Get the issuer of a SamlSecurityToken - wif

I have a WIF RP, with multiple trusted issuers configured, e.g:
<trustedIssuers>
<add thumbprint="..." name="Issuer1" />
<add thumbprint="..." name="Issuer2" />
</trustedIssuers>
I'm trying to get hold of which particular issuer a token came from. I was hoping the IssuerNameRegistry.GetIssuerName(...) would do the trick, but it seems to return null unless the supplied token is a an X509SecurityToken.
In the WSFederationAuthenticationModule's SecurityTokenReceived event I observe the following;
The received SamlSecurityToken exposes a SamlAssertion which has a private field _issuerToken, of type X509SecurityToken.
So, the information is there it seems, I'm just not able to get hold of it.
In short, how do I figure out which trusted issuer issued the token? Any help appreciated.
PS! I'm aware that the token has not yet been validated in the SecurityTokenReceived event. I would preferably get this information after the token has been validated.

If I remember correctly, the ClaimsPrincipal has an Issuer property. That might be easier (look in the Identity property (don't have a machine with me right now and can't verify).

Thanks Eugenio, you pointed me in the right direction. Turns out the issuer is included in the claim, in the Claim.Issuer Property, which makes perfect sense when you think about it — you might have claims from different issuers.
So with the example config:
<trustedIssuers>
<add thumbprint="..." name="Issuer1" />
<add thumbprint="..." name="Issuer2" />
</trustedIssuers>
The Claim.Issuer property returns "Issuer1" if the claim came from "Issuer1".
Thanks guys.

Have you looked at the other version with the single parameter (http://msdn.microsoft.com/en-us/library/ee747522.aspx)?
It's an abstract method so you'd need to get the concrete version defined by whatever is in the web.config.

Related

Best approach to intermittent "the nonce was null" error

I have an ASP.NET application that validates the user using a separate identity provider (using the OpenID Connect protocol.)
Users are complaining of an itermittent error:
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Users experience this error, then discover if they try the login process again it works.
I can reproduce this error by initiating the login process, and while on the identity provider page, clearing the cookie prefixed with OpenIdConnect.nonce.
The error messages suggests setting OpenIdConnectProtocolValidator.RequireNonce to false. I believe this to be an unsatisfactory solution, because it would make the site vulnerable to replay attacks.
Is there a "best practice" way for the website to gracefully deal with this error?
Sometimes the inelegant solution is all you need.
I just display an error, and ask the user to try again.
I suspect the typical user will read the words "Sign In Error", read half of the first sentence, and then click on the button without a second thought.
We thought ours was an intermittent problem but it turned out to be just links coming from Office applications like Word, Excel, PowerPoint. I added a rewrite rule to the web.config file and the error immediately went away:
<rule name="WordBypass" enabled="true" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_USER_AGENT}" pattern="Word|Excel|PowerPoint|ms-office" />
</conditions>
<action type="CustomResponse" statusCode="200" statusReason="Refresh" statusDescription="Refresh" />
</rule>

Servicestack MySql connection string

I'm trying to figure out how to create a connection string in Servicestack for (in this case) MySql.
The question is: what is the connection string in Web.config supposed to look like ?
I stumbled on two ways:
1)
<appSettings>
<add key= "ConnectionString"
value= "Uid={User};
Password={Password};
Server= {EndpointUrl};
Port= {EndpointPort};
Database= customers" />
</appSettings>
and
2)
<connectionStrings>
<add name="testDb"
connectionString=
"Server= localhost;
Database= test;
UID= root;
Password= test"
providerName="MySql.Data.MySqlClient" />
</connectionStrings>
The question above is due to the fact that I have had a hard time to find an answer to this (apparently trivial) question. The answers I find are usually answering more complicated problems.
The Servicestack dokumentation looks like it's tuned to a rather more experienced audience than myself. Not by much but just, I'm a rookie at this.
This is a general problem I guess, in any documentation of a system. It's easy to go blind when it comes to fundamentals. What's self-evident to me is complicated for the next person.
A connection string should contain your database connection in a single string, this is an example of a MySql connection string to the “test” database on “localhost”:
Server=localhost;Database=test;UID=root;Password=test;SslMode=none
You can use this as a template and replace it with the parameters with your database info.
You can add this in your web.config with:
<add key="ConnectionString"
value="Server=localhost;Database=test;UID=root;Password=test;SslMode=none" />
Which you can then access with ServiceStack's AppSettings API:
container.Register<IDbConnectionFactory>(c => new OrmLiteConnectionFactory(
AppSettings.GetString("ConnectionString"), MySqlDialect.Provider));

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

I am trying to implement a Simple STS web site alongside my MVC application in a development environment. I was able to get this working properly on my local machine. I would navigate to my MVC app, kicked out to the STS web application, I login, then am redirected back to my MVC app. This is not using AFDS by the way.
When I migrated this to my Development environment, I see similar activity but I get the error below when I login. I have checked about 20 times that my thumbprint in the MVC app is the exact same as the cert.
(The login is working fine as I don't get redirected until the authentication succeeds.)
Any guesses?
Error message I recieve:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer
web.config from STS website:
<appSettings>
<add key="IssuerName" value="STSTestCert"/>
<add key="SigningCertificateName" value="CN=STSTestCert"/>
<add key="EncryptingCertificateName" value=""/>
</appSettings>
web.config from MVC application:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://localhost/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:57543/mySTS/" realm="http://localhost/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'http://localhost:57543/mySTS/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="‎11111" name="http://localhost:57543/mySTS/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
Copying your thumbprint adds hidden unicode characters. Try typing it in.
As MJCoffman mentioned it is most probably because you copied the thumbprint with hidden character. You can find more details here.
In my case the problem was also that copying the thumbprint and pasting it was adding some characters that a regular text editor do not show. I found the following instructions very useful to remove the special characters (look #4). posted by Edwin Guru Singh
Do this to get rid of the special characters using Visual Studio:
Close the web.config
Right-click on it and open it with binary editor
Find where the thumbprint is and delete additional characters (everything that is not a number, usually dots).
Save and try again, it should work.

Deploying MVC 4 CodeFirst to Azure

I'm trying a 90 day free trial of azure. It is super easy to deploy/publish the website and create the database, but for some reason my tables are not being created in the database. I'm using entity framework 4.4(i believe) and code first migrations. I've read that azure uses its own connection string, but I went ahead and changed my connection strings as well. I Spent hours on this and I can't figure out what is wrong and why my tables are not being created. I deploy website, enable-migrations, add-migration, update-database, then publish with checking the checkbox for code-first. Maybe my connection string is wrong? Any help is greatly appreciated.
In 'MyProject.Web' web.config:
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=4.4.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=tcp:n98my***.database.windows.net,1433;Initial Catalog=slutips_db;User Id=****;Password=****;" />
</connectionStrings>
Then in 'MyProject.Data' app.config, where my datacontext.cs is held:
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
<contexts>
<context type="SeluCmpsTutorials.Data.DataContext">
<databaseInitializer type="System.Data.Entity.MigrateDatabaseToLatestVersion">
<parameters>
<parameter value="slutips_db"/>
</parameters>
</databaseInitializer>
</context>
</contexts>
</entityFramework>
Also I noticed even though all my connection strings are changed, when I add-migration and update-database, it still using the ./sqlexpress local database, how is that possible?
key gotcha to be aware of regarding sql azure connections: for userid it actually usually needs to be user id # server name - do would read youruserid#n98my*** in the connectionstring.
Also, not sure if you need the "tcp:" (not using it) and you may also want to add providerName="System.Data.SqlClient"
Does your db user have necessary permissions for database modification ?
How did you set up your user ?
Initially you should create login for Azure sql server, sometihing like this:
(execute following sql on your server master database, replace angle-brackets values with actual values)
CREATE LOGIN [<SomeServerLogin>] WITH PASSWORD=N'<somepassword>'
Then connect to your slutips_db database as admin and execute following sql
CREATE USER [<slutips_db_user>] FROM LOGIN [<SomeServerLogin>];
GO;
EXEC sp_addrolemember 'dbmanager', '<slutips_db_user>';
GO;
EXEC sp_addrolemember 'loginmanager', '<slutips_db_user>';
GO;
'dbmanager' role allows table creation\management.
'loginmanager' role enables creation of another users in current database (your slutips_db_user will be allowed to execute CREATE USER <slutips_db_user1> FROM LOGIN <SomeServerLogin1> clause
Edit1: Also - ensure that your connection string user have user#n98my*** (user#server) format.
If you follow this tutorial: https://www.windowsazure.com/en-us/develop/net/tutorials/web-site-with-sql-database/ It'll show you how to connect Visual Studio (2012 in the example, not sure if works for any others) with Azure - basically you want to log into the portal, and download the publishing credentials. This will contain your database connection string, which you can then use to push code first migrations up to Azure.
What it looks like you've done is manually added in properties to the app.config yourself. The way the publish works, it defines a local version in your .config file like thus:
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
<parameters>
<parameter value="v11.0" />
</parameters>
</defaultConnectionFactory>
Then, when you publish, VS will auto-magically insert the required stuff into your .config - if I go and FTP to my web site and look at the generated .config file, you see this:
<contexts>
<context type="Web_App.Models.TrackSafeDb, Web App">
<databaseInitializer type="System.Data.Entity.MigrateDatabaseToLatestVersion`2[[Web_App.Models.TrackSafeDb, Web App], [Web_App.Migrations.Configuration, Web App]], EntityFramework, PublicKeyToken=*******************">
<parameters>
<parameter value="Web_App.Models.TrackSafeDb_DatabasePublish" />
</parameters>
</databaseInitializer>
</context>
</contexts>
So I'd try removing the extraneous stuff from your local app.config and re-publishing
Try adding encryption to your connection string...
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=tcp:n98my***.database.windows.net,1433;Initial Catalog=slutips_db;User Id=****;Password=****;Integrated Security=False;Persist Security Info=True;Encrypt=True" />
</connectionStrings>
what i did was go to my azure management portal.
clicked on databases.
went view connection strings and then copied those directly into my relevant config.
in my case its "release" config.
make sure that the web config transformations are enabled and working correctly.
also make sure you've enabled firewall access to each of the db's...
you have to click "enable connection through firewall" or something similar.
its in the db options on the portal.
After seeing this question for a few days, a couple of thoughts. First, is the name of your context is infact DefaultConnection. Entity Framework (in order to be used with the parameterless constructor) likes the connection string name to match the name of the context.
For instance, if your declare a new context variable as such:
var context = new MyEntities();
Then your connection string should be called MyEntities
<connectionStrings>
<add name="MyEntities" connectionString="Data Source=tcp:n98my***.database.windows.net,1433;Initial Catalog=slutips_db;User Id=****;Password=****;" />
</connectionStrings>
Second, are you 100% sure that there are no web.config transformation files and/or that you also properly updated the connection strings in those files?
Third, remember that upon deployment, any configuration file other than the web.config is essentially ignored. The executing assembly is the web application, not the data project or any others. Any configurations relating to EF setup and deployment should be located in the web.config file (like the snippet that you have in your data app.config)
I had the exact same problem and it was linked to my password containing '%' character.
I checked the resulting web.config on Azure connecting with ftp and the part of my password containing '95%a' turned to '95ª' ... automagically. That might be a bug in the web deployment feature of azure, because the password was correct in my publish profile locally.
If indeed the resulting password to the DB is corrupted in the resulting connection string, you have to reset it :
From Windows Azure Management, in the SQL DATABASES tab, select the SERVERS list (not the DATABASE list) and click on your server
In the Dashboard, there is a link to reset the admin password
In visual studio, update the password in your publish profile's connectionString (Settings, Databases)
Make a change to the web.config (a real one, not a comment), or it won't be re-published
Publish, and on first use of the database, the migrations will be applied

Custom Saml2SecurityTokenHandler - The token Serializer cannot serialize

For the sake of simplicity, I've implemented the following class:
public class CustomUserNamePasswordValidatorSecurityTokenHandler : UserNameSecurityTokenHandler {}
And I've enabled it configuration (and enabled proper configSection):
<microsoft.identityModel>
<service>
<securityTokenHandlers>
<clear />
<add type="CustomUserNamePasswordValidatorSecurityTokenHandler" />
</securityTokenHandlers>
</service>
</microsoft.identityModel>
And performing an actual RP call against my STS yields (in service trace viewer):
The token Serializer cannot serialize 'Microsoft.IdentityModel.Tokens.SessionSecurityToken'. If this is a custom type you must supply a custom serializer.
If I comment out the configuration (so no token handler applys), everything works fine. How do I supply this custom serializer?
NOTE: There's a couple references to the issue in this thread however I don't see the resolution.
Removing the <clear /> on the securityTokenHandler section should suffice (I editied may answer on your other question accordingly, sorry).
<clear /> removes all by default registered handlers (e.g. for the SessionSecurityToken).

Resources