Category Archives: SSO

owin webapi authorization server bearer provider

From http://stackoverflow.com/questions/19938947/web-api-2-owin-bearer-token-authentication-accesstokenformat-null These seem to be saving only in that they are a great example of how to roll your own stuff. [RoutePrefix("api")] public class AccountController : ApiController { public AccountController() {} // POST api/login [HttpPost] [Route("login")] public HttpResponseMessage Login(int … Continue reading

Posted in katana, OpenID, SSO

SSO portal pages, 20 years ago; IDP to azure to wordpress.com

A long time ago, we decided to re-implement something we called the agent desktop. It was to be a list of those SSO sites to which you might click … to go. Of course, being SSO sites the idea was … Continue reading

Posted in SSO

adding an office IDP to windows azure directories accepted by Windows Azure Portal

Windows Azure Portal is just a webapp. But it's also a webapp that comes with an Azure AD instance. And that instance can now, using a rather convoluted process, be a managing SSO entity – in charge of a "trust … Continue reading

Posted in SSO

cloud-identity app

Having used the STS wizard in the project template to create a working webapp (bound to an Azure AD instance that can administer trust graphs – or links to other IDP), we ran our webapp and tried to use its … Continue reading

Posted in SAML, SSO

RP sites cooperating with Azure AD (the “new ACS”)

Completing a web form project, using an organizational id (proxied to our STS by Office's Azure AD IDP-proxying element of service). Note the "common" IDP endpoint. Note the realm name (tuned to our verified domain). Note some clientid/pwd, for OAUTH … Continue reading

Posted in SSO

configure authentication in visual studio 2013

Step 1: use Visual Studio 2013 and make a web project. Its wizard can now construct web.config files (and supporting classes) suited to talking to "organizational" IDPs – including those that cooperate with others to offer … Continue reading

Posted in SSO

saml 2 jwt

From Thinktecture.IdentityServer:

Posted in SSO

swapping SAML for SWT (using ACS)

We minted a SAML assertion using our local STS. And then we sent it, per the instructions of others, to ACS. Before that we had imported the metadata of our STS into ACS and assigned this new issuer to a … Continue reading

Posted in SSO

distinguishing a claims transformation from claims “augmentation”

http://blogs.msdn.com/b/besidethepoint/archive/2012/05/10/ws-federation-authentication-module-wsfam-and-sharepoint-extensions.aspx

Posted in SSO

powershell wrapper for wstrust testing

http://blogs.msdn.com/b/besidethepoint/archive/2012/10/17/request-adfs-security-token-with-powershell.aspx

Posted in SSO

Convert SAML token to SWT token using ACS – Manu Cohen-Yashar’s Blog

http://blogs.microsoft.co.il/blogs/applisec/archive/2011/11/16/convert-saml-token-to-swt-token-using-acs.aspx

Posted in SAML, SSO

making an Actor field in a WIF-minted assertion

Using the code from my safari-licensed copy of the WIF book. What we have not seen is any sample of an RP that really showcases use of the Actor field – recalling that the identity therein is that of the … Continue reading

Posted in SSO

Injecting a non-ephemeral RSA proof key into a client proxy

We have succeeded in having our custom STS mint an unencrypted assertion bearing an RSA proof key. And we were able to create a simple service with metadata that induced a client proxy to talk to this STS, having … Continue reading

Posted in SSO

building a cert-based sample

Let's build this project, using our standard environment of Visual Studio 2012, IIS Express (with certs), on Windows Server 2012. Let's see what we have to do to this older project to get it to do what it was supposed … Continue reading

Posted in SSO

custom STS issuing proofs of asymmetric keys for ephemeral keypairs, used in a WCF request with (header) proof service

After a few more fiddles, we made our WCF client (built by creating a service reference) use a custom binding to talk to our custom STS and get in return an unencrypted SAML assertion with an asymmetric proof key. This is … Continue reading

Posted in SSO

acs metadata vs custom sts metadata for asymmetric keying

The code for the STS at https://yorkporc.wordpress.com/2013/08/13/making-an-sts-that-responds-to-asymmetric-keying-signed-requests/ exposes metadata for the endpoint to which asymmetric keying RSTRs are sent as Note that svcutil cannot generate a configuration for a custombinding matching this policy assertion (it requires code), even though the … Continue reading

Posted in SSO

making an STS that responds to asymmetric keying (signed) requests

We built on earlier work that issues the following signed request to an STS (for an asymmetric key). Previously, we had issued this to the ACS STS, which duly returns an RSTR within which was a SAML assertion whose confirmation … Continue reading

Posted in SSO | 1 Comment

early dispatch extension point for STS

Subclass the contract, which allows one to see inside the dispatcher (before security tokens are evaluated) but after basic SOAP decoding has occurred. Now would be the time to construct a different service configuration to address the addressed tenant, … Continue reading

Posted in SSO

memory aids


Building an OAUTH-guarded resource, for data-centric APIs.

http://msdn.microsoft.com/en-us/library/gg193416.aspx I'm guessing that this is tuned up for SWTs, not JWTs, though.

Posted in oauth, SSO

Extending OAuth so as to get both a SAML token and a JWT–suiting a VAR–or a vendor whose components must talk to office365 API world and webapi services

I realized how to extend the OAuth protocol, logically, when one's implementation wraps the OAuth endpoints of such as ACSv2 or ADFS v3 in Windows Server 2012 R2. Unfortunately, it doesn't work (as specified below), since the ACS OAUTH endpoint only … Continue reading

Posted in oauth, office365, SSO

add cert to metadata wsdl, per endpoint

Posted in SSO

mapping oauth onto ws-trust ActAs

I read the above, or similar text, many times. But I never "really" got it, till now. To figure it out, it's easiest to compare with OAUTH flows. In the world of iPhone apps, the vendor continues to own the app … Continue reading

Posted in SSO

subtle interworking issues…imposed by ACS

Comparing ACS working and ACS non-working messages, we can make it work when we get the SOAP and addressing version right (for wstrust13). So, when talking to ACS, note the messaging version requirements. Now that we FINALLY understand how … Continue reading

Posted in SSO

requesting an asymmetric proof key from ACS

Using only WIF libraries for RSTs and ChannelFactories, endorsing signatures for the binding, custom securitytoken manager from the WCF samples SAMLtoken project (as modified to create RSASecurityTokens from the private key associated with an X.509Certificate2 when so required), we have … Continue reading

Posted in SSO

WCF sample of asymmetric proof keys

Ignoring RSTs that are self-signed and induce creation of issuer-signed assertions bearing RSA public keys as proof-tokens (typically wrapped for access only by an intended recipient), we see the output of a WCF sample project: Notice that the confirmation field … Continue reading

Posted in SSO

tlsnego handshake leading to session names

Remembering that within ws-trust handshakes of RSTs and RSTR (and RSTR and RSTR) shared BETWEEN THE PEERS we expect to see the components of the SSL handshake, we can document what actually happens for a very obvious setup: we see … Continue reading

Posted in ssl, SSO

idp-initiated websso and the WIF pipeline. Using it for multi-tenant webapps supported by a multi-tenant IDP

Assume the FAM has fired SessionSecurityTokenCreated with the result that a user is now viewing the protected resources. Should one invoke idp-initiated websso to session, such that a new bearer token is delivered … alongside the SAM cookie, will only … Continue reading

Posted in SSO

Exchange ws-security (x509 signing style)

Finally, we see the flags in use, for wssecuritycredential-based credentials offered by the Exchange Managed API. Looking at the trace, we see a message-level signature (over the headers). That is, we have proof service based on assertion of the "cert" tokentype … Continue reading

Posted in SSO

SDK client issuing signed/proven requests to CRM web services

Using the "simplified connection" feature of the quickstart sample from the SDK, we get a first decent demo of proof tokens being applied. Note that the keytype (of symmetric) is implicitly requested (being already set via the metadata configuration setup, … Continue reading

Posted in SSO