identityserver Discussions Rss Feed

New Post: Extending the token timeout time

yuvalp1 — Thu, 16 May 2013 11:40:08 GMT

After around 24 hours that my client is left open - it crashes on the first request.
How do I configure the identity server to extend the timeout.

I can see the following configurations in the "General Configuration"

Default Token Lifetime
and
Maximum Token Lifetime

IS it one of those? which one? what is the measurement?

Do I need to configure also something in the IIS
where the idp runs? where my web app runs?

Thanks.

New Post: Username authentication on azure WCF Web Role

greg_qds — Tue, 14 May 2013 16:27:18 GMT

I want to be able to authenticate users to my wcf service hosted in an azure web role via an authorization header. The role will have SOAP and WCF Endpoints.

So far I have:

Set up thinktecture identity server in a seperate azure cloud service. Login and user creation is working there, and Identity Server will be the identity provider.
Implemented a custom password validator and verified that the code is reaching the validator.

I saw in the selfhostconsolehost sample that the membership providers and and identity configuration are configured in seperate files, and I believe that I want to use the RepositoryUserNameSecurityTokenHandler, but I have no idea how. Do i need to implement the IuserRepository code, and once that is done, what is the code to actually validate the user against the repository. Any advice or sample links are appreciated. I've tried the custom token handler here, but since the service is hosted in an azure web role, i cant do the configuration in the code.

New Post: how to configure Thinktecture Identity Server to use Active Directory logon

bgnt44 — Wed, 08 May 2013 03:31:20 GMT

I'm pretty sure that you need ADFS to use AD account

New Post: ADFS Identity Provider - Home Realm Discovery

thk — Tue, 30 Apr 2013 17:34:56 GMT

Hi,

nevermind, must have been a stupid typo on testing.

https://idsrv/issue/hrd

works :)

New Post: ADFS Identity Provider - Home Realm Discovery

thk — Tue, 30 Apr 2013 14:57:55 GMT

Hi,

i'm a bit stuck at the Identity Provider setup for an ADFS 2.1 server within the identity server.

I've added a new Identity Provider "ADFS":

 Enabled: yes
 Include in Home Realm Discovery: yes
 Type: WSStar
 WS-Federation Endpoint: https://<our adfs server>/adfs/ls
 Issuer Thumbprint: 59B3B38AA5C9E81DF72B6D477DC7C51B4744AF0B
 (the one of the signing certficate)

For testing purposes i've also enabled the "Windows Live" identity provider (with custom client_id & secret)

In my Asp.MVC Test-Application i've used the "identity & access"-Tool to configure it for the
identity server.
Afterwards i've changed the issuer to the "hrd" endpoint: /issuer/hrd

So far so good.
The authentication via the "Windows Live" provider works like a charm.
But the ADFS-Provider doesn't work at all.

I tried to add a Relying-Party trust on the adfs server for the identity server

https://idsrv/trust

but i havn't found an example for it.
I simply don't know which passive WS-Endpoint i should specify.
Using the url of the identity server or /issue/wsfed or /issue/hrd redirects me back to the identity server itself, but not to my actual test application, where the login request started.

Any help is appreciated.

Thanks in advance

New Post: Custom Authentication with OAuth in Web API MVC 4

PranavBhatt7 — Thu, 18 Apr 2013 18:39:27 GMT

Hello, we are working on a web application project using Web API MVC 4 and in that, we have one requirement where in we want to authenticate users against the database. We have a custom authentication logic that needs to be applied. We also want that our application allow users to log into our site using their gmail account by using OAuth. So we need to make use of both Custom authentication log in and OAuth.

For the same, we have gone through the following sample:
https://github.com/thinktecture/Thinktecture.IdentityServer.v2

Also, googled some sites but we are not able to find a proper solution to our problem.

Can someone provide us with the proper solution and a way to do it? We want to know that, what steps we need to take to achieve both of these authentication mechanism.

New Post: Basic authentication scenario

khloroform187 — Tue, 16 Apr 2013 18:12:18 GMT

Hi,

I currently have a Web application using WebAPI with a complete back-end. I have a custom management of Users, Roles and Permissions (not from .NET Role / Membership / etc.,) So right now, there are no problems to do all the validations according to the permissions a user have in function of it

s roles.



What I want to do, it

s to delegate the authentication mechanism to an external server since I will need to connect future application on this authentication server.

So want I need is basically to use the IdentityServer to manager users and set claims (or roles) on them. At minimum, I would like to set an Id (or Roles) to a user in the IdentityServer, and after authentication, get this Id (or Roles) and continue the process of getter the correct permissions known only by my application according to the Id (or Roles) get from the authentication response.

I watch a tutorial on how create a first application using Identity Server (http://vimeo.com/51666380), but this example include complex WS-Federation stuff that I don't necessary need since I wont include trust/federation with companies, only my few custom web applications.

I also search in the documentation and in samples, but the information is not centralized and I am not able to find what I need.

Can someone point me to the correct documentation or can give me a few hints of which authentication mechanism I should use in IdentityServer?

Thank you!!

New Post: IdentityServer as both IdP and RP but HRD isn't working

SSG31415926 — Sun, 14 Apr 2013 18:15:00 GMT

To enable me to investigate federation, I've created two instances of IdentityServer (/IdSrv and /RpSrv) on my laptop, following your installation video on vimeo. I've then built one app for each following your configuration video, so that I know they both work as IdPs. (I disabled the requirement for SSL). I've then built a third app, pointed at RpSrv and am now trying to get RpSrv to act as the federation gateway for that app.

I enabled Federation and Home Realm Discovery on /RpSrv. Having watched your third video I was trying to get federation to work - an app pointing at /RpSrv federating with /IdSrv for the AuthN - but was having difficulty getting the right configuration.

During the investigation, I disabled Home Realm Discovery and recycled /RpSrv. Later, I noticed that the hrd entry was still shown on the Application integration page. I tried my app and I still saw the Home Realm Discovery page. I tried disabling federation as well, and recycling, and that broke it. So I re-enabled federation and recycled and the app started working again, with HRD.

Later, I tried specifying the homeRealm attribute on the wsFederation element as described in your federation video but it didn't work. Using Fiddler to grab the request, I can see that there's no whr parameter, just: GET /rpsrv/issue/hrd?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a49888%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2013-04-14T08%3a22%3a15Z HTTP/1.1

I imagine I'm doing something wrong but I'm not sure what. I'm on the federation part of Dominick's WCF course (having completed the other two a few weeks ago) - that's what led me to IdentityServer and started me down this route.

To summarise, there are two issues:

why is HRD working when it's disabled?
why is HRD happening when I'm supplying the homeRealm in config?

New Post: newbie question on usage scenarios

mickdelaney — Wed, 13 Mar 2013 16:56:21 GMT

hi guys,

I'm investigating identityserver at the moment but am not sure if i really need it for my scenario.
what i'm trying to do is (in order of importance/need):

1:) Deploy a bunch of web apps & api's under the same domain

e.g. root = example.com. with apps/apis at: manage.example.com, reports.example.com, api.example.com etc
But i want to be able to deploy them independently and i want to be able to log into one, e.g. account.example.com which then allows access to the other sites. These sites are all written in asp.net mvc & web api

I guess i could just produce a cookie, and check for that in the apps & api's, and perhaps store data in a serverside cache (that they all have access to)

2:) Use Social Logins
e.g. google, linkedin, facebook, live etc.
I was thinking of just using the out of the box asp.net OAuthSecurity stuff could work here, and then again issue a cookie for the web apps & apis?

3:) Secure non .net e.g Java based resources
In addition I want to be able to secure java based web apps & apis, e.g.
products.example.com. These would probably be hosted using jetty or tomcat or whatever.

Would the cookie solution work here?

4:) Connect to Corporate Networks
Allow Corporate, e.g ADFS. (we have a few large customers and it would make life easier if they're domain accounts could be used to login to our site).

Any help here would be greatly appreciated.

regards
mick

New Post: Custom User Repository

DominickBaier — Wed, 06 Mar 2013 11:27:42 GMT

Guys - you know that this forum has been retired. I really only monitor the github issue tracker for IdSrv anymore.

New Post: Custom User Repository

dagimf — Wed, 06 Mar 2013 09:32:36 GMT

Looooooka wrote:

This is purely a guess from looking at the code:
repositories.config

userManagement-> you could write your own ProviderUserManagementRepository based on the one Dominick created.(your class needs to implement Thinktecture.IdentityServer.Repositories.IUserRepository) If this is what you're talking about...just set yours in this file.
If you're using the binaries and want the source then you should probably download the source code for Thinktecture.IdentityServer.Core
the other way(i'm using this one) is a custom membership provider.
simply set it up in web.config and that's it.

will this work for active directory aswell???

New Post: how to configure Thinktecture Identity Server to use Active Directory logon

aymenim — Wed, 06 Mar 2013 09:32:06 GMT

I have the same issue as well @riccardotreso and @dagimf have you find any ways to solve this i am stuck :(

New Post: how to configure Thinktecture Identity Server to use Active Directory logon

dagimf — Wed, 06 Mar 2013 09:28:34 GMT

Yeah im working on the same problem can anyone tell me if it is possible to do it , and if it is any pointers on how please??

New Post: WS Federation exception (wctx parameter missing) in AD FS 2.0

DominickBaier — Wed, 06 Mar 2013 07:45:13 GMT

Hi,

this might be a bug -

this forum is retired. Could you post that please on the github issue tracker for idsrv?

thanks

New Post: WS Federation exception (wctx parameter missing) in AD FS 2.0

GregoryLevit — Tue, 05 Mar 2013 12:35:04 GMT

Hi Dominick,

Can you please assist me?

I decided to use your Idsrv v2 for my solution.
General idea was to move authentication logic from the application to separate STS. Initially AD FS 2.0 fited us very well, because we store our user data in AD.
But then was decided to add possibility of authentication via Google,Facebook,Twitter,... So I thought to add your Idsrv (as IP-STS), and connect it to ADFS (as RP-STS).

Flow:
--> User redirected to Adfs, choose login via Idsrv
--> Redirected to Hrd page of Idsrv, clicks Facebook button
--> Redirected to Facebook login page, enters credentials
--> Facebook authenticates user, send user claims back to Idsrv
--> Idsrv sends email claim to Adfs
(here it crashes, Adfs exception: "The WS-Federation Passive protocol parameter 'wctx' was not found or not valid" )
--> Adfs adds additional claims based on the user's email
--> RpApp will get all claims of the user

Now I'm out of ideas. I'm stucked few days on that problem:
Adfs exception: "The WS-Federation Passive protocol parameter 'wctx' was not found or not valid"

Interesting, when I change configuration in ADFS2.0: WS-Federation Endpoint for Claim provider from https://idsrv.mydomain.com/idsrv/issue/hrd to https://idsrv.mydomain.com/idsrv/issue/wsfed. It works! But it isn't what I need. My RP app just gets claims of Idsrv user. Pretty useless for me.

Here is my setup:

Idsrv2 (as IP-STS): idsrv.mydomain.com

Relying party configuration for ADFS 2.0:
-Display Name: ADFS
-Realm/Scope Name: https://adfs.mydomain.com/adfs/services/trust
-Redirect Url: https://adfs.mydomain.com/adfs/ls/

Identity Provider Configuration:
Facebook, Google (as in the example: http://brockallen.com/2012/11/04/oauth2-in-thinktecture-identityserver-oauth2-identity-providers/)

Protocol WS-Federation:
Enabled: true
Enable Sign-in: true
Enable Federation: true
Enable Home Realm Discovery: true
Allow ReplyTo parameter: false
Require ReplyTo within Realm: false
Require SSL: false

Protocol WS-Trust:
Enabled: true
Enable Message Security Endpoints: false
Enable Mixed Mode Security Endpoints: true
Enable Client Certificates Authentication: false
Enable Federated Authentication: false
Enable Identity Delegation: true

Protocol Oauth2:
Enabled: true
Enable Implicit Flow: false
Enable Resource Owner Flow: false
Enable Consent Page: true

ADFS2.0 (as RP-STS): adfs.mydomain.com

Claim Provider Configuration:
-Display Name: idsrv.mydomain.com
-Identifier: https://idsrv.mydomain.com/idsrv/trust/
-WS-Federation Endpoint: https://idsrv.mydomain.com/idsrv/issue/hrd

RP Configuration:
-Display Name: MvcTestApp
-WS-Federation Endpoint: https://adfs.mydomain.com/MvcTestApp/

MvcTestApp (RP): VS2012 Template MVCApplication

<wsFederation passiveRedirectEnabled="true" issuer="https://adfs.mydomain.com/adfs/ls/" realm="https://adfs.mydomain.com/MvcTestApp/" requireHttps="false" />

Thank you in advance,
Gregory

New Post: Custom User Repository

Looooooka — Mon, 25 Feb 2013 21:26:33 GMT

This is purely a guess from looking at the code:
repositories.config

userManagement-> you could write your own ProviderUserManagementRepository based on the one Dominick created.(your class needs to implement Thinktecture.IdentityServer.Repositories.IUserRepository) If this is what you're talking about...just set yours in this file.
If you're using the binaries and want the source then you should probably download the source code for Thinktecture.IdentityServer.Core
the other way(i'm using this one) is a custom membership provider.
simply set it up in web.config and that's it.

New Post: Standard ChannelFactory using CreateChannelWithActAsToken using wrong trust version to request ActAs token

digidank — Mon, 25 Feb 2013 17:31:50 GMT

I guess an easier way to clarify my question is whether there is a way to specify what trust version a standard ChannelFactory using a ws2007FederatedHttpBinding will make when it needs to call Issue for an ActAs token?

Is it something that it reads from the Issuer's Metadata?
Is there a property on ws2007FederatedHttpBinding I have to set?

Or do I have to implement the older 1.2 standard for all ActAs Issue requests?

New Post: Standard ChannelFactory using CreateChannelWithActAsToken using wrong trust version to request ActAs token

digidank — Fri, 22 Feb 2013 22:43:16 GMT

When I use my security token to call factory.CreateChannelWithActAsToken it calls my STS's Issue using the wrong namespacing and expecting the wrong trustversion.

I can connect to my STS and request tokens and ActAs tokens manually with WSTrustChannel using WSTrust13 an it works perfectly fine. But when I setup a WS2007FederationHttpBinding and point to my STS it always makes the issue request using the wrong format. I stepped into my STS and had to deserialize the message using the WSTrustFeb2005ResponseSerializer instead of WSTrust13ResponseSerializer.

<ws2007FederationHttpBinding>

    <binding name="AdministrationServiceBinding">
      <security mode="TransportWithMessageCredential">
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" negotiateServiceCredential="false">
          <issuer address="https://localhost:44300/WSFederationServices.svc/Issue"
            binding="wsHttpBinding" bindingConfiguration="CustomSecurityTokenServiceBinding"  />
          <issuerMetadata address="https://localhost:44300/WSFederationServices.svc/mex" />
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>

I'm sure I probably am misunderstand how something works. But, this seems like it should work and is not. Any input?

New Post: .NET 4.5 requesting token using another SAML token

Looooooka — Sun, 17 Feb 2013 13:48:15 GMT

Awesome.Thank you for helping the blind(me)... :)

New Post: .NET 4.5 requesting token using another SAML token

DominickBaier — Sat, 16 Feb 2013 12:03:50 GMT

http://leastprivilege.com/?s=Using+SAML+As+A+Client+Credential+Type+In+WCF+With+Geneva