January 2010 Archives

As Eugenio Pace mentioned on his blog, the new book A Guide to Claims-Based Identity and Access Control has been released in its entirety online.  The published version will be out some time this spring if I'm not mistaken.  I served as a technical editor on this book, and I certainly recommend it.  It was really great working with Eugenio and the group.

BTW, I got involved in this project by engaging with Matias Woloski on Twitter.  He forwarded my contact info to Eugenio, and the rest is history.  I have had similar experiences due to my use of other social media such as LinkedIn, Facebook, and blogging.  So, if you're not using on-line social networking, I encourage you to begin.  It is a fun way to connect with your peers.

I presented to the Portland chapter of the OWASP Foundation this afternoon on SAML, digital identity, and federation.  It went really well, and it was very enjoyable.  Thanks to all who attended and to the group's organizers, AJ Dexter and Tim Morgan.  I've uploaded my slides, and anyone is free to use them.  Check out the OWASP Web site for upcoming events.  If you have topics you'd like to suggest or are interested in speaking to the group about something related to Web application security, I'm sure they would love to hear from you.

If you're confused by something in the slides, have feedback, or would like me to present to your group about this or other topics, please let me know.

I've gotten a lot of positive feedback on the last two presentations I've uploaded about SAML:
Thanks to all those who shared their thoughts.  You're why I write this blog :-)

In preparation for my upcoming talk at the Portland OWASP group about federation and SAML, I decided to dig a bit more into the SAML 2.0 Identity Provider Discovery Profile.  This profile loosely defines a way to do home realm discovery: each IdP records its entity ID in a cookie set on a domain shared by the whole federation (the common domain cookie), and a service provider reads that cookie to learn which IdP the user most recently authenticated with, so it knows where to send its authentication request.  It lays out a solution that is probably only used by really big organizations, but I feel that it's good to know it just in case I need it one day.  If you're like me and want to understand the details of SAML and federation, download this intuitive, animated presentation showing one way to implement this profile.  Note that I said one way.  This part of the spec is pretty open and allows for a lot of variation.  Also, unlike the other PowerPoints I've done recently, this one includes notes on each slide to help explain what all the arrows mean.
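The cookie handling the profile defines, as an added Python example that is not part of the original post or of the slide deck it links to.  The cookie name, the base64 encoding of each IdP entity ID, the space separator and the "most recently used IdP last" ordering are what the profile specifies; the common domain, the entity IDs, the entry cap and the cookie attributes (Secure, SameSite, lifetime) are this example's own assumptions.  The SP side generalizes the profile slightly by walking back through the list to the most recent IdP it actually trusts rather than blindly taking the last entry.

```python
"""SAML 2.0 Identity Provider Discovery Profile: the common domain cookie (CDC).

Added example; not code from the original post or its slide deck. The cookie
name (_saml_idp), the base64 encoding of each IdP entity ID, the single-space
separator and the "most recently used IdP last" ordering come from the
profile. The common domain, the entity IDs, the entry cap and the cookie
attributes are this example's own assumptions.
"""
from __future__ import annotations
import base64
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

CDC_NAME = "_saml_idp"
COMMON_DOMAIN = "cdc.example.org"   # assumed domain shared by the federation's IdPs and SPs
MAX_ENTRIES = 10                    # assumed cap; keeps the cookie well under 4 KB
MAX_AGE = 180 * 24 * 3600           # assumed lifetime for the persistent cookie


def parse_cdc(raw: str) -> list[str]:
    """Decode a CDC value into IdP entity IDs, oldest first.

    Malformed entries are skipped: a corrupt cookie should fall back to a
    manual IdP choice, not break discovery with an error page.
    """
    entity_ids = []
    for token in unquote(raw).split():
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:   # bad base64 or bad UTF-8 (binascii.Error is a ValueError)
            continue
    return entity_ids


def update_cdc(raw: str, entity_id: str) -> str:
    """What an IdP does after authenticating a user: move itself to the end.

    Any earlier entry for the same IdP is removed first, so the list stays a
    de-duplicated recency order. The value is URL-encoded so spaces and base64
    padding survive as a cookie value.
    """
    entity_ids = [e for e in parse_cdc(raw) if e != entity_id]
    entity_ids.append(entity_id)
    entity_ids = entity_ids[-MAX_ENTRIES:]
    encoded = " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)
    return quote(encoded, safe="")


def set_cookie_header(raw: str) -> str:
    """Render the Set-Cookie value the IdP's CDC writer service would send."""
    jar = SimpleCookie()
    jar[CDC_NAME] = raw
    morsel = jar[CDC_NAME]
    morsel["domain"] = COMMON_DOMAIN
    morsel["path"] = "/"
    morsel["max-age"] = MAX_AGE
    morsel["secure"] = True      # the writer and reader services run over HTTPS
    morsel["samesite"] = "Lax"   # survives top-level redirects; hardening that postdates the profile
    return morsel.OutputString()


def choose_idp(raw: str, trusted: set[str]) -> str | None:
    """What the SP does with the value its CDC reader service handed back.

    The profile says to take the last (most recent) entry. This generalizes
    slightly: walk back from the most recent entry and take the first IdP the
    SP actually federates with. Any host under the common domain can write
    this cookie, so an entry naming an unknown IdP is a hint, not a trust
    decision; with no usable entry the SP falls back to a manual picker.
    """
    for entity_id in reversed(parse_cdc(raw)):
        if entity_id in trusted:
            return entity_id
    return None


if __name__ == "__main__":
    # Constructed walk-through: the user logs in at IdP A, then B, then A again.
    cookie = ""
    for idp in ("https://idp-a.example.edu/saml", "https://idp-b.example.org/saml",
                "https://idp-a.example.edu/saml"):
        cookie = update_cdc(cookie, idp)
    print(set_cookie_header(cookie))
    print(parse_cdc(cookie))                                        # [B, A]: A moved to the end
    print(choose_idp(cookie, {"https://idp-b.example.org/saml"}))   # B: A is not trusted here
```

The two halves run on different hosts in practice: the IdP's writer service under the common domain calls update_cdc and emits the Set-Cookie header after a login, and the SP's reader service under the same domain hands the raw value to choose_idp.  The trust filter in choose_idp is the check worth keeping even if you simplify everything else, because the cookie is writable by anything under the common domain.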

If you would like to use this PPT to explain SAML to your friends and family, feel free.  Ditto for more professional uses ;-)  I just ask that you give me credit and leave my name on the deck.

As always, if you have thoughts, comments, or questions, feel free to leave them here or by getting in touch with me.  Happy federating and see you at OWASP next week.

The other day, Travis Nielsen wrote an article about how to use ADFS in conjunction with an OpenID provider (OP) to authenticate users accessing a SharePoint 2010 site.  His article is really good and definitely worth reading.  As he says in it, he based his work on Matias Woloski's which is also a must read.  Travis proposes a solution that, if implemented exactly, will include five token services.  Something like this:


I like this stuff a lot, but that's too many STSs if you ask me.  Instead, I would suggest doing away with the protocol transition STS (as Matias called it) and instead customize ADFS's login app to thunk between WS-Federation and OpenID.  Building a proof of concept (PoC) to demonstrate this using Matias' code was short work.  Here's how I did it:

1. I changed IIS, so ADFS would use my own login app rather than the one that it comes with.  I did so by modifying the IIS "ls" application to point to some other directory.  You can also do this by modifying the Windows Internal Database (WID), but I wouldn't recommend that.


2. Then I dumped Matias' code into this directory and modified it a tiny bit. (My code can be found in this ZIP file.)

3. I didn't have SharePoint 2010 set up, so I used one of the passive RPs that come with the WIF SDK as a substitute.  I changed the issuer URI to that of ADFS's passive endpoint (i.e., https://.../adfs/ls). Then, I pulled it up in my browser.  I was redirected to ADFS's new login app.

4. Once there, I entered my OP's endpoint.


5. This redirected me to my OP, and I logged in.


6. I was redirected back to the ADFS login app (passive STS) which thunked the OpenID response to a WS-Federation response.  I was then redirected to the RP (which would be the SharePoint RP-STS in the actual case).  The RP displayed the claims which included the name and ID issued by the OP.
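The thunk in steps 4 through 6, as an added Python example that is not the PoC code in the ZIP, not Matias' code, and not any part of ADFS.  It accepts the WS-Federation sign-in request, builds the redirect to the OP, and validates the OP's positive assertion before mapping it to claims for the RP.  The relying-party realm (standing in for ADFS's relying-party trusts), the login app's own realm and return path, and the nonce skew are assumptions; signing and issuing the RSTR that goes back in wresult is left to the STS framework, as in the post, and is not shown.

```python
"""WS-Federation <-> OpenID 2.0 thunk for a replacement /adfs/ls login app.

Added example; not the post's ZIP, not Matias Woloski's code, not ADFS. It
does the message-level work of steps 4 to 6: accept the WS-Fed sign-in
request, send the user to the OP, and turn the OP's assertion into claims
for the RP. Signing and issuing the token (the RSTR in wresult) is left to
the STS framework, as in the post. URLs, realm, path and skew are assumed.
"""
from __future__ import annotations
import calendar, secrets, time
from urllib.parse import urlencode

RP_ALLOWLIST = {"https://rp.example.org/"}       # relying-party trusts (assumed)
STS_REALM = "https://adfs.example.org/"           # the login app's own realm (assumed)
RETURN_TO = STS_REALM + "adfs/ls/openid-return"   # where the OP sends the user back (assumed)
OPENID_NS = "http://specs.openid.net/auth/2.0"
ID_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}   # OpenID 2.0 section 10.1
MAX_SKEW = 300                                 # seconds of nonce clock skew tolerated (assumed)

_pending: dict[str, dict[str, str]] = {}   # state -> wtrealm/wctx/op_endpoint, single use
_seen_nonces: set[str] = set()             # replay cache for openid.response_nonce


def parse_wsfed_signin(query: dict[str, str]) -> dict[str, str]:
    """Validate the WS-Federation sign-in request that reaches /adfs/ls."""
    if query.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    wtrealm = query.get("wtrealm", "")
    if wtrealm not in RP_ALLOWLIST:   # the same gate ADFS applies with its RP trusts
        raise ValueError("unknown relying party realm")
    return {"wtrealm": wtrealm, "wctx": query.get("wctx", "")}


def start_openid(wsfed: dict[str, str], op_endpoint: str) -> str:
    """Step 4: stash the WS-Fed context and build the checkid_setup redirect."""
    state = secrets.token_urlsafe(16)
    _pending[state] = dict(wsfed, op_endpoint=op_endpoint)
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": ID_SELECT,     # let the OP choose the identifier
        "openid.identity": ID_SELECT,
        "openid.return_to": f"{RETURN_TO}?state={state}",
        "openid.realm": STS_REALM,
        "openid.ns.sreg": SREG_NS,          # assumes the OP answers under the same "sreg" alias
        "openid.sreg.required": "nickname,email",
    }
    return f"{op_endpoint}?{urlencode(params)}"   # assumes op_endpoint carries no query of its own


def _nonce_is_fresh(nonce: str, now: float) -> bool:
    """response_nonce = UTC timestamp YYYY-MM-DDThh:mm:ssZ plus a unique suffix."""
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    return abs(now - issued) <= MAX_SKEW and nonce not in _seen_nonces


def accept_openid_response(query: dict[str, str], now: float | None = None) -> dict:
    """Step 6: check the OP's id_res and map it to claims for the RP.
    Also returns the check_authentication request to POST to the OP: with no
    association only the OP can verify openid.sig; issue nothing before is_valid:true."""
    now = time.time() if now is None else now
    claimed_id = query.get("openid.claimed_id", "")
    if query.get("openid.ns") != OPENID_NS or query.get("openid.mode") != "id_res" or not claimed_id:
        raise ValueError("not a positive OpenID 2.0 assertion")
    state = query.get("state", "")
    ctx = _pending.pop(state, None)              # single use: bind the response to our request
    if ctx is None:
        raise ValueError("unknown or reused state")
    if query.get("openid.return_to") != f"{RETURN_TO}?state={state}":
        raise ValueError("return_to does not match the request")
    if query.get("openid.op_endpoint") != ctx["op_endpoint"]:
        raise ValueError("assertion from an OP we did not send the user to")
    signed = set(query.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        raise ValueError("assertion does not sign all required fields")
    nonce = query.get("openid.response_nonce", "")
    if not _nonce_is_fresh(nonce, now):
        raise ValueError("stale or replayed response_nonce")
    _seen_nonces.add(nonce)

    def signed_value(field: str) -> str:         # unsigned extension data is untrusted
        return query.get("openid." + field, "") if field in signed else ""

    verify = {k: v for k, v in query.items() if k.startswith("openid.")}
    verify["openid.mode"] = "check_authentication"    # OpenID 2.0 section 11.4.2
    claims = {
        CLAIMS + "nameidentifier": claimed_id,
        CLAIMS + "name": signed_value("sreg.nickname"),
        CLAIMS + "emailaddress": signed_value("sreg.email"),
    }
    return {"claims": claims, "wtrealm": ctx["wtrealm"], "wctx": ctx["wctx"],
            "check_authentication": verify}
```

These are the checks a replacement login app inherits nothing from ADFS for: the realm allowlist, the single-use state that ties the OpenID response to the WS-Fed request that started it, and acceptance of a response only once, within the nonce window, from the OP the user was actually sent to, with the required fields signed and sreg data taken only when it is signed.  The caller then POSTs the returned check_authentication body to the OP and, on is_valid:true, hands the claims together with wtrealm and wctx to the token issuer for the wsignin1.0 POST back to the RP.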

I know what you're thinking.  Surely there's stuff in ADFS's login app that can't just be thrown out like this.  Definitely. This isn't a finished product in any sense.  It's just a demonstration of how you can protect a SharePoint 2010 site using 4 STSs instead of 5.

On the 19th of January at 4 PM, I will be presenting to the Portland OWASP chapter on federated identity management and the protocols used to implement such systems.  I'll talk about the problem space in general, and I'll drill into SAML in particular.  Once I have the slides done, I'll upload them to slideshare and post a link here.  In the meantime, you can download an iCalendar file with the event in it to help you remember when and where it is.

If you have questions, suggestions, or thoughts about what you'd like to discuss or hear more about, leave a comment here or get in touch with me.

See you there!