I was having some problems with the original SSL Certificate that I created and bound to IIS, therefore, I deleted it and re-created it.

However, I had earlier used the certificate while configuring the ADFS 2.0 service and now when I look under the Certificates area for Service communications, I see the error message"Certificate not found in store" beneath the Service communications heading.

Now that I have installed the new certificate, I want to set the new Service communications certificate, however, when I click on the option for "Set Service Communications Certificate", I get the following error message"The certificate could not be processed.  Error message: Object reference not set to an instance of an object."

Is there a way for me to set the new Service Communications certificate for ADFS either through the UI or through a PowerShell command?  I have already configured everything in SharePoint to work with my ADFS Server, so I would hate to have to start all over from scratch again.

Please advise.

Hi,

I need some advice here.

We have an Kentico CMS web application deployed to Amazon AWS EC2, and we have 2 instances of EC2.

Our web application is using WIF and claims to for authentication and authorization.

We encountered the exception "Key not valid for use in specified state.".

This exception is thrown after an authenticated user (handled by instance 1) is requesting for a protected resource page which is handled by instance2 of the same application, on the same domain.

I have tried to fix this issue by adding one common machineKey decryption and also sessionState mode="SQLServer" into the web.config for both instances.

At first it seems to be working, but then somehow it doesn't really work and I still get the same exception.

IIS Application pool, I had set Load User Profile to true.

What can I do to solve this issue?

Hello all ,

I'm working on using WS-Federation for SSO. I already built an STR issuing RSTR containing SAML 1.1 token. I saw that to be able to accomplish WS-Federation SSO , I need to create a WS-Trust RSTR ... Is that true ?

Thanks a lot

Does anyone know why the class System.IdentityModel.WSFederationConstants is internal in WIF 4.5?

It's 3.5 class (Microsoft.IdentityModel.Protocols.WSFederation.WSFederationConstants) is public.

Is there any accessor class for it?

In the process of porting our ASP.NET MVC3/WIF 3.51 token-issuer/relying-party to ASP.NET MVC4/WIF/.NET 4.5.    The FAM successfully redirects un-authenticated requests to SignIn.  SignIn authenticates the user and HTTP POSTs the resulting SAML token to the relying party.  We then see this error:

Here is our identity model configuration from relying party web.config:

What am I doing wrong?

For an Office 365 environment we use a load balancer to make the ADFS 2.0 servers high available. To validate if the server is healthy I would like to monitor a url and check for a certain response. Any recommendations?

When I call https://adfs.domain.tld/adfs/fs/federationserverservice.asmx I get an XML response, but am not sure for what part to check.

Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

I think folks know I love WIF (and the whole Microsoft SSO story). Its sensible, and not religious.

But there are "delivery" matters that can be improved.

Ive forced myself in the last 3 months to use only Windows 8, Windows server 2012, etc. Ive also read modern books... on SSO for the platform. ITs all very confusing.

It is possible to install WIF SDK, for studio 2012 on Server 2012. But, its a right royal pain.

It is possible to install the latest identity training kit, but once again, if you dont know to install the visual c++ libs (sp1) dont expect teh dependency manager to work (and install the prereqs).

It is possible to run SOME of the WIF SDK samples, on IIS. BUt, none of its uses the internal webserver or iis express 8. Its very confusing, "generational cap".

Quite what the relationship is between the wif sdk TEMPLATES installed into 2012 visual studio and the "identity and access tool" ... I dont know. I&A tool runs some kind of STS, with a little UI, for testing. How it relates to the STS project source previously generate dby WIF STS templates, I dont know.

Dont try to install the I&A tool per the instructions. It doesnt work (i.e. download and  click). Do use the etension manager of studio (which works fine).

Finally, Ive been reading books. One "cookbook" explains how to make an STS by injecting one's own servercedential "framework" into WCF. Another book explains how WIF works (which does the same, more comprehensively, exploiting the same WCF extensibility model).

And then there is the wonderful world of ACS v2, in which some training samples show how to use MVC for provisioning tenants of a companion app (shipping), while also provisioning a RP (+IDP) entities in the ACS world for said new tenant. the MVC patterns are explored, showing how "WIF + URL routing"  is supposed to be used, with the "enrollement app" using a common realm (which the audienceURI function enforces), but the "shipping app" uses "per-tenant realms" (which audience URI ACS verified doesnt enforce).

You know, If I had not spent 1+ year studying all this, Id be lost. And, I still cannot do it... though I can at least follow the code ...those who can (and just copy).

Then there is WebAPI and OAUTH, and then the OpenAUTH libs that come built into the default web app for studio 2012. They nicely do openid/oauth-style websso, but dont know how to make delegate tokens to actually go consume a google API, say, having done a google IDP websso session!

Just some user feedback - from someone who is very positive about it all, typically.

While I'm very familiar with federated protocols like SAML, I'm pretty new to WS-Federation and ADFS. We are considering to move towards claims-based authentication and authorisation for our web based set of (.NET) applications. I understand that users will be re-directed towards ADFS to authenticate. All our applications (and also ADFS) are behind a reversed proxy that performs the authentication. So, basically there is no need for ADFS to authenticate the users again. This proxy is able to add user data (e.g. unique user ID) to HTTP HEADERs it sends to backend applications. Can ADFS somehow be configured to pick up these HEADERs instead of asking the user to authenticate again. The unique user ID can stored/fetched from any repository (AD, LDAP, Database).

So, basically, I'm looking for SSO options from a reversed proxy towards ADFS. Help much appreciated.

I have a WCF service which is configured to require SAML 2.0 token. Currently it uses WIF 3.5. Now I am trying to upgrade it to use WIF 4.5 but WCF keeps throwing this error:

System.InvalidOperationException: ID1032:At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirementwhen the AudienceUriModeisset to 'Always'or'BearerKeyOnly'.Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement,or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.

I am trying to use custom token handler with the following configuration:

<system.identityModel><identityConfigurationname="Interconnect"><claimsAuthorizationManagertype="My.IdentityModel.EpicClaimsAuthorizationManager, My.IdentityModel"/><securityTokenHandlers><removetype="System.IdentityModel.Tokens.Saml2SecurityToken, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/><removetype="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/><addtype="My.IdentityModel.EpicSaml2SecurityTokenHandler, My.IdentityModel"/><addtype="My.IdentityModel.EpicSaml11SecurityTokenHandler, My.IdentityModel"/><securityTokenHandlerConfiguration><audienceUrismode="Never"><addvalue="https://myhost/test/wcf/services.svc"/></audienceUris><issuerNameRegistrytype="My.IdentityModel.EpicIssuerNameRegistry, My.IdentityModel"><trustedIssuers><addthumbprint="168051a8c206c02c8bc962424660adc506784814"name="MyCert"/></trustedIssuers></issuerNameRegistry></securityTokenHandlerConfiguration></securityTokenHandlers></identityConfiguration>
</system.identityModel>

As you can see in the configuration above, I have set audienceUris mode to 'Never'. I also have 'useIdentityConfiguration' set to 'true' on 'serviceCredentials' element in service behavior.

Here is the full stack trace for the error captured using WCF tracing:

<E2ETraceEventxmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><Systemxmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>131075</EventID><Type>3</Type><SubTypeName="Error">0</SubType><Level>2</Level><TimeCreatedSystemTime="2013-01-25T22:56:07.5358245Z"/><SourceName="System.ServiceModel"/><CorrelationActivityID="{e3b81b45-d40d-497b-a85e-922d82f594df}"/><ExecutionProcessName="w3wp"ProcessID="6048"ThreadID="6"/><Channel/><Computer>EPIC9802</Computer></System><ApplicationData><TraceData><DataItem><TraceRecordxmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/test-2-130036281663431093</AppDomain><Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Message security verification failed.</Message><StackTrace>
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.StartInnerReceive()
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.Start()
at System.Runtime.ActionItem.DefaultActionItem.TraceAndInvoke()
at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)</StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---&gt; System.InvalidOperationException: ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement,  or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   at System.ServiceModel.Security.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)
   --- End of inner exception stack trace ---</ExceptionString><InnerException><ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement,  or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.</Message><StackTrace>
at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
at System.ServiceModel.Security.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)</StackTrace><ExceptionString>System.InvalidOperationException: ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement,  or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   at System.ServiceModel.Security.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)</ExceptionString></InnerException></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>

In the process of porting our .NET 3.51 WIF/WCF token issuer and relying party to 4.5.

I can't seem to find the WSTrustServiceHostFactory in .NET 4.5?   Where did it go?  What was it replaced with?

This is our old WIF 3.51 web.config serviceAction code (web.config)

<serviceActivations><!-- 
        Thie following line associates the /sts.svc Url with the WSTrustServiceHostFactory and MyTokenIssuerFactory (See WSTrustServiceHost constructors more detail).
        When a request comes in for /sts.svc the WSTrustServiceHostFactory will handle the request by instantiating MyTokenIssuerFactory which will instantiate MyTokenIssuer.
        If you need more complex startup logic, you can write your own servicehost implementation that inherits from WSTrustServiceHostFactory.
        --><add relativeAddress="sts.svc" factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory" service="CT.Acme2.Services.Wcf.Api.Hosts.Partner.TokenIssuer.Impl.MyTokenIssuerFactory"/></serviceActivations>

Hi,

I need to create application that provide user to use username and password based on our CAS (central authentication service) in my university. So when user try to access my application, they will redirect to ourCAS to provide username and password and once their username password  is correct, they can access my application.

How can I approach this goal? Is that correct that I need to use Windows Identity Foundation?

Is there step by step tutorial for this? Because I'm very new on this. Many thanks :)

Many Thanks

I have a situation where I may need to rename the server that runs ADFS 2.0.  This server is setup as a stand-alone server and uses the Windows Internal Database.  I can't seem to find anything on this, and am curious if there is any advice or steps?  Please note that I don't plan on changing the URL just the physical server name.

Thanks in advance

Jeremy

Hi,

I have spent few days to build simple WCF Service with claims based authentication without success :/

Lastly I was trying to run Exercise 2: Accepting Tokens from an Active Directory Federation Services (ADFS) STS. Because the ADFS using in this example is not working now, I have install my own. After many tries (mostly modifying config files and using different certificates):

1. my client successfully is asking my ADFS
2. ADFS is creating correct token
3. this token is send to WCF service
4. message is refused by service

Event log:

Message authentication failed.
 Service: http://weather.moss2010dev.local/WeatherStationService/Service.svc
 Action: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
 ClientIdentity:
 ActivityId: <null>
 MessageSecurityException: The primary signature is not signed with a derived key. The binding's primary token parameter 'System.ServiceModel.Security.Tokens.SslSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: True
RequireCancellation: True
RequireClientCertificate: False' requires key derivation.

Before this I have received following error:

 MessageSecurityException: The supporting signature is not signed with a derived key. The binding's supporting token parameter 'System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters:

But I have turned off RequireDerivedKeys in config file.

Service config file:

<?xml version="1.0"?><configuration><configSections><section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /></configSections><location path="FederationMetadata"><system.web><authorization><allow users="*" /></authorization></system.web></location><system.web><compilation debug="false" targetFramework="4.0"><assemblies><add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /></assemblies></compilation></system.web><system.serviceModel><services><service name="WeatherStationService.Service" behaviorConfiguration="ServiceBehavior"><endpoint address="http://weather.moss2010dev.local/WeatherStationService/Service.svc" 
                  binding="ws2007FederationHttpBinding" contract="WeatherStationService.IService" bindingConfiguration="WeatherStationService.IService_ws2007FederationHttpBinding" /></service></services><behaviors><serviceBehaviors><behavior name="ServiceBehavior"><serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" /><federatedServiceHostConfiguration name="WeatherStationService.Service" /><serviceMetadata httpGetEnabled="true" /><serviceDebug includeExceptionDetailInFaults="true" /><serviceCredentials><!--Certificate added by FedUtil.  Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.--><serviceCertificate findValue="CD138CB21E99AF0776DE185B80CD5BE00487DE14" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" /></serviceCredentials></behavior></serviceBehaviors></behaviors><bindings><ws2007FederationHttpBinding><binding name="WeatherStationService.IService_ws2007FederationHttpBinding"><security mode="Message" ><message ><issuerMetadata address="https://adfsiis.moss2010dev.local/adfs/services/trust/mex"  /><claimTypeRequirements><add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" /><add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" /><add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" /></claimTypeRequirements></message></security></binding></ws2007FederationHttpBinding></bindings><serviceHostingEnvironment multipleSiteBindingsEnabled="false" /><extensions><behaviorExtensions><add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /></behaviorExtensions></extensions></system.serviceModel><system.webServer><modules runAllManagedModulesForAllRequests="true" /></system.webServer><microsoft.identityModel><service name="WeatherStationService.Service"><certificateValidation certificateValidationMode="None" /><audienceUris><add value="http://weather.moss2010dev.local/WeatherStationService/Service.svc" /><add value="http://weather/WeatherStationService/Service.svc" /><add value="https://weather.moss2010dev.local/WeatherStationService/Service.svc" /></audienceUris><issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"><trustedIssuers><add thumbprint="AFB645D735E7E67CC2EE261D217139A15D7560C6" name="http://ip-sts-01.federatedidentity.net/adfs/services/trust" /><add thumbprint="04EEBA736436AD0F24DCC620D1BD69CF53083F89" name="http://adfsiis.moss2010dev.local/adfs/services/trust" /></trustedIssuers></issuerNameRegistry></service></microsoft.identityModel><appSettings><add key="FederationMetadataLocation" value="https://adfsiis.moss2010dev.local/FederationMetadata/2007-06/FederationMetadata.xml" /></appSettings><system.diagnostics><sources><source name="Microsoft.IdentityModel" switchValue="Verbose"><listeners><add name="wif" /></listeners></source><source name="System.ServiceModel" switchValue="Verbose"><listeners><add name="wcf" /></listeners></source></sources><sharedListeners><add name="wcf" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\temp\logs\server\ClientWeatherServiceWCF.svclog" /><add name="wif" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\temp\logs\server\ClientWeatherServiceWIF.svclog" /></sharedListeners><trace autoflush="true" /></system.diagnostics></configuration>

Client config:

<?xml version="1.0" encoding="utf-8" ?><configuration><system.serviceModel><bindings><customBinding><binding name="WS2007FederationHttpBinding_IService"><security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation" enableUnsecuredResponse="true"
                    requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
                    keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                    messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                    requireSecurityContextCancellation="false" requireSignatureConfirmation="false"><localClientSettings cacheCookies="true" detectReplays="true"
                      replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" 
                      replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                      sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                      timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" /><localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" 
                      maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                      negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                      sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                      reconnectTransportOnFailure="true" maxPendingSessions="128"
                      maxCachedCookies="1000" timestampValidityDuration="00:05:00" /><secureConversationBootstrap defaultAlgorithmSuite="Default" enableUnsecuredResponse="true" 
                      authenticationMode="IssuedTokenForSslNegotiated" requireDerivedKeys="false"
                      securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy"
                      messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                      messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                      requireSecurityContextCancellation="false" requireSignatureConfirmation="true"><issuedTokenParameters keyType="AsymmetricKey" tokenType="" ><issuer address="https://adfsiis.moss2010dev.local/adfs/services/trust/13/usernamemixed" 
                              bindingConfiguration="https://adfsiis.moss2010dev.local/adfs/services/trust/13/usernamemixed" 
                              binding="ws2007HttpBinding"></issuer><issuerMetadata address="https://adfsiis.moss2010dev.local/adfs/services/trust/mex" /></issuedTokenParameters><localClientSettings cacheCookies="true" detectReplays="true"
                        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" /><localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" /></secureConversationBootstrap></security><textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Default" writeEncoding="utf-8"><readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" /></textMessageEncoding><httpTransport manualAddressing="false" maxBufferPoolSize="524288" 
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" /></binding></customBinding><ws2007HttpBinding><binding name="https://adfsiis.moss2010dev.local/adfs/services/trust/13/usernamemixed" ><security mode="TransportWithMessageCredential"><message clientCredentialType="UserName" establishSecurityContext="false" /></security></binding></ws2007HttpBinding></bindings><client><endpoint address="http://weather.moss2010dev.local/WeatherStationService/Service.svc"
                binding="customBinding" bindingConfiguration="WS2007FederationHttpBinding_IService"
                contract="ServiceReference1.IService" name="WS2007FederationHttpBinding_IService"><identity><dns value="DefaultApplicationCertificate"/><!--<certificate encodedValue="AwAAAAEAAAAUAAAApiO8/Q2OkkbeTyt9Z0A7Z8kJ0jsgAAAAAQAAABYCAAAwggISMIIBf6ADAgECAhBXl7Mu5iSmnk5lQEc0nLp6MAkGBSsOAwIdBQAwIDEeMBwGA1UEAxMVV2VhdGhlclN0YXRpb25TZXJ2aWNlMB4XDTAwMDEwMTAzMDAwMFoXDTM2MDEwMTAzMDAwMFowIDEeMBwGA1UEAxMVV2VhdGhlclN0YXRpb25TZXJ2aWNlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzjz0g7niGRkTs3GfIAuLoWNznsqW/06nCZh5y12tOCHIVIrci4Dy+rfgWQ3o6Uzz97GVuVH0Il6TqgV9Qjz62Y+XcSlmnAH5oMDKDhebdyPdhKxVSQYnEnjWdiOU2G6TjFdMRN1nG5wTKUTeL1Eu/enxFancj//kQAeb4268xIwIDAQABo1UwUzBRBgNVHQEESjBIgBBfBE4WY9hQAaZk6TRHjA2noSIwIDEeMBwGA1UEAxMVV2VhdGhlclN0YXRpb25TZXJ2aWNlghBXl7Mu5iSmnk5lQEc0nLp6MAkGBSsOAwIdBQADgYEApwU/uVeKQ0jGRaHhlLu7QgXTRwA82pOlscB0WHWdD1IMTO41f94EKNjBIIDRymJkmxl9uEM8Ux8ygu4S33gAY9UKX8i8pqHgryAZOrnRBv6qTquHbap7pxwhlgzMhJziJW34dQ/mgKAeftd3KJW1MWSfW3R7v6JAwz1VcN20I8A=" />--></identity></endpoint></client></system.serviceModel><system.diagnostics><sources><source name="Microsoft.IdentityModel" switchValue="Verbose"><listeners><add name="wif" /></listeners></source><source name="System.ServiceModel" switchValue="Verbose"><listeners><add name="wcf" /></listeners></source></sources><sharedListeners><add name="wcf" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\temp\logs\client\ClientWeatherServiceWCF.svclog" /><add name="wif" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\temp\logs\client\ClientWeatherServiceWIF.svclog" /></sharedListeners><trace autoflush="true" /></system.diagnostics></configuration>

Hi,

We develop an enterprise web application and have a requirement to support SAML 2.0  IDP Initiated SSO.

To support this we are looking at using a corporate STS for clients we host ourselves. We also have self-hosted and hosted clients which still require Forms Authentication.

This is where I have a problem as from my reading on WIF and CBA these cannot coexist.

If this is the case and these cannot coexist then we may need to look at incorporating a SAML Toolkit in our application to support the SAML SSO requirement but wanted to query the Forms\CBA scenario here first.

Regards,

Lastbuilders

Hello!

I have a ADFS testing environment based on this guide

http://technet.microsoft.com/en-us/library/dd378921(v=ws.10).aspx

The federation functions so far. But I don't understand the thing with group claim extraction and the incoming and outgoing group claim mappings.

I thought, only the members of the security group what I defined in the group claim extraction have access to the web application in the ressource domain. But instead every user who is authenticated to the account domain have access to the wep application.

What must I do that only the members of the group in the group claim extraction have access to the web app?

Greetings Barbara

Hi guys,

We are running ADFS 2.0 on Win2008r2 and have (2)adfs proxy servers and (2)adfs servers. We do have a load balancer for both sets, and we can take both a proxy server and an adfs server offline to make changes on them without downtime.  We are changing out the SSL(Service Communications) cert with a new Verisign cert that does have a different certificate chain.  We are using a CSR to get the cert on one and then export it to the others.  I was thinking that since the cert does look to be included in the adfs metadata database and since we are using a different certificate chain, that I should ask for a couple of hours of downtime.  Downtime is tough for us as we do have operations in Europe.  Not sure if my clients have that Verisign certificate chain or not and we do have some older WinXP clients and also a few Macintosh clients(not primary concern) that might have issues, so I was going to test as well and push the chain through AD to Windoiws clients, if needed. Can I make those changes without asking for downtime?  Let me know what you guys think.

I have read the instructions below, but my concern is the downtime.  We also have already changed out our token-signing certs and I am only concerned about the SSL side. We are running a Powershell script on our ADFS servers which should push our certificate changes, on our database, up to the Office365 cloud.- http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx

Thanks,

Dan

Dan Heim

Has anyone integrated WIF with Imprivata SSO?

scptt

Dan Heim