WS-Federation Single Logout (SLO) is not supported by the Microsoft WIF libraries. This is mentioned in the Programming Windows Identity Foundation book of Vitorrio Bertocci on page 121. This should however only affect you if you have written your own IDP / IP-STS. As a result one can only sign-out from a single site at… Read More »
To Integrate Ws-Federation into .Net Core is straight forward although the documentation of this topic is really lacking. In the article below I have some code snippets showing how to do the integration.
To generate ws-federation metadata for your own STS use the following tool. Federation metadata generation tool on GitHub or you just download a copy of the source here from my site. The tool will not create a federation metdata file for a relying party (RP). To create a federation metadata file for a RP use the XML… Read More »
Bug in RemoveServerHeader attribute for IIS 10+ There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.
The a HTTP module is used when you need to intercept and examine the incoming HTTP requests before or after the page life cycle. The HTTPModule provides events where you can plug into to examine or alter the request or response within the asp.net cycle. HTTPModule are the perfect place the apply security checks.
HTTP headers leak technical information to potential attackers about a system. To harden the security of an application you need to disclose as little information about a system as possible. In this post I will show to remove the Asp.net version from HTTP server header responses.
Securing a website with HTTPS in Asp.net core is a bit different than with normal asp.net in IIS. In this post I will show to configure asp.net core so that it uses HTTPS.
I wrote this small single file aspx utility that can be dropped in a asp.net website. The utility will allow the user to view the claims within the token.
It can often be a problem to trace problems with SAML as WS-Federation. Here are some plugins that I have found that can make your live easier.
When it comes to access control in asp.net we are all familiar with the access control elements found in the web.config. Below I will cover the best way to secure a website with the authorization element?