WS-Federation Single Logout (SLO) is not supported by the Microsoft WIF libraries. This is mentioned in the Programming Windows Identity Foundation book of Vitorrio Bertocci on page 121. This should however only affect you if you have written your own IDP / IP-STS. As a result one can only sign-out from a single site at… Read More »
To Integrate Ws-Federation into .Net Core is straight forward although the documentation of this topic is really lacking. In the article below I have some code snippets showing how to do the integration.
To generate ws-federation metadata for your own STS use the following tool. Federation metadata generation tool on GitHub or you just download a copy of the source here from my site. The tool will not create a federation metdata file for a relying party (RP). To create a federation metadata file for a RP use the XML… Read More »
I wrote this small single file aspx utility that can be dropped in a asp.net website. The utility will allow the user to view the claims within the token.
It can often be a problem to trace problems with SAML as WS-Federation. Here are some plugins that I have found that can make your live easier.
Invalid Base64 characters? Invalid XML? Anyone that has had to work with these FedAuth tokens would have experienced errors with the format of the FedAuth tokens.
I recently implemented a centralized security token cache and observed that although the user signs-out and the session cookie is removed from the browser the session token was never removed from the SecurityTokenCache. This is something I would never have observed if I did not implement this cache.
ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.
It is important to realize that although a website might be running under HTTPS it does not guarantee that the session information is not accessible from normal HTTP requests. When a session cookie is generated it is important to make sure that the cookie can only be transmitted over a secure HTTP connection (HTTPS).
Been bashing my head against this (WIF: ID1014: The signature is not valid. The data may have been tampered with) problem now for about a week. WIF tracing has been useless in trying to solve this. For my own sanity sake, here are the possible causes that I have found so far that could cause it.
In the following example i will show how to build an Identity Provider also called a passive security token service (IP-STS) that issues tokens using WS-Federation. This post builds on work done in a previous post, Create your own active STS. In this article I will show how to create a complete working example of an… Read More »
Figured that I would start a post dealing specifically with all the terms we find in the Identity world. Ill add to this post as time goes on…
I created a windows forms application sample that can assist with decoding to FedAuth tokens captured from tools like Fiddler, source is included. It is downloadable from this link.
A passive STS (IP-STS) is a website that issues a token and uses the browser to direct the flow of the application through redirects. The following example will be integrating a website with a passive STS that issues tokens using the WS-Federation standard. Click here if you wish to see how to create your own passive STS.
There I stood, alone in the dark, Linkin Park playing in the distance. Armed with Vittorio’s WIF book, my experience and limited knowledge fighting for the honor of Assima. I confronted the beast that wanted to see me fail. It stood there with rage in its eyes, it hated me. I felt its hate burning into… Read More »