Earlier this morning I got an email from John
Bristowe congratulating me on being selected to present a session for the local
flavours track at TechDays in Toronto!
This bumps
up my count to 2. Needless to say I am REALLY excited.
I was a little disappointed to find out there weren’t any sessions on the Windows
Identity Foundation, so that just meant I had to submit my own to the local flavours
track…and they accepted it! Here are the details:
October 27, 3:40 PM to 4:45 PM
Breakout | LFT330: Windows Identity Foundation Simplified: All the Scary Things
Made Un-Scary
The Windows Identity Foundation helps simplify user access for developers by externalizing
user access from applications via claims and reducing development effort with pre-built
security logic and integrated .NET tools. This presentation is an intimate discussion
on the basics of the Windows Identity Foundation and its claims model. In this session,
you’ll learn how to refactor an existing sample set of applications to use WIF, to
connect identities to the Cloud, and to remove the burden of managing multiple disparate
user stores.
Location: Metro Toronto Convention
Centre - South Building (255 Front Street West, Toronto)
Room: TBA
Rob Windsor and TVBUG are letting me present on
November 8th on Claims-Based Authentication and Identification. Here are the
details:
Location: Room 1, Library, 2nd floor, North York Public Library
Date: Monday, November 8, 2010
Time:
6:30 to 6:50 (Pizza - Meet and Greet)
6:50 to 7:00 (Group Business)
7:00 to 9:00 (Presentation)
Topic: Changing the Identity Game with the Windows Identity Foundation
Abstract: Identity is a tricky thing to manage. These days every application requires
some knowledge of the user, which inevitably requires users to log in and out of the
applications to prove they are who they are as well as keep a record of their accounts.
With the Windows Identity Foundation, there is a fundamental shift in the way we manage
these users and their accounts. In this presentation we will take a look at the why's
and dig into the how's of the Windows Identity Foundation by building an Identity
aware application from scratch.
Directions
All TVBUG meetings are held at the North York Public Library or North York
Memorial Hall. Both are located in the same building at Yonge Street and Park
Home Avenue (North of the 401 between Sheppard and Finch across from Empress Walk).
If you are taking the Subway get off at the North York Centre Station.
The library meeting rooms are on the 2nd Floor. Memorial Hall meeting rooms are on
the Concourse Level near the food court.
One of my ongoing projects is to dive deeply into Visual Studio Team Foundation Server
2010. TFS is pretty easy to get up and running, but as you get into some of
the advanced features like Build Services and Lab Management, it gets kind of tricky.
Luckily there’s a fair bit of guidance from our favorite blue badged company.
On the Lab Management Team Blog there
is a 4 part walkthrough on Getting Started with Lab Manager in TFS. Since they
are using the RC build of TFS, the walkthrough was pretty spot on to the RTM build.
Here is the walkthrough:
-
http://blogs.msdn.com/b/lab_management/archive/2010/02/16/getting-started-with-lab-management-vs2010-rc-part-1.aspx
-
http://blogs.msdn.com/b/lab_management/archive/2010/02/16/getting-started-with-lab-management-vs2010-rc-part-2.aspx
-
http://blogs.msdn.com/b/lab_management/archive/2010/02/16/getting-started-with-lab-management-vs2010-rc-part-3.aspx
-
http://blogs.msdn.com/b/lab_management/archive/2010/02/16/getting-started-with-lab-management-vs2010-rc-part-4.aspx
If you are looking for test code to try out deployments and testing check out part
3, as it contains a working project.
When SharePoint 2010 was developed, Microsoft took extra care to include support for
a claims-based identity model. There are quite a few benefits to doing it this
way, one of which is that it simplifies managing identities across organizational
structures. So lets take a look at adding a Secure Token Service as an Authentication
Provider to SharePoint 2010.
First, Some Prerequisites
-
You have to use PowerShell for most of this. You wouldn’t/shouldn’t be adding
too many Providers to SharePoint all that often so there isn’t a GUI for this.
-
The claims that SharePoint will know about must be known during setup. This
isn’t that big a deal, but…
Telling SharePoint about the STS
Once you’ve collected all the information you need, open up PowerShell as an Administrator
and add the SharePoint snap-in on the server.
Add-PSSnapin Microsoft.SharePoint.PowerShell
Next we need to create the certificate and claim mapping objects:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("d:\path\to\adfsCert.cer")
$claim1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
-IncomingClaimTypeDisplayName "Role" –SameAsIncoming
$claim2 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-IncomingClaimTypeDisplayName "EmailAddress" –SameAsIncoming
There should be three lines. They will be word-wrapped.
The certificate is pretty straightforward. It is the public key of the STS.
The claims are also pretty straightforward. There are two claims: the roles
of the identity, and the email address of the identity. You can add as many
as the STS will support.
Next is to define the realm of the Relying Party; i.e. the SharePoint server.
$realm = "urn:" + $env:ComputerName + ":adfs"
By using a URN value you can mitigate future changes to addresses. This becomes
especially useful in an intranet/extranet scenario.
Then we define the sign-in URL for the STS. In this case, we are using ADFS:
$signinurl = https://[myAdfsServer.fullyqualified.domainname]/adfs/ls/
Mind the SSL.
And finally we put it all together:
New-SPTrustedIdentityTokenIssuer -Name "MyDomainADFS2" -Description "ADFS
2 Federated Server for MyDomain" -Realm $realm -ImportTrustCertificate $cert
-ClaimsMappings $claim1,$claim2 -SignInUrl $signinurl -IdentifierClaim $claim2.InputClaimType
This should be a single line, word wrapped. If you wanted to you could just
call New-SPTrustedIdentityTokenIssuer and then fill in the values one at
a time. This might be useful for debugging.
At this point SharePoint now knows about the STS but none of the sites are set up
to use it.
Authenticating SharePoint sites using the STS
For a good measure restart SharePoint/IIS. Go into SharePoint Administration
and create a new website and select Claims Based Authentication at the top:
Fill out the rest of the details and then when you get to Claims Authentication
Types select Trusted Identity Provider and then select your STS.
In this case it is my ADFS Server:
Save the site and you are done. Try navigating to the site and it should redirect
you to your STS. You can then manage users as you would normally with Active
Directory accounts.
There are times when you need to question what you are doing, and why you are doing
it. Take for instance the “evercookie” at http://samy.pl/evercookie/.
I came across this when Kevin Dente posted
a link to it on Twitter.
The jist of it is to use all the available resources of the browser and it’s plugins
to create a truly persistent cookie across browser resets and cookie cleanups.
I’ll admit, it’s kind of a neat idea, but realistically, it will only be used for
bad. As Kevin said, no good can come of this.
Now, nothing is ever truly persistent when it comes to browsers. At some point
you can clean everything. The problem is the plugins. Flash is…well, I
hate Flash. It is an abomination. Then there is Silverlight. Plus
Java, and any plugin or ActiveX control that ties into the browser that stores data
locally.
While I could get into the privacy and security debate over all of this, what it really
boils down to is that it’s just really annoying. I don’t want websites keeping
persistent data on my machine if I don’t want them to. It’s my PC, not theirs.
So I’ve started work on a little script. It will clear cache of IE 7+ and delete
all persistent storage for Flash, Java, and Silverlight.
Keep in mind this will delete your history as well!
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
cd %appdata%
cd "Macromedia\Flash Player\"
rmdir "#SharedObjects" /S /Q
cd %appdata%
cd "Macromedia\Flash Player\macromedia.com\support\flashplayer\"
rmdir "sys" /S /Q
cd "C:\Program Files (x86)\Java\jre6\bin"
javaws -Xclearcache -silent -Xnosplash
cd "%userprofile%"
cd AppData\LocalLow\Microsoft\Silverlight"
rmdir "is" /S /Q
Now, I should also give a word of caution. This is by no means a sure-fire way
to protect your privacy. That’s pretty hard to do. This is only designed
to do a very simple cleanup of the usual suspects. If you are really wanting
to keep your browsing anonymous, turn off all plugins, turn off all scripting, and
run in InPrivate Browsing mode.
I’ll update the script as necessary over time.
Sometime last week I sent out an email to quite a few people:
As is the way of things in the tech industry, jobs change. More specifically,
mine.
Sometime around October 1st this email will be turned off as I am starting
a new position with ObjectSharp working with some of the brightest minds in Toronto.
If you need to get in touch with me after that date you can do it through a few channels.
My personal email is steve@syfuhs.net, which
gets checked more often than it should, and my O# email will be ssyfuhs@objectsharp.com.
Cheers
Steve Syfuhs, MCP
Soon to be ex-Software Developer / Database Analyst
Woodbine Entertainment Group
416.675.3993 Ext 2592
While I really enjoyed my job here at Woodbine (even though I complained about it
from time to time), it’s time for change and to move on to new opportunities.
Barry Gervin offered me such an opportunity and I start with ObjectSharp on October
1st. Bonus for starting on a Friday.
My role has many functions. Some internal; some external. Some loud; some…notsomuch.
Some cryptic. 
It sounds like it will be an amazing experience!
So… I leave you with this:
Active Directory Federation Services 2 has an amazing amount of power when it comes
to claims transformation. To understand how it works lets take a look at a set
of claims rules and the flow of data from ADFS to the Relying Party:
We can have multiple rules to transform claims, and each one takes precedence via
an Order:
In the case above, Transform Rule 2 transformed the claims that Rule
1 requested from the attribute store, which in this case was Active Directory.
This becomes extremely useful because there are times when some of the data you need
to pull out of Active Directory isn’t in a useable format. There are a couple
options to fix this:
-
Make the receiving application deal with it
-
Modify it before sending it off
-
Ignore it
Lets take a look at the second option (imagine an entire blog post on just ignoring
it…). ADFS allows us to transform claims before they are sent off in the token
by way of the Claims
Rule Language. It follows the pattern: "If a set of conditions is true,
issue one or more claims." As such, it’s a big Boolean system. Syntactically,
it’s pretty straightforward.
To issue a claim by implicitly passing true:
=> issue(Type = "http://MyAwesomeUri/claims/AwesomeRole", Value = "Awesome
Employee");
What that did was ignored the fact that there weren’t any conditions and will always
pass a value.
To check a condition:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
Value == "SomeRole"]
=> issue(Type = "http://MyAwesomeUri/claims/AwesomeRole",
Value = "AwesomeRole");
Breaking down the query, we are checking that a claim created in a previous step has
a specific type; in this case role and the claim’s value is SomeRole.
Based on that we are going to append a new claim to the outgoing list with a new type
and a new value.
That’s pretty useful in it’s own right, but ADFS can actually go even further by allowing
you to pull data out of custom data stores by way of Custom Attribute Stores.
There are four options to choose from when getting data:
-
Active Directory (default)
-
LDAP (Any directory that you can query via LDAP)
-
SQL Server (awesome)
-
Custom built store via custom .NET assembly
Let’s get some data from a SQL database. First we need to create the attribute
store. Go to Trust Relationships/Attribute Stores in the ADFS MMC Console (or
you could also use PowerShell):
Then add an attribute store:
All you need is a connection string to the database in question:
The next step is to create the query to pull data from the database. It’s surprisingly
straightforward. This is a bit of a contrived example, but lets grab the certificate
name and the certificate hash from a database table where the certificate name is
equal to the value of the http://MyCertUri/UserCertName claim type:
c:[type == http://MyCertUri/UserCertName]
=> issue(store = "MyAttributeStore",
types = ("http://test/CertName",
"http://test/CertHash"),
query = "SELECT CertificateName,
CertificateHash FROM UserCertificates WHERE CertificateName='{0}'", param = c.value);
For each column you request in the SQL query, you need a claim type as well.
Also, unlike most SQL queries, to use parameters we need to use a format similar to
String.Format instead of using @MyVariable syntaxes.
In a nutshell this is how you deal with claims transformation. For a more in
depth article on how to do this check out TechNet: http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx.
When you install an instance of Active Directory Federation Services v2, amongst other
things it will create a website within IIS to use as it’s Secure Token Service.
This is sort of fundamental to the whole design. There are some interesting
things to note about the situation though.
When Microsoft (or any ISV really) releases a new application or server that has a
website attached to it, they usually deliver it in a precompiled form, so all we do
is point IIS to the binaries and config files and we go from there. This serves
a number of purposes usually along the lines of performance, Intellectual Property
protection, defense in depth protection, etc. Interestingly though, when the
installer creates the application for us in IIS, it drops source code instead of a
bunch of assemblies.
There is a valid reason for this.
It gives us the opportunity to do a couple things. First, we can inspect the
code. Second, we can easily modify the code. Annoyingly, they don’t give
us a Visual Studio project to do so. Let’s create one then.
First off, lets take a look at what was created by the installer. By default
it drops the files in c:\inetpub\adfs\ls. We are given a few files and folders:
There isn’t much to it. These files only contain a few lines of code.
Next we create the actual project.
DISCLAIMER: I will not be held responsible if things break
or the server steals your soul. Please do NOT (I REPEAT) do NOT do this with
production servers please! (Notice I said please twice?)
Since we want to create a Visual Studio project, and since ADFS cannot be installed
on a workstation, we have two options:
-
Install Visual Studio on the server running ADFS
-
Copy the files to your local machine
Each options have their tradeoffs. The first requires a bit of a major overhaul
of your development environment. It’s very similar to SharePoint 2007 development.
The second option makes developing a lot easier, but testing is a pain because the
thing won’t actually work properly without the Windows Services running. You
would need to deploy the code to a test server with ADFS installed.
Since I have little interest in rebuilding my development box, I went with the second
option.
Okay, back to Visual Studio. The assemblies referenced were all built on Framework
3.5, so for the sake of simplicity lets create a 3.5 Web Application:
I haven’t tested 4.0 yet.
Since this is a Web Application and not a Web Site within Visual Studio, we need to
generate the *.designer.cs files for all the *.aspx pages. Right-click your
project and select Convert to Web Application:
At this point if you tried to compile the application it wouldn’t work. We are
missing a few assembly references. First, add Microsoft.IdentityModel.
This should be in the GAC or the Reference Assemblies folder in Program Files.
Next, go back to the ADFS server and navigate to C:\Program Files\Active Directory
Federation Services 2.0 and copy the following files:
-
Microsoft.IdentityServer.dll
-
Microsoft.IdentityServer.Compression.dll
Add these assemblies as references. The web application should compile successfully.
Next we need to sign the web application’s assemblies. If you have internal
policies on assembly signing, follow those. Otherwise double-click the properties
section in Solution Explorer and navigate to Signing:
Choose a key file or create a new one. Rebuild the web application.
So far we haven’t touched a line of code. This is all general deployment stuff.
You can deploy the web application back to the ADFS server and it should work as if
nothing had changed. You have a few options for this. The Publishing Features
in Visual Studio 2010 are awesome. Right click the project and Publish it:
Since I set up a test box for ADFS development, I’m just going to overwrite the files
on the server:
Pro Tip: If you do something terrible and need to revert back to original code (what
part of don’t do this on a production box didn’t make sense? 
)
you can access the original files from C:\Program Files\Active Directory Federation
Services 2.0\WSFederationPassive.Web.
At this point we haven’t done much, but we now have a stepping point to modify the
default behavior of ADFS. This could range from simple theme changes to better
suit corporate policy, or to completely redefine the authentication workflow.
This also gives us the ability to better protect our code in the event that IIS craps
out and shows contents of files, not to mention the (albeit minor) performance boost
we get because the website doesn’t need to be recompiled.
Have fun!
Joey Devilla has graciously offered me the opportunity to present at Techdays
in Toronto this year! The Toronto event is October 27th-28th.
Here is the session abstract:
DEV355: Build Web Sites Fast with
Microsoft Visual Studio 2010 (click for more information)
Day 1 - 1:00pm - 2:05pm
Learn about the new Web developer innovations in Visual Studio 2010. Visual Studio
2010 makes development of standards-based Web sites better than ever with new support
for CSS 2, HTML code snippets, powerful dynamic Intellisense for Javascript, and more!
Visual Studio 2010 also makes it easy to deploy applications from development to test
and production environments with new support for Web Configuration Transforms and
integration with the IIS Web Deployment Tool.
For more details:
|
*Early Bird discount ($349.99 + taxes) expires on September 16, 2010. |
Toronto October 27-28, 2010
Metro Toronto Convention Centre
255 Front Street West
Toronto ON M5V 2W6
Show
Map
Get Directions
Register Now!
|
 |
|
|
Just a heads up that I will be presenting on ADFS in Toronto for the IT
Pro User Group. Here is the write up:
Simplifying
User Identity with Active Directory Federation Services (click
for link to event)
Start Date/Time:
Tuesday, October 12, 2010 6:30 PM
End Date/Time:
Tuesday, October 12, 2010 9:30 PM
Location:
UofT Health Sciences Bldg, Rm 106, 155 College St.
Description:
There is a growing demand for single sign-on solutions that cross organizational,
application and platform boundaries of all sizes. In this presentation, lets
take a look at how we can easily meet these demands using Active Directory Federation
Service 2.0 and the Windows Identity Foundation.
Don't worry; There won't be any code.
Bio:
Steve Syfuhs is a very loud software developer, and works for a large not-for-profit
Corporation creating awesome applications. He has a passion for all things technology,
but tries to stick to the fun stuff like the web development, identity management,
and telling bad jokes. His website, www.syfuhs.net,
is a collection of random thoughts and ideas that revolve around technology.
And stuff.
