Monday, May 16, 2016

Misc : "Why I Haven’t Fixed Your Issue Yet"

This really resonated with me.

Why I Haven’t Fixed Your Issue Yet

I don't do that much open source work - a bit - but nowhere near as much as I help out on Forums.

I help out on forums because I like to pay something back but it's not my full-time job and I don't get paid for it :-)

I get that you have a critical deadline, that your boss is on your back, that you are close to panic etc., but you are not the only one in the forums and, like the writer above, I have to prioritise.

I give preference to those people who have actually tried to solve the problem e.g. they paste the ADFS claims rules that don't work.

People who write "HELP NEEDED" or "CRITICAL" and then leave a description like "Doesn't work", so that I need three "answers" to tease out what version they are using against what repository, and who essentially expect me to do their job for them, tend to be at the bottom.

And answers like "Don't have time to understand regex" pretty much guarantee that they will be back next week with another variation of the same problem.

Yes - it's hard but is it not part of your job to understand this stuff?

There are no excuses - there are hundreds of articles, books, Pluralsight courses etc.
Have a read of Jon Skeet's classic Writing the perfect question.

Help me to help you by describing and documenting the problem.

Oh and by the way, it's considered good etiquette to mark the question as answered, give reputation points or whatever if I help solve the problem.


Friday, May 13, 2016

Azure B2C : Differences with Access Control Services (ACS)

B2C is the way forward for ACS.

Refer : The future of Azure ACS is Azure Active Directory.

I put this table together:

Note 1: Azure B2C : Differences with Azure Active Directory (AAD)

Any E&O, feel free to discuss via comments.


Thursday, May 12, 2016

Azure B2C : Differences with Azure Active Directory (AAD)

There are a number of gotchas with B2C that you may not realise at first.

This is still in preview so things will undoubtedly change, and there is also B2C Premium on the horizon but no details are publicly available.

More details around limitations here.

To be fair, B2C is aimed at a completely different use case viz. external users who can self-manage via self-service registration and who need SSPR functionality.

I put this table together:

Azure AD | Azure B2C
--- | ---
Can share tenant e.g. with O365 | B2C separate tenant that can contain B2C users only
Can add SaaS applications via Market Place |
Can federate with other IDP |
AD sync. via AD Connect |
Users can have O365 licences |
Support for WS-Fed, SAML 2.0p, OpenID Connect, OAuth2 | Some OpenID Connect, OAuth2 functionality (see below)
Support for Single Page Application (SPA) front-end that is written primarily in JavaScript and often uses a SPA framework such as AngularJS, Ember.js, Durandal, etc. |
Web API support for OAuth 2.0 JWT Bearer Credential Grant, otherwise known as the On-Behalf-Of flow |
Support for OAuth 2.0 client credentials flow | N/A – must use OpenID Connect to authenticate first
Wide range of authentication platforms | Only .NET, iOS, Android, and NodeJS
Social support for Yahoo, Facebook, Google and MSA (Windows Live) via ACS | Social support for Facebook, Google, Amazon, LinkedIn and MSA (Windows Live)
Can add additional social providers via Identity aaS e.g. Auth0, Optimal IDM etc. |
Can verify custom domains | N/A on classic portal

Any E&O, feel free to discuss via comments.


Wednesday, May 04, 2016

ADFS : Expired password

Continuing from ADFS : Adding "Change Password" to the default login page.

That post concerned "Change Password", but then I came across a reference to the effect that once this feature was enabled, it also handled "Expired Password".

Now I tried this on Active Directory Federation Services on Server 2016 Technical Preview 4 (ADFS 4.0) but the article states that it works on ADFS 3.0 (Server 2012 R2) as well.

After logging in with an expired password, I got:

Very neat!

However, for "Forgotten Password" i.e. user requires a "Reset Password", you are out of luck.

You could configure one of the configurable strings using PowerShell to say something like "Forgot your password?" and then link that to a custom web site, which you would have to create, that talks to AD via LDAP.

Obviously there are security constraints with this, e.g. you need something like "Secret Q & A".


Monday, May 02, 2016

ADFS : Server 2016 OAuth JWT is missing scope and NameID

This is for Active Directory Federation Services on Server 2016 Technical Preview 4 / 5.

As per ADFS : Daemon and Web API on Server 2016 TP4 ADFS 4.0, I made the comment:

"The Azure AD sample relies on scope and NameID claims being returned in the JWT token. This is OK in Azure AD where the claims are static and Azure AD knows the ID of the application which is returned as a GUID in the NameID claim. ADFS AFAIK does not have claims rules for this so I hard coded the NameID. Hopefully, this will be resolved as more documentation is forthcoming."

Then I came across AD FS On-behalf-of Authentication in Windows Server 2016.

As per that article, you have to manually generate the scope claims!

They use the following claims rules (the pass-through rule needs the `c:[]` condition to bind `c`; it is shown here in full):

@RuleName = "All claims"
c:[]
 => issue(claim = c);

@RuleName = "Issue open id scope"
 => issue(Type = "", Value = "openid");

@RuleName = "Issue user_impersonation scope"
 => issue(Type = "", Value = "user_impersonation");

These match the scope check boxes configured in ADFS in the application group.

This means that every time you alter the scopes you need to alter the claims rules.

Hopefully, this will be fixed before the official release.

The other issue I had was with NameID.

As per that article:

"From AD FS we are issuing the Nmae claim but we are not issuing NameIdentifier claim. The sample uses NameIdentifier to uniquely key in the ToDo items. For simplicity, you can safely remove the NameIdentifier with Name claim in the code. Find and replace all occurences of NameIdentifier wiht Name."

(Spelling as per original article.)

My solution was simply to generate a static NameID. The whole point is to have a unique key into the token store.
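As an added example (not code from this post or from Microsoft's article), the Python below regenerates the scope claims rules from the list of scopes ticked in the application group, adds the static NameID workaround described above, and checks a decoded access token for the scopes and NameID that the Azure AD sample expects. The scope and NameID claim type URIs, the JWT short names scp and sub, and the static key value are assumptions, not taken from the post.

```python
import base64
import json

# Assumed claim type URIs (the post leaves Type blank): the AD FS scope claim
# type and the standard WS-Fed NameID claim type.
SCOPE_CLAIM_TYPE = "http://schemas.microsoft.com/identity/claims/scope"
NAMEID_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


def build_issuance_rules(scopes, static_name_id=None):
    """Emit the rules the post writes by hand: pass-through, one rule per scope
    ticked in the application group, and optionally a hard-coded NameID."""
    rules = ['@RuleName = "All claims"\nc:[]\n => issue(claim = c);']
    for scope in scopes:
        rules.append(f'@RuleName = "Issue {scope} scope"\n'
                     f' => issue(Type = "{SCOPE_CLAIM_TYPE}", Value = "{scope}");')
    if static_name_id is not None:
        rules.append('@RuleName = "Issue static NameID"\n'
                     f' => issue(Type = "{NAMEID_CLAIM_TYPE}", Value = "{static_name_id}");')
    return "\n\n".join(rules)


def decode_jwt_payload(token):
    """Base64url-decode the payload segment only. This inspects claims and does
    NOT verify the signature; the resource must verify it before trusting them."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def missing_claims(payload, expected_scopes, scope_claim="scp", nameid_claim="sub"):
    """List what the Azure AD sample trips over against AD FS: expected scopes
    absent from the scope claim, or no NameID claim at all. The JWT short
    names 'scp' and 'sub' are assumptions; pass the names your tokens use."""
    raw = payload.get(scope_claim, [])
    granted = set(raw) if isinstance(raw, list) else set(str(raw).split())
    problems = [f"scope:{s}" for s in expected_scopes if s not in granted]
    if not payload.get(nameid_claim):
        problems.append(f"claim:{nameid_claim}")
    return problems


def constructed_sample_token(payload):
    """Build an UNSIGNED alg=none token from a constructed payload, purely so the
    checker can be exercised offline; never accept such tokens in a real API."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{b64({"alg": "none", "typ": "JWT"})}.{b64(payload)}.'
```

Running `missing_claims` against a token minted by a fresh application group shows exactly which scope rules are still missing after the check boxes were changed.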


ADFS : OpenID Connect and OAuth2 support on Server 2016 TP5

This is for Active Directory Federation Services on Server 2016 Technical Preview 5.

This is the last TP before RTM.

I've done a series of posts on this capability in TP4 and I tried a few of the use cases in TP5 and they worked no problem.

All you need to do is to change the metadata URL and the clientID and the secret key.

So much easier when you have a working sample as reference :-).

There is a similar series of Microsoft posts here. I believe that more content is going to be added prior to RTM.

The format of these posts is somewhat different to the way that I do them but I will leave you to decide which way you prefer!