Single Sign On using ADFS v2

Posted by gvgvasgvsz vgzavzAvv on Wednesday, February 16, 2011

This is the universal identity problem – too many user accounts for the same person.  As such, one of my internal goals here is to simplify identity at ObjectSharp.
While working on another internal project with Salesforce i got to thinking about how it manages users.  It turns out Salesforce allows you to set it up as a SAML relying party.  ADFS v2 supports being a SAML IdP.  Theoretically we have both sides of the puzzle, but how does it work?
Well, first things first.  I checked out the security section of the configuration portal:
There was a Single Sign-On section, so I followed that and was given a pretty simple screen:
There isn’t much here to setup.  Going down the options, here is what I came up with:
SAML Version
I know from previous experience that ADFS supports version 2 of the SAML Protocol.

What is the URI of the IdP, which in this case is going to be ADFS?  Within the ADFS MMC snap-in, if you right click the Service node you can access the properties:

In the properties dialog there is a textbox allowing you to change the Federation Service Identifier:
We want that URI.
Within Salesforce we set the Issuer to the identifier URI.
Identity Provider Certificate
Salesforce can’t just go and accept any token.  It needs to only be able to accept a token from my organization.  Therefore I upload the public key used to sign my tokens from ADFS.  You can access that token by going to ADFS and selecting the Certificates node:
Once in there you can select the signing certificate:
Just export the certificate and upload to Salesforce.
Custom Error URL
If the login fails for some reason, what URL should it go to?  If you leave it blank, it redirects to a generic Salesforce error page.
SAML User ID Type
This option is asking what information we are giving to Salesforce, so it can correlate that information to one of their internal ID’s.  Since for this demo I was just using my email address, I will leave it with Assertion contains User’s username.
SAML User ID Location
This option is asking where the above ID is located within the SAML token.  By default it will accept the nameidentifier but I don’t really want to pass my email as a name so I will select user ID is in an Attribute element.
Now I have to specify what claim type the email address is.  In this case I will go with the default for ADFS, which is
On to Active Directory Federation Services
We are about half way done.  Now we just need to tell ADFS about Salesforce.  It’s surprisingly simple.
Once you’ve saved the Salesforce settings, you are given a button to download the metadata:
Selecting that will let you download an XML document containing metadata about Salesforce as a relying party.
Telling ADFS about a relying party is pretty straightforward, and you can find the detailed steps in a previous post I wrote about halfway through the article.
Once you’ve added the relying party, all you need to do is create a rule that returns the user’s email address as the above claim type:

More Here

More Single Sign On using ADFS v2

Using Simple Web Token (SWT) with WIF

Posted by gvgvasgvsz vgzavzAvv

SAML 1.1/SAML 2.0 is the default token format when using ACS as the authentication service for your website. In this model, your website talks to ACS using WS-Federation protocol and what it normally gets back is a Saml token. This scenarios is fairly straight-forward as WIF natively supports WS-Federation protocol & SAML1.1/SAML 2.0 token formats.
There are cases where you might want to return a Simple Web Tokens (SWT) after a successful authentication. For example, you might want to use this same SWT (available as a bootstrap token) to call other downstream REST/OData services as depicted in the following diagram.

ACS fully supports returning an SWT token after a successfully WS-Fed authentication but WIF currently doesn’t support SWT tokens. You would have to write a custom Security Token Handler for WIF to process SWT tokens coming back to your website. I have created some extensions which enables this and other OAuth WRAP related scenarios. Feel free to download the code from my SkyDrive.

More Here

More aboutUsing Simple Web Token (SWT) with WIF

Access Control Service Architectural Model

Posted by gvgvasgvsz vgzavzAvv

The Access Control Service is an easily configurable, cloud-based Security Token Service (STS) that supports the authentication of user name/password, Windows CardSpace, certificate, and third-party STS-issued SAML tokens and provides an authorization framework that uses flexible, claims-based rules. The Access Control Service uses the same basic architectural model for Web applications, Web services, and smart clients. In the basic scenario, there are three participants:

The Access Control Service STS.

An application that trusts the virtual Access Control Service STS (Relying Party).

The application that uses the Relying Party (Requester).

These participants interact with one another in the following manner, discussed in more detail in this section:

A trust relationship is established between the relying party and the Access Control Service STS. The owner of the relying party provides the Access Control Service STS with its certificate. This certificate is used by the Access Control Service STS to encrypt tokens that the relying party will accept.

Before the requester can use the relying party, the owner of the relying party application defines access control rules in the STS. These rules logically grant the requester access to the relying party.

The requester sends a WS-Trust 1.3-compliant Request for Security Token (RST) to the Access Control STS.

The Access Control STS receives the RST, and uses the input claims in the RST to initiate processing of the Access Control rules defined in that STS.

After Access Control rule processing, the Access Control STS packages the output into a SAML security token, signs the token, encrypts that token with the certificate provided in step 1, and sends the token back to the Requestor.

More Here

More aboutAccess Control Service Architectural Model

A Happy Valentine’s to All!

Posted by gvgvasgvsz vgzavzAvv on Sunday, February 13, 2011

From the desk of Leah Calnan, Director of Metro Property Management…

Although many of us think that Valentine’s Day was a holiday made up by the greeting card companies, chocolate companies and florists of this world, the history of Saint Valentine’s Day is quite interesting and dates back to Roman times. There are however quite a few different legends surrounding the day as you will read below but before you get started we thought we’d give you a few interesting facts about the day...

Did You Know …

- 141 million Valentine's Day cards are exchanged annually, making Valentine's Day the second-most popular greeting-card-giving occasion. (Hallmark Research)

- Over 50 percent of all Valentine's Day cards are purchased in the six days prior to the observance, making Valentine's Day a procrastinator's delight. (Hallmark Research) (Well we understand it can be a hard & very considered decision for some).

Saint Valentine’s Day History (Source

The history of Valentine's Day — and its patron saint — is shrouded in mystery. But we do know that February has long been a month of romance. St. Valentine's Day, as we know it today, contains vestiges of both Christian and ancient Roman tradition. So, who was Saint Valentine and how did he become associated with this ancient rite? Today, the Catholic Church recognizes at least three different saints named Valentine or Valentinus, all of whom were martyred.

One legend contends that Valentine was a priest who served during the third century in Rome. When Emperor Claudius II decided that single men made better soldiers than those with wives and families, he outlawed marriage for young men — his crop of potential soldiers. Valentine, realizing the injustice of the decree, defied Claudius and continued to perform marriages for young lovers in secret. When Valentine's actions were discovered, Claudius ordered that he be put to death.

Other stories suggest that Valentine may have been killed for attempting to help Christians escape harsh Roman prisons where they were often beaten and tortured.

According to one legend, Valentine actually sent the first "valentine" greeting himself. While in prison, it is believed that Valentine fell in love with a young girl — who may have been his jailor's daughter — who visited him during his confinement. Before his death, it is alleged that he wrote her a letter, which he signed "From your Valentine," an expression that is still in use today. Although the truth behind the Valentine legends is murky, the stories certainly emphasize his appeal as a sympathetic, heroic, and, most importantly, romantic figure. It's no surprise that by the Middle Ages, Valentine was one of the most popular saints in England and France.

Whatever it is you decide to do to celebrate the day we at Metro hope you have a great day (& get spoilt too).

Until next time…
More aboutA Happy Valentine’s to All!