Yesterday I went through an interesting analysis with Matias about the best way to tweak the SAML token lifetime for SharePoint 2010 web applications using ADFS as a claims authentication provider. We have basically three cookies to worry about in this scenario: the authentication cookie, the account partner cookie and the SharePoint...
It is up to the application to do a proper federated sign-out, and SharePoint 2010 out of the box (OOB) does not do this correctly. If you look at the HTTP conversation with Fiddler, SharePoint will not call the wa=wsignout1.0 action on ADFS; it will simply clear the current authentication cookie. How to configure...
This one is in Spanish in honor of my native language. I would like to share with you a path for IT Pros to get into the world of STSs and federated identity by way of Windows Identity Foundation (ADFS v2.0). So far I have already deployed several labs and 2 pre-production environments of Geneva Server Beta 2...
Eugenio announced yesterday the kickoff of a new guide from patterns & practices on which I’m collaborating: the Claims-based Authentication & Authorization Guide. As Eugenio suggests in his blog, this is not a new topic, but it’s getting more and more attention because the technology is more mature, hence it’s easier to implement claims-based identity; enterprises...
Before OpsMgr ACS is able to collect token-related audit events (Event ID 299), auditing needs to be enabled on each Geneva Server in the farm. This will create a lot of audits, which you may need to filter using Noise Filtering on your assigned Audit Collector Server. I will cover how we achieved noise...
In my last post I talked about an identity roadmap and how we are helping companies achieve Level 1: Externalizing Authentication. At this first level, we only care about checking a user's credentials in a Security Token Service and issuing a token with a couple of claims. That token will be enough...
The following table shows an analogy between identity concepts in a single application and in a federated application. The single app has its own identity silo, while the federated app relies on an STS (like Geneva Server). I find this analogy useful for explaining how things differ from the non-federated, non-claims-based world.
During the last couple of months I’ve been helping the Microsoft DPE team (namely Vittorio and Donovan) build the Identity Development Training Kit. It’s been great to work with such knowledgeable guys and with one of the best frameworks I’ve ever developed with: Microsoft Geneva Framework. The training kit covers a lot of...
One of the things I didn’t like about the WSFederationHttpBinding is that it encapsulates lots of things, in particular the call against the STS to obtain a SAML token. I wanted to have control over that process. The good news is that the Geneva Framework allows us to do all of that in a very...
In the previous post I introduced a scenario where you can use .NET Services Access Control and Windows Live ID to delegate authentication and authorization. In this post we will go through the different pieces the application needs in order to perform authorization checks. The first thing will be to configure passive federation using Geneva on the application...