Debugging ADFS 2.0 errors - wif

I am trying to get a SAML 2.0 token from an ADFS 2.0 ws-trust service using C#. The popular sample is this one http://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/. However, this sample uses a UserNameWSTrustBinding which, according to this article http://msdn.microsoft.com/en-us/library/jj157091.aspx, did not make the jump to the System.IdentityModel namespace for 4.5.
I have been experimenting with this sample and some variants that I have found, but so far, the only results that I can get are a variety of error messages. I am wondering if there is any good way to debug the latest one, "The request for security token has invalid or malformed elements.". I turned on WCF logging on and determined that this message is being returned as a fault by the ADFS service.
Reviewing the AD FS 2.0/Admin events on the ADFS server, there is no indication of an error. Several posts indicate that this is common in an ADFS farm environment, but mine is a simple single server configuration.
Does anyone have a good way to diagnose this? Or, is there a good sample that comes with any configuration requirements on the ADFS server side?

This link http://social.msdn.microsoft.com/Forums/en/Geneva/thread/33fc091b-505c-481c-a61c-a8541a5ccf23 shows how to enable WCF and WIF tracing for the server side of ADFS 2.0. Modify the config file at C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config. (Change the three switchValue settings to Verbose and modify the trace listeners.) While following the instructions, make sure to change the types on the listeners. Something like
<add name="ADFSWifListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\logs\adfs1.svclog" />
I also had to grant "Everyone" full access to the C:\Logs folder, you can refine those permissions with auditing if you like. Once the .svclog files have been created, they can be viewed with SvcTraceViewer.exe in %ProgramFiles%/Microsoft SDKs/Windows/v8.0A/bin/NETFX 4.0 Tools (or any other SDK version probably).
NOTE: Microsoft will not support the notion of logging trace data directly to a file, so you will want to turn this off or configure according to this article http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(WS.10).aspx for a production deployment.

Related

WebAuthn Issue Due to Split Architecture

I am currently developing in a standalone (Not .Net Core Hosted) Blazor WebAssembly app in .Net 5.0. I have been trying to convert a couple Asp.Net MVC WebAuthn examples over into my Blazor app for Passwordless Authentication.
The issue I am experiencing now is due to this app's architecture since it is not a Blazor Server app. The Asp.Net MVC example I am following has everything including the client hosted on the server whereas my app is split Web Client/ Web API architecture.
So far however, I have managed to get most of the way through these differences but now the issue I am having is in the last functionality of registering the credential with the server within the Make Credential request of the Fido2NetLib Library. on line:
// 2. Verify and make the credentials
var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);
I am receiving an error saying: "Origin https://localhost:44325 not equal to original origin https://localhost:44309". Now of course this is a dev environment but it will be exactly the same in production as the API and the client are hosted in two different domains.
Any ideas would be greatly appreciated. I am hoping I can "white list" certain domains?
WebAuthn defines the origin to be the fully qualified origin. Per referenced RFC6454, this is the tuple of scheme, host, and port. You can't go breaking the rules without deviating from the standard.
WebAuthn gels very well with using a separate identity provider (e.g. something Open ID Connect/IdentityServer4-based) as the origin that deals with credentials will always be the same regardless of the relying parties involved.

Does Ping Identity set any environment variable containing the username of the person logged in?

I am trying to use this username in my code but I do not know if it is provided in the environment variables. Thanks!
Additional information: I am using using PingFederate and Ping One.
My website is based on C sharp and it used to get the windows environment variable for username. now I want it changed to the user logged in through ping identity.Is it possible to do so and in that case which SDK should I get (I am assuming the .net integration kit right?)?
As a .NET hosted application on IIS, your application would be considered the Service Provider (SP). In this architecture PingFederate is the Identity Provider (IdP). This is a brokered authentication design pattern, or more commonly known as Single Sign-On (SSO). When PingFederate authenticates the user, a token is sent to your application that would contain the username. The code (or library) within your application would process the token and then read out the username.
Here’s a list of options that you could pursue to solve your problem:
WS-Federation protocol using the Windows Identity Foundation (WIF) libraries. The config on the PingFederate side is very simple, and you just have to integrate the WIF libraries on your side. Once the WIF libraries and associated web.config configuration is established, you read the claims object passed to your application.
OpenID Connect (OIDC) protocol using the OWIN middleware. This is also a native MS solution that leverages an open standard. It will require that you have some understanding of OWIN/Katana, as examples are not exactly exhaustive online. PingFedeate supports the OIDC protocol, which is also a very straight forward configuration.
PingFederate Agentless Integration Kit. The integration kit is installed on PingFederate and is easy to configure. It is essentially a REST interface between PingFederate and your application to provide a JSON object with the identity information including username. Your application would need to implement the REST APIs to PingFederate.
PingFederate .NET Integration Kit. This solution implements the PingFederate Opentoken solution for exchanging attributes between your app and PingFederate. The .NET code libraries for handling the Opentoken are provided to you by the integration kit, you just have to integrate them into your code baseline along with about 10 lines of code to read the OpenToken to get username. Configuration on PingFederate is simple.

What role does FederationMetadata.xml play in WIF?

I'm trying to develop an authentication plugin for an ASP.NET MVC3 application that would use WIF for authentication. Since it's a plugin with an in-system configuration, I avoid touching the web.config file of the app or anything else. I've got it working, but now I'm trying to specify what claims the STS should send my app, and it seems that FederationMetadata.xml is involved, but I cannot find confirmation of that. In fact, I cannot find any information on this enigmatic file at all. What is it?
FederationMetadata tells potential relying parties what information the STS provides.
Your claims should be detailed in the EntityDescriptor/RoleDescriptor/fed:ClaimTypesOffered section
See http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx
FederationMetadata is a 2 way exchange. It is used to tell the Identity Provider WHAT claims you require and the Identity Provider can use the metadata to tell your application WHAT claims it offers by default.
This way you can ensure your application has all the claims support it requires when integrating with differing identity providers.

WIF SessionAuthenticationModule not executing correctly

I have an odd situation occurring that I am trying to diagnose and would appreciate any advice on where to look.
I have an ASP.NET application using WIF that contains another ASP.NET application as a child in IIS 7.5. This child application contains a REST based web service. Accessing this service directly by pasting a URL into a browser will redirect to an ADFS sign in page. This is how I expect it to work. The odd part is that I have a second environment with the same applications and service deployed, and in this environment I am never redirected to the sign in page.
I have checked that all web.config files are identical, and also checked all IIS settings that I thought might be related. Browsing to web pages on the second environment requires a login, but not when browsing directly to the REST .svc file. I checked all HttpModules and Handler Mappings in IIS. I also enabled tracing of Microsoft.IdentityModel events and on the first environment can see a basic entries for a redirect to the STS. On the second environment I don't see any WIF events. The SessionAuthenticationModule appears to be called when I examine the data flow using IIS failed event tracing, but am not sure why it isn't requiring authentication.
I am familiar with cookie related issues with WIF and made sure that all cookieHandler settings were correct. I also closed browser windows and cleared all cookies to make sure the SessionAuthenticationModule wasn't seeing previous WIF cookies.
If you can think of anything else I should check please let me know.
If you have the same application in two separate environments bound to the same instance of ADFS, the URL's must be different so I am puzzled by the statement "all web.config files are identical"?
Have you tried re-running FedUtil on the application that doesn't work?
Also check AppPool settings.
After a lot of trial and error and carefully examining the applicationHost.config files between the two servers I found out this was caused by a difference in the ordering of HTTP handlers. The ExtensionlessUrl-Integrated-4.0 handler was picking up the request on one server and redirecting to ADFS. On the other server the svc-Integrated-4.0 handler was responding to the request first. You can read more about this behavior here: http://support.microsoft.com/kb/2520479

Using OAuth in free/open source software

I'm now reading some introduction materials about OAuth, having the idea to use it in a free software.
And I read this:
The consumer secret must never be
revealed to anyone. DO NOT include it
in any requests, show it in any code
samples (including open source) or in
any way reveal it.
If I am writing a free client for a specific website using OAuth, then I have to include the consumer secret in the source code, otherwise making from source would make the software unusable. However, as it is said, the secret should not be release along with the source.
I completely understand the security considerations, but, how can I solve this dilemma, and use OAuth in free software?
I thought of using an external website as a proxy for authentication, but this is very much complicated. Do you have better ideas?
Edit:
Some clients like Gwibber also use OAuth, but I haven't checked its code.
I'm not sure I get the problem, can't you develop the code as open source retrieve the customer secret from a configuration file or maybe leave it in a special table in the database? That way the code will not contain the customer secret (and as such will be "shareable" as open source), but the customer secret will still be accessible to the application.
Maybe having some more details on the intended platform would help, as in some (I'm thinking tomcat right now) parameters such as this one can be included in server configuration files.
If it's PHP, I know a case of an open source project (Moodle), that keeps a php (config.php) file containing definitions of all important configurations, and references this file from all pages to get the definition. It is the responsibility of the administrator to complete the contents of this file with the values particular to that installation. In fact, if the application sees that the file is missing (usually on the first access to the site) it will redirect to a wizard where the administrator can fill the contents in a more user friendly way. In this case the customer secret will be one of these configurations, and as such will be present in the "production" code, but not in the "distributable" form of the code.
I personally like the idea of storing that value in the database in a table designed for it and possibly other parameters as the code needs not be changed. Maybe a installation wizard can be presented here ass well in the case the values do not exist.
Does this solve your problem?
If your service provider is a webapp, your server needs consumer signup pages that provides the consumer secret as the user signs up their consumer. This is the same process Twitter applications go through. Try signing up there and look at their workflow, you'll have all the steps.
If your software is peer-to-peer, each application needs to be both a service provider and a consumer. The Jira and Confluence use cases below outline that instance.
In one of my comments, I mention https://twitter.com/apps/new as the location of where Twitter app developers generate a consumer secret. How you would make such a page depends on the system architecture. If all the consumers will be talking to one server, that one server will have to have a page like https://twitter.com/apps/new. If there are multiple servers (i.e. federations of clients), each federation will need one server with this page.
Another example to consider is how Atlassian apps use OAuth. They are peer-to-peer. Setting up Jira and Confluence to talk to one another still has a setup page in each app, but it is nowhere near as complex as https://twitter.com/apps/new. Both apps are consumers and service providers at the same time. Visiting the setup in each app allows that app to be set up as a service provider with a one-way trust on the other app, as consumer. To make a two-way trust, the user must visit both app's service provider setup page and tell it the URL of the other app.

Resources