Channel: Claims based access platform (CBA), code-named Geneva forum

using ws-trust endpoints from iOS

Let me put you into the context of a task. We're working in an iOS/Mac environment using pure C/C++/Objective-C code, without any additional libraries. Recently we've been tasked with imitating WCF ADFS web requests.

Our task is simple: use a two-step process to obtain a token for Web services usage. Two steps are required for federation. Our first step is obtaining a token from a usernamemixed endpoint on one ADFS 2.0 server, and the second is taking that token to an issuedtokenmixedsymmetricbasic256 endpoint on the second ADFS 2.0 server to retrieve the converted token. We snooped on the SSL traffic that comes from a working WCF sample and right now we're trying to imitate it, but we have several, probably simple, questions.

They are as follows:

1. The first request is a simple usernamemixed call, without any signatures, hashes, etc. We set all fields like in the WCF request and receive a correct reply.

In reply we receive such a blob:

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </e:EncryptionMethod>
        <KeyInfo>
          <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=ADFS Encryption - test.contoso2.com</ds:X509IssuerName>
              <ds:X509SerialNumber>65021098975359647747588300292680011971</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue> .... </e:CipherValue>
        </e:CipherData>
      </e:EncryptedKey>
    </KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue> ....

What's this blob? Is it SAMLv2 XML encrypted with an AES256 key? Can we decrypt this blob? And more importantly, should we do this? If we are to decrypt it, what key should we use?

2. Another section

<trust:RequestedProofToken>
  <trust:BinarySecret>4807Tm7b5pV+yuDJrE/VxlQMF5qEZ9ofXiaW192eVWM=</trust:BinarySecret>
</trust:RequestedProofToken>

What's this? We've checked quite a number of specs including Microsoft ones and this is supposed to be a session key. But for what?

3. <trust:RequestedAttachedReference>
     <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
       <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_c3161df2-c407-467f-a38a-a9e0f4c40329</KeyIdentifier>
     </SecurityTokenReference>
   </trust:RequestedAttachedReference>

What is _c3161df2-c407-467f-a38a-a9e0f4c40329? Is it something inside the SAML XML? This ID is only mentioned in trust:RequestedAttachedReference/RequestedUnattachedReference, never in other places.

Now we need to create the second request (symmetricbasic256). Thanks to the Microsoft lightweight web protocol spec we know that we need to put a Timestamp into it and sign it.

Here's the blob from the WCF request:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <Reference URI="#_0">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>PrL4HWUJyslYSkLlnfVywRtGkY8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>r/77++h17Gls9C048czu4y0A4fs=</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_c3161df2-c407-467f-a38a-a9e0f4c40329</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

We know how to calculate digests and how to canonicalize XML, but we don't understand what the key for the HMAC-SHA1 function should be. We see the KeyIdentifier, but where is this key?
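As an added example (not part of the post above and not WCF's code), the signing step of the second request in Python: in WS-Trust the BinarySecret returned in RequestedProofToken is the symmetric proof key, and the hmac-sha1 SignatureValue is the HMAC over the canonicalized SignedInfo keyed with that proof key, while the KeyIdentifier only carries the assertion ID so the relying party can look the key up from the encrypted assertion. The Timestamp and SignedInfo strings are constructed samples assumed to be already in exclusive-C14N form; only the BinarySecret value is taken from the captured reply.

```python
import base64
import hashlib
import hmac

# Value taken from the RequestedProofToken in the post: base64 of a 256-bit
# symmetric key, which is what the "Basic256" in the endpoint name implies.
PROOF_KEY_B64 = "4807Tm7b5pV+yuDJrE/VxlQMF5qEZ9ofXiaW192eVWM="

# Constructed sample: the canonical form of the wsu:Timestamp that the
# Reference URI="#_0" points at. Exclusive C14N itself is not implemented
# here; these strings are assumed to be already canonicalized.
TIMESTAMP_C14N = (
    '<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">'
    '<u:Created>2013-04-01T10:00:00.000Z</u:Created>'
    '<u:Expires>2013-04-01T10:05:00.000Z</u:Expires></u:Timestamp>'
)


def decode_proof_key(b64: str) -> bytes:
    """Decode the BinarySecret and check it really is a 32-byte (256-bit) key."""
    key = base64.b64decode(b64)
    if len(key) != 32:
        raise ValueError(f"expected 32-byte proof key, got {len(key)}")
    return key


def digest_value(canonical_element: str) -> str:
    """DigestValue of a <Reference>: SHA-1 over the canonicalized referenced element."""
    return base64.b64encode(hashlib.sha1(canonical_element.encode()).digest()).decode()


def build_signed_info_c14n(ref_digest: str) -> str:
    """Canonical <SignedInfo> mirroring the captured WCF request (constructed)."""
    return (
        '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
        '</CanonicalizationMethod>'
        '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
        '</SignatureMethod><Reference URI="#_0"><Transforms>'
        '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>'
        '</Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">'
        f'</DigestMethod><DigestValue>{ref_digest}</DigestValue></Reference></SignedInfo>'
    )


def signature_value(key: bytes, canonical_signed_info: str) -> str:
    """SignatureValue for hmac-sha1: HMAC over canonical SignedInfo, keyed with
    the proof key. The key itself never appears in the message."""
    mac = hmac.new(key, canonical_signed_info.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_signature(key: bytes, canonical_signed_info: str, sig_b64: str) -> bool:
    """Receiver-side check; constant-time comparison of the two MACs."""
    expected = hmac.new(key, canonical_signed_info.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig_b64))


def sign_request() -> tuple[str, str]:
    """Return (canonical SignedInfo, base64 SignatureValue) for the sample Timestamp."""
    key = decode_proof_key(PROOF_KEY_B64)
    signed_info = build_signed_info_c14n(digest_value(TIMESTAMP_C14N))
    return signed_info, signature_value(key, signed_info)
```

If the STS also returned a wsc:DerivedKeyToken the MAC key would be derived from the proof key first; the captured signature references the SAML token directly, so the proof key is used as-is here.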


ADFS and SSL Certificates?

Hi,

My environment is pretty small and I can't afford a dedicated AD FS server, so I want to run it on the server that acts as AD, and it's an SBS 2008 R2.

Well, my question is pretty basic: AD FS needs an SSL certificate, but must it be on the "Default Web Site"? Because if I use it on the default site I can't put anything else under "Default Web Site" that needs a certificate. But I don't know if that's any problem and whether I will need other sites under "Default Site". There are some other things under the default site like CertEnrol and CertSrv.

Can I just make ADFS its own site? Or is it possible to use a cert just for that application under "Default Web Site"?

And according to the new documentation it's OK to run ADFS on a DC.

Kind Regards,

Noiden

WIF events binding in Global.asax

Hi,

I'm trying to attach to some WIF events, specifically to WSFederationAuthenticationModule.SessionSecurityTokenCreated and SessionAuthenticationModule.SessionSecurityTokenReceived.

(Using ASP.NET 4.5, VS2012 on Win8)

Based on the documentation, it should be possible to attach the handler in Global.asax in the Application_Start method. I did so, but the handler was never fired. After all, I figured out that the only way to add a handler to WSFederationAuthenticationModule.SessionSecurityTokenCreated that actually gets triggered is to create a method named WSFederationAuthenticationModule_SessionSecurityTokenCreated in Global.asax for auto-wiring the event. But I'm totally confused. Why is the event handler attached like this:

FederatedAuthentication.WSFederationAuthenticationModule.SessionSecurityTokenCreated += new EventHandler<SessionSecurityTokenCreatedEventArgs>(handler);

silently ignored, despite the documentation? Should I attach the event handler in another place than Application_Start?


eXavier

Authn statement from sts, with subject field

http://yorkporc.files.wordpress.com/2013/04/image29.png shows the STS output, with a subject in the authn statement. Using the WIF SDK and Visual Studio 2010, what does one do to the STS project (built from the template) to add the subject to the authn statement? Assume that I've added the auth instant and authn method claims already, in the get output claims callback.

ADFS for Federating with multiple AD Forests

Hi,

I have a requirement where we have one administrative AD Forest where all the Admin Accounts reside, and we have multiple customer AD Forests which need to be managed using the Admin Accounts from the Administrative Forest. The administrative tasks in the customer AD Forests would include creation of users and groups, assigning, modifying customer AD, etc. I know we can easily achieve this by establishing an external forest trust between the Customer AD Forest and the Administrative AD Forest; however, we have security restrictions on establishing a trust.

I would like to know if we can use ADFS in this scenario to achieve secure single sign-on into all the customer AD Forests and perform AD administrative tasks. If yes, are MMC, RDP and the AD Management Tools SAML aware? If not, how can we address this situation?

Thanks

How to Register a custom SecurityTokenHandler with Code

Hi,

I've created a custom CustomUserNameSecurityTokenHandler and registered it within the configuration file this way:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
      <add type="MiniSTS.CustomUserNameSecurityTokenHandler, MiniSTS"/>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

This works fine, but now I'm wondering how to do this using code. I've tried it with the following code, but it hasn't worked.

var host = CreateServiceHost();

var cred = new ServiceCredentials();
cred.UseIdentityConfiguration = true;
var idConfig = cred.IdentityConfiguration;

idConfig.SecurityTokenHandlers.Remove(idConfig.SecurityTokenHandlers.OfType<WindowsUserNameSecurityTokenHandler>().First());
idConfig.SecurityTokenHandlers.AddOrReplace(new CustomUserNameSecurityTokenHandler());

host.Description.Behaviors.Add(cred);
host.Open();

Console.WriteLine("gestartet");
Console.ReadLine();

What's the problem here?

Wishes,

Manfred

How to Register a custom SecurityTokenHandler with Code

Hi,

I've created a custom CustomUserNameSecurityTokenHandler and registered it within the configuration file this way:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
      <add type="MiniSTS.CustomUserNameSecurityTokenHandler, MiniSTS"/>
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

This works fine, but now I'm wondering how to do this using code. I've tried it with the following code, but it hasn't worked.

using (var host = new WSTrustServiceHost(new CustomSecurityTokenServiceConfiguration(issuerName, signingCertificateName, typeof(CustomSecurityTokenService)), new Uri("http://localhost:21000/FlugService_STS/Service.svc")))
{
    var cred = new ServiceCredentials();
    cred.UseIdentityConfiguration = true;

    var idConfig = cred.IdentityConfiguration;
    idConfig.SecurityTokenHandlers.Remove(idConfig.SecurityTokenHandlers.OfType<WindowsUserNameSecurityTokenHandler>().First());
    idConfig.SecurityTokenHandlers.AddOrReplace(new CustomUserNameSecurityTokenHandler());

    cred.ServiceCertificate.Certificate = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=STSTestCert");
    var debug = host.Description.Behaviors.OfType<ServiceDebugBehavior>().First();
    debug.IncludeExceptionDetailInFaults = true;

    var metadata = host.Description.Behaviors.OfType<ServiceMetadataBehavior>().First();
    metadata.HttpGetEnabled = true;

    host.Description.Behaviors.Add(cred);

    var binding = new WS2007HttpBinding();
    var mexBinding = MetadataExchangeBindings.CreateMexHttpBinding();

    var ep = host.AddServiceEndpoint(typeof(System.ServiceModel.Security.IWSTrust13SyncContract), binding, "IWSTrust13_UserName");

    var serviceAuth = host.Description.Behaviors.OfType<ServiceAuthorizationBehavior>().First();
    serviceAuth.PrincipalPermissionMode = PrincipalPermissionMode.Always;

    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

    host.Open();

    Console.WriteLine("started");
    Console.ReadLine();
}

What's the problem here?

Wishes,

Manfred


What components need to be installed to do ADFS 2.0 with a client?

We have a web based application running on a windows 2008r2 box and do most user auth through asp.net membership.  We have a new client that wants us to authenticate their users (separate web app) to their domain using ADFS 2.0 and SAML.

I'm really confused about what I need to install on our servers to support this.  We need to be able to take what the user types in for username and password and send to their domain for acceptance.

Can someone point me to the right thing(s) to install?


Scott


ADFS Proxy 2.0 - HTTP Error 401.1, only with Integrated Auth, Forms works.

I've noticed that ADFS Proxy 2.0 is installed by default using forms based auth.

I tried to set it to integrated auth, and in Outlook when you click on the app that uses ADFS 2.0 it loads this --

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

Forms based auth works, it just makes you type in domain\username and password. You can save the credentials, so it's no big deal. I just find it interesting that from my research I noticed Microsoft has it listed as needing forms based auth with Office 365.

Integrated auth works fine and as expected internally; it's only needing forms auth via the proxy externally.

That tells me the internal ADFS is set up correctly, or this issue would be the same internally as it is externally.

WIF 3.51 / ASP.NET 2.0 support?

Will WIF 3.51 work with an ASP.NET 2.0 application? One of our vendors' web apps is written in ASP.NET 2.0 and we were hoping to integrate it with WIF 3.51.

SP-initiated sign-on with SAML 2.0 AuthnContextClassRef and ForceAuthn=True

Hi,

I'm doing an SP-initiated sign-on from a SAML web application to an AD FS 2.0 IdP and specifying an authentication context class URI of urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

Logging on to AD FS via the proxy works fine.

Authentication Handler Overview
http://msdn.microsoft.com/en-us/library/ee895365.aspx

I've used the above document as a reference. On the farm side, the Forms handler is listed in my local authentication types within the web.config. Because no comparison attribute is specified in the request, according to the SAML specs this defaults to Exact. Equally, if ForceAuthn=True is set, existing session cookies are ignored, and provided an authentication context class reference is specified, AD FS will serve up the appropriate authentication handler. Given that the URI specified is password, I would expect to see the forms sign-in page; however, it's ignoring the authentication context class and defaulting to the integrated handler (urn:federation:authentication:windows).

Am I missing something here, as the documentation suggests that this is possible? I've done SAML traces and the authentication context class reference is being passed correctly from the SP. As expected, if a user does integrated auth then they're denied at the SP because the class reference doesn't match. I understand that in IdP-initiated sign-on scenarios some customization is required, but in SP-initiated scenarios I would expect this to work. I could always pass the appropriate desired context back via a custom claims rule, but I want to force forms logon, i.e. break SSO for this particular SP.

Regards,
Mylo
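As an added example (not from the post above and not any SAML library's code), the SP side of the exchange the post describes, using only the Python standard library: the AuthnRequest carries ForceAuthn and a RequestedAuthnContext with no Comparison attribute, so the SAML default of exact applies, and the SP-side check refuses a Response whose AuthnStatement reports a different class, which is the denial the post observes with urn:federation:authentication:windows. The request builder, the minimal sample Response and the entity ID are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Class URIs from the post: the one the SP requests and the one AD FS returned.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
WINDOWS = "urn:federation:authentication:windows"


def build_authn_request(request_id: str, sp_entity_id: str, class_ref: str,
                        force_authn: bool) -> str:
    """Constructed AuthnRequest with ForceAuthn and a RequestedAuthnContext.
    Comparison is deliberately omitted, so the SAML default of 'exact' applies."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": "2013-04-01T10:00:00Z",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(root, encoding="unicode")


def requested_context(authn_request_xml: str) -> tuple[str, list[str], bool]:
    """Return (comparison, requested class refs, force_authn) as an IdP reads them."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    comparison = rac.get("Comparison", "exact")  # SAML core default
    refs = [e.text for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs, root.get("ForceAuthn", "false") == "true"


def sample_response(class_ref: str) -> str:
    """Constructed minimal Response whose AuthnStatement reports class_ref."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:AuthnStatement AuthnInstant="2013-04-01T10:00:05Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
    )


def returned_class(response_xml: str) -> str:
    """The class the IdP actually authenticated with (empty if none reported)."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return node.text if node is not None else ""


def sp_accepts(authn_request_xml: str, response_xml: str) -> bool:
    """Exact comparison: the returned class must be one of those requested.
    An IdP that ignores the request and falls back to Windows auth is refused."""
    comparison, refs, _ = requested_context(authn_request_xml)
    if comparison != "exact":
        raise NotImplementedError("minimum/maximum/better comparison not modelled")
    return returned_class(response_xml) in refs
```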

ADFS 2.0 + not able to login with the page IdpInitiatedSignOn.aspx

Hi,

I have installed ADFS 2.0 on Windows Server 2008 R2...

After installation, to verify the installation, I have done the following:

  1. Open IIS
  2. Open the ADFS/ls application
  3. Clicked on Content view
  4. Browse IdpInitiatedSignOn.aspx page

It has opened a page, but on click of the sign-in button, it is not opening the next page..

It gives the attached page after passing the credentials.

Can you please help with this?

Geneva's knock on effects on Active Directory

Hi Everyone,

I'm just looking into AD FS 2.0 and am looking to install it at work. One of the IT guys is worried about how installing Geneva will affect the Active Directory server. Does Geneva change anything in AD? Are there any knock-on effects on AD? Have any of you experienced any problems with AD after installing Geneva?

Thanks.

Mick

ADFS SSO with Office365

Hi,

I have successfully done the SSO for Office 365 using ADFS and it works fine. But when users try to access OWA (Office 365) directly instead of the Office 365 portal, SSO doesn't work. So for that I need to add some metadata and a relying party trust relation for it. Please help me if there is any script for that. I got a PowerShell script for the Office 365 metadata update, but I need one for OWA, which we use in Office 365.

Regards,

Sridhar R

Sharing ADFS Relying Party with a Development Team

I can't seem to find an answer on this matter.

Here is the situation.

A Development Team wants to develop an application. This means source controlling code including web.config.

Normally every developer works in his own environment and that means different host names.

Based on the WS-Federation protocol you should be able to set up one relying party on ADFS with multiple identifiers reflecting the variety of host names in the Development Team. Then when WIF redirects to ADFS, it could use the wreply parameter to instruct ADFS to redirect to the developer's environment.

But it seems ADFS doesn't respect this parameter and you are always redirected to the endpoint defined in the Endpoints list configured in the Relying Party configuration. But there you can only specify one WS-Federation configuration endpoint.

The only available solution is to create different Relying Parties per developer. But this is hard to maintain and synchronize. Our scenario is even more complex because we have a backend WCF service with identity delegation.

Is there a workaround for this in WIF? Maybe I'm missing something really obvious.


Token timeout issue when using Silverlight with ADFS passive federation

I am using passive federated authentication with Silverlight, WIF and ADFS. I followed the Training Toolkit example http://msdn.microsoft.com/en-us/identitytrainingcourse_silverligthandidentity2010_topic2

Everything works fine. Claims come back, the user is authenticated, etc. It is working absolutely fine with RIA services.

The problem comes after using the application for 1 hour. The token seems to become invalid and all subsequent calls from the Silverlight client to the domain service fail.

I have checked the ADFS settings, they are all defaults.

  • Get-ADFSRelyingPartyTrusts shows that TokenLifetime = 0
  • Get-ADFSProperties shows that SsoLifetime = 480 (which I assume is 8 hours).

I am using the assemblies included with the training kit: SL.IdentityModel & SL.IdentityModel.Server.

Online I have seen people making references to setting freshness values; however, this doesn't seem to apply, as everything is auto set up by the SL.IdentityModel.Server services.

Switching ADFS 2.0 from Network Service to Domain Service Account

I have configured a development instance for ADFS 2.0 using the default installation parameters with the Windows Internal Database.  The system configured all the components to run under the local Network Service.  I wanted to switch that configuration to run under a domain service account.

So far the steps:

  1. Updated the ADFS 2.0 Service account identity
  2. Updated the ADFSAppPool account identity within IIS
  3. Granted permissions on the certificate private keys to the service account
  4. Created a SQL login for the domain account and granted (what I think) are the required SQL permissions
  5. Set the required SPNs on the service account

The service starts up under the domain account and all looks well until I try the URL for the federation metadata.  Then I get the following error message:

The Federation Service was unable to create the federation metadata document as a result of an error.

Document Path: /federationmetadata/2007-06/federationmetadata.xml

Additional Data

Exception details:

Microsoft.IdentityServer.PolicyModel.Client.StorageAuthorizationException: ADMIN0120: The client is not authorized to access the endpoint net.tcp://localhost:1500/policy. The client process must be run with elevated administrative privileges.

   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter,  ....

If I put the service account into the local administrators group on the server, then the metadata comes back correctly. I'm sure it is a permissions issue, but I am unsure where to add the additional permission for this account.

Any ideas?

Web service security and ADFS 2.0

Hi,

We want to secure our external web services. Should I use ADFS? Is there another Microsoft tool that I should use?

The client application will pass a pass code and domain user name/password to the web service to identify itself.

Should we add the security implementation in the web service using WIF?

Thanks

Claim rule search to AD fails

Hi,

I have an interesting situation where searches towards AD within a claim rule either works or doesn't work, depending on which IdP the user is authenticated against.

I have a sample app from the WIF SDK that shows me the contents of claims (called claimapp). I've created a custom claim rule for that relying party trust that performs a search against AD. On the ADFS server I have a claims provider trust which is an OpenAM SSO server.

If I access the claimapp with the web browser I get the ADFS web page asking me which IdP I want to use, the SSO server or AD. If I authenticate against AD, the claim rule runs and the claimapp shows the claims (which are the result of the search against AD).

However, if I authenticate against the SSO server and the user is redirected back to the ADFS server, I get an error message "There was a problem accessing the site. Try to browse to the site again".

If I remove the AD search claim rule, I can successfully authenticate against the SSO server and the claimapp shows the claims (which are the result of simple pass through rules).

Any idea why the AD search fails when I don't authenticate against AD? Could this be an AD permissions issue? I'm using a stand-alone ADFS server and the ADFS service is using the network service account.

This is causing a major headache for us and any help would be appreciated, thanks.

-- Kari

ADFS SAML 2.0

Greetings,

So far, my experience with ADFS/SAML has been pretty good. I set this up with an online service who made it really easy.

Now, I am working with a vendor who is a little more challenging. They have provided an XML file, and I have created the RP trust from it.  Now, here's where I am getting confused.

An assertion attribute is required.  A sample has been provided.  However, I really don't know what to do with it.

I'm going to guess the most relevant data is this:

<saml:AttributeStatement>
  <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>user1</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

I have tested this through https://localhost/adfs/ls/IdpInitiatedSignOn.aspx and it fails.  They report: Invalid assertion issuer

So, I discussed this with them and they've asked me to send the SAML assertion I am using. I have no idea how to retrieve this, or how to specify it.

Just looking for some guidance.

Thanks!
