.

This is completely arbitrary but what the hell.

The stackoverflow goal was achieved a while back (refer previous posts) but I’ve just achieved the Microsoft one.

[screenshot of the Microsoft forum points]

Enjoy!

ADFS : objectGUID as a claim


You may have a business requirement to pass some unique key to the application that is not readily identifiable or editable. There are two possibilities in AD viz. objectSID and objectGUID.

As per SID vs. GUID, objectGUID is the better choice because:

“globally unique identifier (GUID), which is a 128-bit value is unique not only in the enterprise but also across the world” and

“the values of other object properties can change, but the object-GUID never changes. When an object is assigned a GUID, it keeps that value for life”.

So you configure the claim in the normal LDAP attribute manner and when you look at the claims, you see:

http://schemas.company.com/identity/claims/objectguid kzGVAByOYki4z7CdR2yecA==

WTF – that ain’t no GUID? The two equal signs at the end would seem to indicate Base64?

Mr. Google to the rescue and voilà: Issuing objectGUID as an ADFS Claim.

So let’s test it out. Couldn’t be bothered to create a VS project just for this, so the inestimable LINQPad to the rescue.

[screenshot of the LINQPad test]

And the GUID at the bottom is indeed what is displayed in AD.
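The same test in PowerShell, as an added example that is not the post's LINQPad code: it decodes the Base64 claim value quoted above with the System.Guid(byte[]) constructor (the same one you would call from C#), shows why a raw hex dump of the bytes reads differently, and round-trips the result to prove the byte order is right.

```powershell
# Added example, not code from the post. The claim value is the one quoted in the post.
function ConvertFrom-ObjectGuidClaim {
    param([Parameter(Mandatory=$true)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    if ($bytes.Length -ne 16) { throw "objectGUID must be 16 bytes, got $($bytes.Length)" }
    # System.Guid(byte[]) expects the same mixed-endian layout AD stores the attribute in:
    # the first three fields (4 + 2 + 2 bytes) are little-endian, the last 8 bytes are in order.
    New-Object System.Guid -ArgumentList (,$bytes)
}

function ConvertTo-ObjectGuidClaim {
    param([Parameter(Mandatory=$true)][Guid]$Guid)
    # Inverse: what ADFS sends when it reads objectGUID over LDAP and Base64-encodes the bytes.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

$claimValue = 'kzGVAByOYki4z7CdR2yecA=='
$guid = ConvertFrom-ObjectGuidClaim $claimValue

"Claim value : $claimValue"
"GUID        : $guid"
# Reading the raw bytes left to right gives a different string from the GUID; that is the usual
# mistake when the conversion is hand-rolled instead of using the Guid constructor.
$hex = ([Convert]::FromBase64String($claimValue) | ForEach-Object { $_.ToString('x2') }) -join ''
"Raw bytes   : $hex"

# The round trip must reproduce the claim value exactly; a wrong byte order would not.
if ((ConvertTo-ObjectGuidClaim $guid) -ne $claimValue) { throw 'Round-trip mismatch' }

# With the AD module loaded, the decoded value can be checked against the directory:
#   Get-ADUser -Identity $guid      (-Identity accepts an objectGUID)
```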

Enjoy!

Monday, January 07, 2013

ADFS : Forum about to be retired

Refer : This Forum Is to Be Retired.

After a number of posts from people much more knowledgeable and much more influential than me happy to see that the decision was reversed.

Nice one Microsoft!

But I do content myself with the fact that I had a small part to play in all of this!

Enjoy!

Wednesday, December 19, 2012

WCF : Missing WCF .svc file in project

I created a WCF project in VS 2010 in the normal manner but when I wanted to connect to it, I found that the .svc file was missing?

WTF?

So I published the project to a folder. Lo and behold, the .svc file appeared in all its glory!

I then added this folder as an application to IIS 7.5 and all was sweetness and light.

Enjoy!

Friday, December 14, 2012

SAML : Encoding / decoding a trace

I blogged previously about ways to look at the SAML trace and decode the gobbledegook (actually it’s Base64!).

One of the ways I mentioned was to use the text wizard inside Fiddler.

The problem is that to use it, you have to start Fiddler which installs proxies, generates certificate errors etc. The cure is almost worse than the symptoms!

So I sent Eric Lawrence (the author of Fiddler) an email to ask if they could make the text wizard functionality a standalone option.

You may think that’s a bit of a cheek but in my experience, people welcome feedback etc. as long as it’s valid and not the “Please do my homework for me” or “Help it doesn’t work” kind of stuff.

He was kind enough to reply and he suggested:

Inside Fiddler’s Rules > Customize Rules > OnBoot, insert:

static function OnBoot() {
    // Jump straight into the Text Wizard when Fiddler is launched with -TextWizard
    if (Environment.CommandLine.Contains("-TextWizard"))
    {
        FiddlerApplication.UI.actShowTextWizard(null);
    }
}

Then create a shortcut that launches Fiddler like so:

C:\>"C:\Program Files\Fiddler2\Fiddler.exe" -viewer -TextWizard

Works like a dream.
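If you would rather not involve Fiddler at all, here is a standalone decoder for the Base64 values in a SAML trace, as an added example that is not from the post or from Fiddler. It handles both the POST binding (plain Base64) and the redirect binding (DEFLATE then Base64, URL-encoded); the sample AuthnRequest is constructed for the demo.

```powershell
# Added example, not code from the post or from Fiddler.
function ConvertFrom-SamlParameter {
    param(
        [Parameter(Mandatory=$true)][string]$Value,  # the SAMLRequest or SAMLResponse value
        [switch]$UrlEncoded                           # set when copied out of a redirect URL
    )
    if ($UrlEncoded) { $Value = [Uri]::UnescapeDataString($Value) }
    $bytes = [Convert]::FromBase64String($Value)

    # POST binding: Base64 of the XML itself, so it starts with '<' (or a UTF-8 BOM).
    # Redirect binding: the XML is raw-DEFLATEd before Base64, so inflate it first.
    if ($bytes.Length -gt 0 -and ($bytes[0] -eq 0x3C -or $bytes[0] -eq 0xEF)) {
        $xml = [Text.Encoding]::UTF8.GetString($bytes)
    } else {
        $in  = New-Object System.IO.MemoryStream (,$bytes)
        $def = New-Object System.IO.Compression.DeflateStream ($in, [System.IO.Compression.CompressionMode]::Decompress)
        $out = New-Object System.IO.MemoryStream
        $buf = New-Object byte[] 4096
        while (($n = $def.Read($buf, 0, $buf.Length)) -gt 0) { $out.Write($buf, 0, $n) }
        $xml = [Text.Encoding]::UTF8.GetString($out.ToArray())
    }
    $xml = $xml.TrimStart([char]0xFEFF)

    # Parse and indent so the message is readable; LoadXml throws if it is not XML at all.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xml)
    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter $sw
    $xw.Formatting = 'Indented'
    $doc.WriteTo($xw)
    $xw.Flush()
    $sw.ToString()
}

# Constructed sample: a minimal AuthnRequest encoded the way the POST binding sends it.
$sampleXml = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0" />'
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
ConvertFrom-SamlParameter -Value $sampleB64
```

For a value copied from a redirect URL, pass -UrlEncoded so the percent-encoding is undone before the Base64 step.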



Enjoy!

Thursday, November 29, 2012

stackoverflow : Finally – 5 figures!

[screenshot of the stackoverflow reputation]

Well, there it is. I finally cracked the magic 10,000 rep. mark!

And at the same time …

[screenshot of the stackoverflow ranking]

… I made it into the top 3%.

Enjoy!

Tuesday, November 20, 2012

Misc : On asking questions

Jon Skeet wrote a very good article : Writing the perfect question.

I’m active on stackoverflow and the MSDN forums and I wish more people would read this article.

Recently there was a question and I replied waxing voluble about how to do something using WIF and the dude replied:

“Actually it’s a Java application”.

FFS dude, why didn’t you put that minor piece of information in the question?

The quality of the answer is directly related to the quality of the question.

And for God’s sake, spell check it!

Enjoy!

Friday, November 16, 2012

Visual Studio : Cannot import the following key file

When you have a signed project in TFS, every time a new person gets it out, they have this problem. So they create a new certificate, check it all in and the next person has the same problem. WTF.

The error is:

“Cannot import the following key file: xxx.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_blah”

Mr. Google to the rescue. Found a number of “solutions” but then stumbled across one that worked.

In the project properties under “Signing”, click the dropdown arrow and click on the pfx file name. This invokes the password dialogue so you can type in the new password and Bingo!

All then compiles.

Enjoy!

Thursday, November 15, 2012

Stackoverflow : What can I say?


Taken a while but I finally got there!


Enjoy!