WIF support for OAuth 2.0: Q&A
Volume 1
Q: I am getting exception with the following message after deploying my application to a farm. Key not valid for use in specified state
A: The default cookie encryption mechanism uses DPAPI. This would mean that a cookie created by one server (or web role instance in case of Azure) would not be readable by another server or web role instance. To solve this problem you should use a cookie encryption mechanism that uses a key shared by all the web role instances or configure your load balancer for sticky session (not available currently for Azure). The following code is taken from patterns &practices guide Moving Applications to the Cloud that shows how to replace the default SessionSecurityHandler object and configure it to use the RsaEncryptionCookieTransform class in Globala.asax:
private void OnServiceConfigurationCreated(object sender,
ServiceConfigurationCreatedEventArgs e)
{
List<CookieTransform> sessionTransforms =
new List<CookieTransform>(
new CookieTransform[]
{
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(
e.ServiceConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(
e.ServiceConfiguration.ServiceCertificate)
});
SessionSecurityTokenHandler sessionHandler =
new
SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(
sessionHandler);
}
Q: I am getting exception: Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive. Source Error:
Line 27: during development. Line 28: --> Line 29: <compilation debug="true" targetFramework="4.0"> Line 30: <assemblies> Line 31: <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> |
A: .NET 4.0 required. Install or configure your server to use ASP.NET 4.0.To configure your server for using ASP.NET run the following command in command prompt. Make sure the Framework version is 4.0: C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe –i
Make sure the AppPool runs under .Net 4.0, located in AppPools Advanced Settings under General section:
Note: Changing AppPool configuration may break other applications running in this AppPool. Consider creating separate AppPool for the application with the new configurations applied.
Q: I am getting exception: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
Q: What are the options for implementing authorization in claims aware application?
A: You can implement Claims Based Access Control (CBAC) which gives you freedom of implementing authorization decision based on claims in the token extending ClaimsAuthorizationManager. Here is example how - How To Implement Claims Based Authorization For ASP.NET Application. For traditional Role Based Access Control (RBAC) which is suitable for migration scenarios consider reviewing these simple walkthroughs:
- IsInRole Authorization in ASP.NET Application Using Windows Identity Foundation (WIF) and ClaimsAuthenticationManager
- IsInRole Authorization in ASP.NET Application Using Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service
- Authorization With RoleManager For Claims Aware (WIF) ASP.NET Web Applications
Q: I am receiving exception with the following message:The data protection operation was unsuccessful.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
A: Configure IIS to load user profile. To configure IIS to load user profile follow these steps:
- Open IIS Manager.
- Find out what AppPool your application is using by selecting your App, right-click on it, and Select Manage Application -> Advanced Settings.
- After that, on the top left hand side, select Applications Pools, and go ahead and select the App Pool used by your app.
- Right-click on the App Pool, and select Advanced Settings, Go to the Process Model Section and Find the "Load User Profile" Option and set it to true.
Q: I am getting the following error: I updated with new stsServer certificate and changed the Web.config to point to new trusted certificate.
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
A: If you copied the thumbprint from MMC snap-in into config, there is a known problem with copying from the certificate properties window into the config file and getting an extra non-printable character in the text string, which causes the thumbprint match to fail.
Procedure for finding thumbprint taken from this page - http://msdn.microsoft.com/en-us/library/ff359102.aspx To find a thumbprint 1. On the taskbar, click Start, and then type mmc in the search box. 2. Click mmc. A window appears that contains the Microsoft Management Console application. 3. On the File menu, click Add/Remove Snap-in. 4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add. 5. In the Certificates snap-in dialog box, select Computer account, and then click Next. 6. In the Select Computer dialog box, select Local computer, click Finish, and then click OK. 7. In the left pane, a tree view of all the certificates on your computer appears. If necessary, expand the tree. Expand the Personal folder. Expand the Certificates folder. 8. Click the certificate whose thumbprint you want. 9. In the Certificate Information dialog box, click the Details tab, and then scroll down until you see the thumbprint. 10. Copy then paste into VS editor (web.config) 11. Position the cursor in the beginning of the thumbprint by pressing on Home button. 12. Press Delete button to remove leading non-printable character.
Note – Try to avoid the situation in the first place by not selecting the blank before the 9f at the start. If issues arise, you should be able to see it just by typing the web.config in a command window
Q: I am on a customer site and we have the following issue installing the WIF 4.0 SDK.
- Customer Machine is Windows 7 Ultimate
- Windows Identify Runtime has been installed
When installing the WIF 4.0 SDK we get the following Error: 2738
Searching (search engine of choice) for the following “msiexec.exe error 2738” to http://msdn.microsoft.com/en-us/library/aa372835(VS.85).aspx
2738 - Could not access VBScript run time for custom action [2].
A: If Visual Studio 2010 is not installed, install it. - http://www.microsoft.com/visualstudio/en-us/products/2010-editions
Q: I am getting the following exception - An error occurred during processing of the request.
Unknown server tag 'adfs:InformationCardControl'.
Additional dat
A: 6941c49e-1098-471b-b13a-b6718c6b8bfc
A: Remove RC version of ADFS v2 and install RTW from - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en
Q: How do I get an email address claim from ACS v2?
A: You cannot obtain user's Windows Live email address from ACS. This is actually a security policy imposed by Live ID http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/b2d2e62d-1a93-43bd-9717-a82fd63ed3cd
<[default] http://ddue.schemas.microsoft.com/authoring/2003/5:content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
Q: My application uses WIF and requires that it be installed as a prerequisite. Can I distribute the runtime files with my application?
A: Absolutely. There is now an additional EULA for the WIF SDK that allows developers to redistribute the WIF runtime with their application when they develop an application using WIF. See the WIF SDK supplemental EULA in the list of possible downloads (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504).
Volume 2
Q: How can I control the type of token my STS issues when it is invoked from an active or passive client?
A: The key type is part of the RST; either set it manually when using WSTrustChannelFactory, or set it on the binding when you use the automatic token request facility in WCF. The setting is - issuedKeyType=”SymmetricKey”
Q: What event trigger should I use to signal the time for population of session variables?
A: Use (Post)AcquireRequestState. This is the first event were session state is available
Q: How do I tell AD FS v2.0 which Claims Provider the application is trying to connect with from within the web application?
A: You can set the home realm parameter 'whr' (in config or programmatically) when redirecting to ADFS2. The value must be the issuer URI value of the desired claims provider.
Q: Is there a way for my application to query a third party STS to get a list of all users that are at least 21 years or older?
A: The short answer is no, not really.
Storage of identity information as well as management of that data should belong to the third party. Therefore, the third party needs to provide an external way of providing that information through a report or some other means.
The idea is that the user store is theoretically a black box, and the only information you can get out of it is the information that the user is willing to give you (via the token) and only when the user is willing to give it to you.
Also see the discussion under the section, How Can You Get a List of All Possible Users and All Possible Claims.
See http://msdn.microsoft.com/en-us/library/ff359108.aspx for more information.
Q: How do I configure WIF’s behavior so a user can navigate to a given page, then click ‘login’ to go to an authentication page?
A: You can use the <authorization /> element in web.config
For example:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Q: What security consideration should I take when developing and deploying claims aware applications?
A: Review the following page for security consideration when developing and deploying claims aware applications - Security Considerations
Q: Does WIF support OAuth 2.0?
A: Yes, consider reviewing WIF OAuth Extensions Sample published here - https://connect.microsoft.com/site1168/Downloads
Q: How to configure token replay detection in configuration file?
A: Set true for the enable attribute of the tokenReplayDetection element in configuration file
Q: What Code Samples are available for WIF?
A: Review the list of code samples here (scroll down to Code Samples bullet) - http://blogs.msdn.com/b/alikl/archive/2010/10/21/windows-identity-foundation-wif-sdk-overhaul.aspx
Q: Can I configure SSO with Active Directory for Web Application deployed to Windows Azure?
A: Yes, review the following whitepaper that walks you through the exact steps how to accomplish just that - Single Sign-On from Active Directory to a Windows Azure Application Whitepaper
Volume 3
Q: When I ran the web app it errored out as follows, how do I fix this?
ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'). I created a relying party in ACS and used SWT as the token format. Then I used "Add STS reference..." to my web app and pointed it to https://MyApp.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml. If I switched to use SAML 2.0 token format, it works just fine.
A: WIF does not include a security token handler for SWT. You can find a sample here: http://zamd.net/2010/07/31/using-wif-for-securing-rest-service/
I wouldn't put too many bets on SWT - seems it will soon be replaced by JWT (of course the good thing about WIF is, that these details are abstracted away from an application point of view). View article...
Q: Are bootstrap tokens, from the CurrentPrinciples IClaimsPrincle identities[0], encrypted? In particular if the original token was encrypted.
A: No - the session token (which holds the bootstrap token) gets generated from the IClaimsPrincipal - that's after decryption. But the session token itself is encrypted by default. View article ...
Q: I have my own library that returns an object of type Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken using WIF API. But I want to get token as XML string or XmlElement. How can I get entire token XML from Saml2SecurityToken object?
A: You can use the SAML security token handler's WriteToken method. This writes to an XmlWriter. Then convert this to a string. e.g.; var sb = new StringBuilder(128); handler.WriteToken(new XmlTextWriter(new StringWriter(sb)), token); View article ...
Q: I created a SAML token signed it using X509 certificate and serialized it to XML What is KeyIdentifier used for?
Is it the public key used to decrypt the token? <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">W6QZ8TBjeMzd2YdBldib7pOVvT8= How is the key identifier used to fetch right key material and verify the signature and how to do this programmatically?
A: There are multiple possible key identifiers - e.g. a thumbprint or the complete certificate is embedded inside the token / signature. On the receiving end - the SecurityTokenResolver classes are used to fetch the right key material (e.g. from the certificate store or re-hydrate the cert from the embedded base64 string inside the token)l. The key identifier for signatures is a hint for the receiver of the token. This hint must be sufficient enough for the receiver to fetch the right key material to verify the signature. View article ...
Q: Does WIF support federated authentication over webHttpBinding for RESTful WCF endpoints? If so, are there any samples that demonstrate this?
A: But you can use WIF to create plumbing for WCF REST services. See library at http://identitymodel.codeplex.com has samples for that. View article ...
Q: How do I create a custom security token on server side and provide it to client from method call?
A: When using WSTrustChannelFactory from WIF you can include arbitrary information in the RST. There's also a sample in the SDK. If you want to go the custom WCF service way - you have to populate a SecurityTokenDescriptor class and pass that to the SamlxxSecurityTokenHandler's CreateToken method. But i can tell you that this is not trivial - when you want to use the token for back-end WCF services you also have to deal with proof keys e.g. / View article ...
Q: I am building custom STS but don't want to use X509 Security Token, I want to encrypt the message with my own private/public keys how can this be achieved?
What sort of keys? X509 is public/private key. I want to use sn.exe and generate keys using which I want to encrypt the message.
A: That's not very common practice - but at the end of the day - a certificate (plus priv key) is just a byte[]. So no need to reinvent the wheel. You can use makecert to create your own X509 keys. View article ...
Q: Did anyone try connecting Win2003 ADFS with PingIdentity using SAML or WSFed?
We have a SaaS product that provides SSO with Ping but one of our client wants to use Win2003 ADFS on the IDP side. I would like to test our app connect with an Win 2003 ADFS as IDP. Is there a blog or site with steps to connect ADFS with Ping?
A: Does this training piece help? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b24dbe27-5bea-4564-bf7d-c077af69e997&displaylang=en View article ...
Q: Can anyone point me to some guidance on how to move my application to a production server?
My claims based app is working fine on my development machine. I have been using the production ADFS 2 server to retrieve claims and all seems to be working well. I normally use MSDeploy to automate my deployments and any assistance on which sections of web.config need to be modified and how would be much appreciated. In particular, how do I set/modify those strings of hex digits? Where do I get the production values from? Do I need to install fedutil on the production machine? There is a video somewhere that I saw some time ago but have lost the reference for it which had a section on how to deploy to production, if anyone knows what I am talking about that would be great! I recall that there was something about adding a name attribute to the microsoft.identityModel/service element but I forget the details. Any pointers or advice would be welcome.
A: I think this is the training video you are looking for: http://www.microsoftpdc.com/2009/SVC17
Q: What is the difference between Microsoft.IdentityModel and System.IdentityModel?
A: WIF builds upon System.IdentityModel. You typically use the Microsoft.* classes like Claim and ClaimTypes etc.
I know this is sometimes confusing - but whenever you have a choice between System.* and Microsoft.* - choose Microsoft.* View article ...
Volume 4
How do I configure a WIF relying party application using a configuration file?
See - http://msdn.microsoft.com/en-us/library/gg607699.aspx