Channel: Claims based access platform (CBA), code-named Geneva forum

SAML integration


Hi MS team,


Two of my financial customers are looking to implement an application called papervision, which currently is
a client-server application installed on physical servers.

Their plan is to migrate this application to the cloud, and use ADFS and SAML to allow external customers to
access this application via SAML. The client has internal 2012 R2 ADFS servers, in a Windows 2008 R2 forest/domain level.

Here are my questions:

What are the general steps to make this application available in the cloud with users accessing it via SAML? Please consider the fact that my client has already deployed ADFS 3.0 and allows integration with other cloud applications.

What would be the remaining steps? Perhaps create a relying party trust? Keep in mind my client would be the service provider hosting the application, and the banks are the service providers. Please include steps on both sides of the equation.

What are encrypted assertions?

How can this application be implemented using two-factor authentication?

What is IDP-initiated [Profile binding: IDP Initiated SSO] or SP-initiated SSO?


Franki


"No registered protocol handlers" error following installation of ADFS 3.0 on Server 2012 R2


I am trying to install ADFS 3.0 on a Server 2012 R2 VM that I've created from the Server 2012 R2 Datacenter VM template on Azure. The server has no other roles on it (and no IIS, because ADFS 3.0 does not use IIS), but has ASP.NET 4.5 and .NET 4.5 installed. It is fully Windows Updated, including the latest 2012 R2 Update that was just released. It is joined to a Server 2012 R2 DC (also an Azure VM running 2012 R2). I've created a self-signed SSL certificate via the domain controller called adfs.azure.xxx.net and installed the root CA and the certificate on the server. I have followed the instructions at http://goodworkaround.com/node/53.

Following successful installation and configuration (using the wizard) of the ADFS role, I can go to the page https://adfs.azure.xxx.net/federationmetadata/2007-06/federationmetadata.xml and that works fine; it brings back a load of XML.

However, when I test the sign-in page at https://adfs.azure.xxx.net/adfs/ls/ldpinitiatedsignon.aspx on the server, a web page comes up with the message "An error occurred. Contact your administrator for more information." The ADFS Admin log reports the following error:

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 

Relying Party: 
 
Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ldpinitiatedsignon.aspx to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I have searched all over for this error ('no registered protocol handlers') but cannot find any mention of it anywhere. I've tried this a number of times by creating a new Azure VM server and installing the role after joining the server to the domain, but no success.

I am completely stumped. Can anyone offer any advice?

AD FS 2.0 Certificates Question


Inside AD FS 2.0, Service\Certificates has 3 sections: Service Communications, Token-decrypting and Token-signing. For the Token-signing and Token-decrypting certificates, when I view the certificate I see this message:

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

Is this normal? To correct this, do I click Install Certificate, or do I have to import my ADFS cert into my CA first?

Relying Party Trust setup


Guys,

I need to configure ADFS running on Server 2012 R2 to work with a company called Hollaroo. Below are the only setup notes I have on how to configure SSO to work with them. They have no notes at all on how to get this working with MS ADFS, so I am a little stuck. I have other Relying Party Trusts working just fine.

I do have the info for SsoClientId, SsoPassword and SsoTimeOut.

Based on their notes what is the best way to get this working in ADFS?

Hollaroo SSO Standard Setup

The Hollaroo system supports user authentication via a 3rd-party system (SSO). The typical use case is for the user to authenticate themselves on a client intranet and then access Hollaroo via a link from the intranet. Clicking the link triggers the generation of an encoded string which is then used by the Hollaroo system to identify and authenticate the user so they can be logged in without entering any other credentials.

This document details the steps required by Hollaroo and the client to enable SSO.

Hollaroo SSO Setup Parameters

These need to be configured in Hollaroo and then shared with the client. The timeout parameter needs to be agreed.

  • SsoClientId -- ANY string that will be shared with the customer (e.g. YourCompany)
  • SsoPassword -- ANY string that will be shared with the customer (e.g. secretStringThatIsTough2Guess)
  • SsoTimeOut -- number of minutes the client's SSO link is valid, suggested value: 60 (1 hour) - 1440 (1 day)

SSO String Generation (Client Side)

When the authenticated user clicks the link to access Hollaroo from a client site, the client technology needs to generate the authentication string and send that to Hollaroo. There are three steps: generating an XML string with candidate credentials, encoding it using the SSO parameters previously shared, and then sending it to Hollaroo.

XML Generation

An XML string needs to be generated containing the following information:

  • Date Created - this will be compared against the "SSOTimeOut" in setup
  • ClientId - this MUST MATCH the ClientId in setup
  • Email Address - this is the email address of the user to be authenticated via SSO

The following format should be used. Note: line breaks are for ease of reading only; they are not required in the actual document.

<?xml version="1.0" encoding="UTF-8"?>
<SSO-Token userId="not used" utcdatetime="Date-Created">
  <ExtensionElements>
    <Element name="clientid" type="string">ClientId-From-Setup</Element>
    <Element name="email" type="string">EmailAddress-of-User</Element>
  </ExtensionElements>
</SSO-Token>

String Encoding

The SSO-XML is encoded using SHA256 encryption with the SsoPassword from the setup as the encryption password. The sample code at the end of this document can be used for this purpose.

Sending String to Hollaroo

 

The resulting string is used as the value of the "sso" parameter in the redirect string: CLIENTURL/sso?sso=ENCODEDSTRING. For example, in our test system, http://tn.hollaroo.com, the URL would look like:

http://tn.hollaroo.com/sso?sso=ZtnKipQnYZWMxpuwNFkB/bcmTAshjFSi1PaGeHg+w2ZxO8iZbku7rRXdQ5S8WbkgGQGtwQE9ym/j4lSn7NaBQyC76hgDDZBqeFoqvnlIKGWnsCN412M5vre4Gh5FzXAZPr+Td6e8ZFNsW4KSHA2564Oi+Vkay2Y5TzctYU+ZOCwtRl3dQRLVKJfs2lTHSVfMJS9GTMZxEGP/5xv4fm1Sp8lBv5A56v7Ef9RyLDne2j0s+WJus/S+Nd2Snxj/uu6Y8kbMLB7HRzdRLO6S+ex10gMc0Ne3529owd1QsB41ZPAZMF9w7O2m3G/m4xbY2RVVQ2kzzCLaPzcQQVfuDZI6oaM6HerbINggM61cHB9sdZSHKo1w1m+lNMyWZyazW1LgV4kzxtNwm/FjAi8jT4/OEuk4g==

The Hollaroo system decrypts the sso string, checks that the timestamp is within limits and then logs in the user with the matching email address.

Sample Code

The following code is an example of how to generate the encoded string. The "strKey" parameter is the SsoPassword from the setup.

using System;
using System.Security.Cryptography;
using System.Text;

namespace SSOEncoding
{
    public class AesEncryptor
    {
        // The AES key is the SHA-256 hash of the shared SsoPassword; the first
        // 16 bytes of the same hash are set as the IV (not used in ECB mode).
        // Zero padding means nothing is added when the input already fills whole blocks.
        private static AesCryptoServiceProvider CreateCipher(string strKey)
        {
            var objAesCrypto = new AesCryptoServiceProvider();
            using (var objHashSHA256 = new SHA256CryptoServiceProvider())
            {
                var byteHash = objHashSHA256.ComputeHash(Encoding.ASCII.GetBytes(strKey));
                var iv = new byte[16];
                Buffer.BlockCopy(byteHash, 0, iv, 0, 16);
                objAesCrypto.Key = byteHash;
                objAesCrypto.IV = iv;
            }
            objAesCrypto.Mode = CipherMode.ECB; //CBC, CFB
            objAesCrypto.Padding = PaddingMode.Zeros;
            return objAesCrypto;
        }

        // Encrypts the SSO XML and returns it Base64-encoded for the sso= parameter.
        // Errors propagate to the caller instead of being swallowed.
        public static string Encrypt(string strToEncrypt, string strKey)
        {
            using (var objAesCrypto = CreateCipher(strKey))
            using (var encryptor = objAesCrypto.CreateEncryptor())
            {
                byte[] byteBuff = Encoding.ASCII.GetBytes(strToEncrypt);
                return Convert.ToBase64String(encryptor.TransformFinalBlock(byteBuff, 0, byteBuff.Length));
            }
        }

        // Reverses Encrypt. Zero padding is not stripped by the decryptor, so the
        // returned string may end in '\0' characters.
        public static string Decrypt(string strEncrypted, string strKey)
        {
            using (var objAesCrypto = CreateCipher(strKey))
            using (var decryptor = objAesCrypto.CreateDecryptor())
            {
                var byteBuff = Convert.FromBase64String(strEncrypted);
                return Encoding.ASCII.GetString(decryptor.TransformFinalBlock(byteBuff, 0, byteBuff.Length));
            }
        }
    }
}
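The client-side procedure in the notes above (XML generation, encoding, redirect) together with the receiving-side check the notes only describe in prose, as an added Go example; it is not code from the Hollaroo notes or from the poster's ADFS setup. It reproduces what the C# sample does using only the standard library (AES-256 key = SHA-256 of SsoPassword, ECB mode, zero padding, Base64) and adds VerifyToken for the timestamp and clientid checks. The RFC 3339 timestamp format, the rejection of future-dated tokens and the sample e-mail address are assumptions; the password, client id and test URL are the ones the notes use as examples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// ssoToken mirrors the SSO-Token XML in the Hollaroo notes.
type ssoToken struct {
	XMLName     xml.Name     `xml:"SSO-Token"`
	UserID      string       `xml:"userId,attr"`
	UTCDateTime string       `xml:"utcdatetime,attr"`
	Elements    []ssoElement `xml:"ExtensionElements>Element"`
}
type ssoElement struct {
	Name  string `xml:"name,attr"`
	Type  string `xml:"type,attr"`
	Value string `xml:",chardata"`
}

// BuildTokenXML is the client document; RFC 3339 UTC dates are an assumption.
func BuildTokenXML(clientID, email string, created time.Time) (string, error) {
	tok := ssoToken{UserID: "not used", UTCDateTime: created.UTC().Format(time.RFC3339)}
	tok.Elements = []ssoElement{{"clientid", "string", clientID}, {"email", "string", email}}
	body, err := xml.Marshal(tok)
	return xml.Header + string(body), err
}

// ecb runs AES-256 on each 16-byte block independently (CipherMode.ECB in the
// sample) with key SHA-256(SsoPassword); ECB ignores the sample's IV.
func ecb(data []byte, password string, encrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of AES blocks")
	}
	key := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	op := block.Encrypt
	if !encrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out, nil
}

// Encrypt zero-pads to a block boundary (PaddingMode.Zeros), encrypts and Base64-encodes.
func Encrypt(plain, password string) (string, error) {
	buf := []byte(plain)
	if rem := len(buf) % aes.BlockSize; rem != 0 {
		buf = append(buf, make([]byte, aes.BlockSize-rem)...)
	}
	ct, err := ecb(buf, password, true)
	return base64.StdEncoding.EncodeToString(ct), err
}

// VerifyToken is the receiving side the notes describe: decrypt, check the timestamp
// against SsoTimeOut and the client id, return the email. Rejecting future-dated tokens is an assumption.
func VerifyToken(encoded, password, wantClientID string, timeout time.Duration, now time.Time) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := ecb(ct, password, false)
	if err != nil {
		return "", err
	}
	var tok ssoToken // trailing zero bytes are the padding
	if err := xml.Unmarshal(bytes.TrimRight(pt, "\x00"), &tok); err != nil {
		return "", errors.New("not a valid SSO-Token: " + err.Error())
	}
	created, err := time.Parse(time.RFC3339, tok.UTCDateTime)
	if err != nil {
		return "", errors.New("bad utcdatetime: " + err.Error())
	}
	if age := now.Sub(created); age < 0 || age > timeout {
		return "", errors.New("token outside the SsoTimeOut window")
	}
	fields := map[string]string{}
	for _, e := range tok.Elements {
		fields[e.Name] = e.Value
	}
	if fields["clientid"] != wantClientID || fields["email"] == "" {
		return "", errors.New("clientid does not match setup, or no email")
	}
	return fields["email"], nil
}

func main() {
	// Constructed sample values; the password and client id are the notes' own examples.
	doc, _ := BuildTokenXML("YourCompany", "alice@example.com", time.Now())
	enc, _ := Encrypt(doc, "secretStringThatIsTough2Guess")
	fmt.Println("http://tn.hollaroo.com/sso?sso=" + url.QueryEscape(enc)) // Base64 is not URL-safe
}
```

Two things the notes' own example URL glosses over: the Base64 value contains '+', '/' and '=' and must be query-escaped (a '+' left raw arrives as a space), and because ECB encrypts each 16-byte block independently and adds no integrity check, the timestamp and clientid comparisons in VerifyToken are the only validation the scheme offers, so a receiving implementation must apply all of them and reject on any failure.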

ADFS 3.0 - Latency


Are you aware of any Microsoft documentation that identifies recommended network latency limits for an ADFS 3.0 solution utilizing a WAP proxy? I see a lot of individuals referring to "low latency", but don't see any specifics. I am looking to design a solution that can automatically redirect WAP-initiated traffic to an ADFS server in a separate region (across the WAN) if the local ADFS server is unavailable. I assume that latency between WAP and ADFS can impact the users' logon experience.

As another question, I see that ADFS 2.0 had congestion control capabilities, but I don't see any references to this in the ADFS 3.0 configuration.  Do you have any suggestions on where I could find WAP configuration details that would identify configuration options available with WAP?


Is it possible to build a REST (JSON/JSONP) service to return whether a user has logged into ADFS or not?


Hi,

   I am working on a project to integrate different applications which are using ADFSv2 (SSO). My question is: is it possible to build a REST web service in ADFS which allows me to use an AJAX call to determine whether the user has logged in to ADFS or not? If yes, can anyone give a hint about how to do it at a high level (or what material should I read)?

   Thanks

Relying party trust has a red x

Some relying party trusts have a red x. What does that mean?

ADFS 3.0 Branding / Customization missing Illustration image

This is sort of an odd issue, but I'm really trying to resolve it before we "advertise" our ADFS 3.0-based SSO Portal to the company at large.

I'm attempting to customize our ADFS Portal page using the instructions available here:

https://technet.microsoft.com/en-us/library/dn280950.aspx

and in various other technet articles and blog postings. 

I originally began by customizing the 'Default' theme and adding corporate logo and illustration images. That worked great, and the illustration appeared on both the IdPinitiatedsignon.aspx 'landing' page as well as the sign-on and service provider selection pages. However, since we're logging in with specific domain credentials (rather than an e-mail formatted logon or an alternate administrative domain account), leadership would prefer that the username and password placeholder text make it clear that just our 'first.last' usernames are entered here. I found some articles detailing how to change the placeholder text, which requires using the onload.js JavaScript to modify the text, as well as adding a check to see if the DOMAIN\ has been entered and, if not, to automatically supply it upon sign-in. Since you can't modify the default theme beyond logo and illustration, I exported the default theme, created a custom theme and added the JavaScript call according to the TechNet article. I also modified a few other text fields, added a password reset link and removed the copyright text.

The problem now is that, when the user lands on the default IdPinitiatedsignon.aspx page, where the illustration would be is just a plain, blue background. When the user selects "Sign in to this site" or "Sign in to one of the following sites" and clicks 'Sign in', the sign-in page appears along with my custom illustration image. After the user signs in, they return to the service selection page (if they didn't choose to sign into a specific service) which, again, is missing the illustration.

I have used the developer tools to look at the two pages, and there is a missing class="illustrationClass" on the BrandingWrapper div element on pages where the image is missing. I edited the HTML inline, in the developer tool, which then loads the image correctly. It's not clear to me why it's not loading the image on this page, but it is on the sign-in page.

This is getting into truly alien territory for me given my lack of experience with modern HTML. I understand that, in ADFS 3.0, these pages are not static (as I think they may have been in ADFS 2.0) and are generated dynamically. I can't tell if the issue is in the CSS or in the custom onload.js, but since the default theme works and can't have its CSS modified or JavaScript support added, I'm suspicious that it's somewhere in those two files.

I'd appreciate any insight anyone might have on this issue,

Dirk


ADFS 2.0 Customize Sign Out Page


I am working on an application in which the authentication of users is accomplished through WIF, ADFS 2.0 and an external Identity Provider. ADFS 2.0, which in this case acts as an R-STS, has been configured to trust my application (RP) as well as an external IP (STS).

All is working fine except for the Sign Out functionality. I am using the following code to log the user off:

Dim url As String = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl("https://adfs.mywebapp.com/adfs/ls/", "https://www.mywebapp.com/default.aspx", Nothing)
WSFederationAuthenticationModule.FederatedSignOut(New Uri(url), New Uri("https://www.mywebapp.com/default.aspx"))

Through Fiddler, I do see that the user is successfully signed out of the RP, ADFS and the IP, but they are never returned to the specified return URL: https://www.mywebapp.com/default.aspx. Instead, they are eventually returned to the following page: https://www.mywebapp.com/adfs/ls/?wa=wsignout1.0. Is there a way to force ADFS to redirect users to the return URL? If that cannot be done, is it possible to customize the default ADFS Sign Out page?

Any help on this would be greatly appreciated.

 

Zen

ADFS installation - the Program Data error


Moving from the Office365 forums:

Greetings - just beginning a new ADFS build-out. The customer has an empty root, and all servers, users and service accounts are in child domains. I have a couple of questions:

We see the exact scenario described here, and I was only able to find 1-2 other mentions: http://blogs.perficient.com/microsoft/2011/08/insufficient-privileges-error-configuring-ad-fs-2-0-for-single-sign-on-with-office-365/ where the resolution is to manually create the containers in the child domain.

Understanding that the Program Data container is created by default once in the domain naming context, and therefore in the root: is this anything that would be considered a program bug and is being addressed by Microsoft in any way? Is the trigger that we are using service accounts from the child domain, or that the ADFS computer objects are in the child domain?

With installation failing, is ADFS supported when installed in a child domain? Have I missed a configuration step?

Additional info:

The account resides in the child domain, and is a member of domain admins and domain users.  I get the same result using an account with EA permissions but again, homed in the child domain.

The error is “You do not have sufficient privileges to create a container in Active Directory at location CN=<long UUID string>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=xxx,DC=yyy for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.”

The error calls out the child domain, where there is no Program Data or Microsoft container.  Those do exist in the root directory.

It really looks like the ADFS wizard is trying to create the ADFS container in a hard coded path that doesn't exist because we are trying to install in a child domain.

thank you,

jp

Claim Rules for ADFS publishing Workfolders when used with persistent SSO?


I have a fairly complete (working!) setup of the Workfolders feature here: Workfolders are published via Web Application Proxy through ADFS authentication. The devices are registered (workplace joined) in Azure AD, and device writeback to AD is activated.

Everything's working, but on the Android & iOS Workfolder clients it's necessary to enter your username(!) and password every few hours.

Now what I want to use is persistent SSO (PSSO - https://technet.microsoft.com/en-us/library/mt148493.aspx) for the registered Android & iOS Workfolder clients. PSSO is working flawlessly on other resources, e.g. myapps.microsoft.com or SharePoint Online, and gives 7 days free of entering passwords. I know that I had to add additional claim rules to get PSSO working for Office 365 (reference: https://support.microsoft.com/en-us/kb/2958298, "add two Claim rules...").

So I believe I need additional claim rules for the Workfolders RP trust, but I don't know if the Workfolders feature supports PSSO and, if so, what the correct claim rules are.

Regards,

Michael

Can I connect directly to the web application proxy?


If I have a web application proxy with the name (for example) adproxy1.somewhere.edu can I connect directly to the proxy and still get the ADFS sign-in page? For example:

https://adproxy1.somewhere.edu/adfs/ls/idpinitiatedsignon.htm

When I connect to my proxy server in this way I get a 404 error message and the following entry in the ADFS admin log:

Event ID 144

The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy.

If I do the same with one of my ADFS servers directly I get the login page and can sign in. I'm testing my ADFS WAP server and thought I should be able to do this.

Issuance Authorization Rules with SAML-based Relying Party


Hello,

Currently I am configuring a Relying Party in ADFS on Windows Server 2012 R2 that has to use Issuance Authorization Rules to control access to the Relying Party.

Normally (also in this environment), if you delete all authorization rules, access is denied by ADFS and it shows the "Access Denied" page. This works for all WS-Fed-based Relying Parties.

Unfortunately it does not work for this specific one, and the main difference is that I only configured SAML Assertion Consumer endpoints. In this case, when there is no permit claim issued in the authorization rules, it redirects the client to the relying party anyway, but without executing the remaining issuance transform rules, so the SAML token does not contain any assertions.

Is there a way to configure ADFS to show the Access Denied-Page in this case?

Thanks in advance,

Uwe


// Tried and true method for weather forecasting - random numbers. String weather = (new Random()).Next(2)==0?"rainy":"sunny";

ADFS - Unable configure the private key store


Hi All,

When running the below PowerShell command "Install-AdfsFarm –FederationServiceName…"

I get an error with the message "unable configure the private key store", but when I check the event logs I get this:

Could not bind to DN:'CN=261a13c4-cc8d-XXXX-9b61-74098f3a4174,CN=ADFS,CN=Microsoft,CN=Program Data,DC=XXX,DC=local'. Got exception:'System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.RefreshCache()
   at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
   at System.DirectoryServices.DirectoryEntry.get_NativeGuid()
   at System.DirectoryServices.DirectoryEntry.get_Guid()
   at Microsoft.IdentityServer.CertificateManagement.DkmFactory.CheckExistence(String distinguishedName, String& dcName)'. Concluding that the said DN does not exist.

Please give me suggestions to resolve this case.

ADFS 2.0 WIA for One RP


Can ADFS 2.0 be set up with the following scenario?  

RP 1: Internal users can use Windows Integrated Authentication and not have to enter credentials; external users get forms-based authentication as usual.

RP 2: All users need forms-based authentication and are required to enter credentials.

The reason for this is that we have a strict finance application where we want users to authenticate every time by entering credentials. We also have RPs on the same ADFS instance that are not strict and want to use Integrated Authentication.

Can different relying parties on the same ADFS instance use different forms of authentication?


Massive amount of error 342


My ADFS Admin event log is full of 342 errors. The details of the error say the username or password is incorrect, multiple times for the same users, but their accounts never lock out.

Everything is working without issue; what causes these errors?

TIA

  

AD FS and forms Authentication


We have an ASP.NET Web Forms (.NET 3.5) website application that uses forms authentication. The application has different customized authentication services which use different SSO methods (e.g. CAS) to validate users; those were implemented for different clients. Now the requirement is to implement an AD FS based authentication service without making core changes to the Forms Authentication configuration.

My questions:

  1. How to configure SAM in a .NET 3.5 website
  2. Instead of redirecting to the STS, is it possible to pass the user name and password from my login page to the AD FS proxy and get a SAML response?
  3. My intention is to read a custom attribute value (e.g. employee number) from the SAML response and proceed with the current authentication module. Is it possible?

This question is based on a discussion in AD FS and forms Authentication, any help will be greatly appreciated.


Sreekanth Mohan




Integration with RSA SecurID in the Extranet with ADFS 3.0


Hello,

I have a Windows 2012 R2 environment with ADFS 3.0 on the internal LAN, with a couple of claims-aware applications being published using Web Application Proxy in the DMZ to external users.

I need to apply multi-factor authentication using RSA SecurID for a certain group of users (they will be in a specific group) when they are accessing the application externally. With ADFS 3.0 you can apply MFA for certain groups when the user is coming from an extranet network location. Is it possible to apply MFA using RSA SecurID? I have seen documents for ADFS 2.0 and the ADFS proxy, but the installation for ADFS 3.0 has changed and no longer relies on IIS. Can you still integrate RSA SecurID with Web Application Proxy?

Thanks,

B

ADFS and Skype for Business online / Exchange online


Good morning,

I have installed an ADFS server and an ADFS proxy server (DMZ) for Office 365.

Under Local intranet sites I put the address of the ADFS server, adfs.test.com.

For my proxy settings in Internet Explorer I exclude the site adfs.test.com...

Now, if I go to the Office portal (portal.office.com) the ADFS server is working; I need no password for the portal. But if I try to connect with Skype for Business Online or Exchange Online, I need a password. What must I do? Does someone have a solution? Have I forgotten some settings?

Thanks

AD FS 3.0: Firefox and Chrome no Integrated Windows Authentication


I have a Windows Server 2012 R2 server with ADFS 3.0 in my environment.

My question is whether there is a way to use Firefox or Chrome with Integrated Windows Authentication. At the moment these browsers always use forms-based authentication.

With Internet Explorer all works fine.

I have already set the property "ExtendedProtectionTokenCheck" to NONE on the ADFS server, but this didn't solve the problem.
