42 min read

Windows Azure Pack Authentication Part 3 – Using a Third Party IdP

In the previous installments of this series we looked at how Windows Azure Pack authenticates users and how it’s configured out of the box for federation. This time around we’re going to look at how you can configure federation with a third party IdP. Microsoft designed Windows Azure Pack the right way. It supports federation…

13 min read

Real-time User Notification and Session Management with SignalR – Part 1

As more and more applications and services become always-on and accessible from a wide range of devices, it’s important that we are able to securely manage sessions for users across all of these systems. Imagine that you have a web application that a user tends to stay logged into all day. Over time…

9 min read

The Case of the Failed Restore

As applications get more and more complex, the backup and restore processes also tend to become more complex. A lot of times backup can be broken down into simple processes: get data from various sources (database, Web.config, DPAPI, certificate stores, file system, etc.); persist data to disk in a specific format; validate data in a specific format…

2 min read

Talking ADFS on RunAs Radio

During the Toronto stop of the TechDays tour in Canada Richard Campbell was in town talking to a bunch of really smart people about the latest and greatest technologies they’ve been working on. And then me for some reason. We got to talk about ADFS and associates: Richard talks to Steve Syfuhs at TechDays Toronto…

16 min read

Input Validation: The Good, The Bad, and the What the Hell are you Doing?

Good morning class! Pop quiz: How many of you do proper input validation in your ASP.NET site, WebForms, MVC, or otherwise? Some Background There is an axiom in computer science: never trust user input because it’s guaranteed to contain invalid data at some point. In security we have a similar axiom: never trust user input…

10 min read

Authentication in an Active Claims Model

When working with Claims Based Authentication a lot of things are similar between the two different models, Active and Passive.  However, there are a few cases where things differ… a lot.  The biggest of course being how a Request for Security Token (RST) is authenticated.  In a passive model the user is given a web…

2 min read

AzureFest–Final Countdown: 2 Days to go

[The soundtrack for this post can be found at Youtube] Cory Fowler is the Canadian MVP for Windows Azure, an ObjectSharp Consultant, and a good friend of mine.  He will be presenting on Windows Azure at, you guessed it, AzureFest!  We have two half day events on December 11th 2010 (two days from now –…

4 min read

Preventing Frame Exploits in a Passive Claims Model

At a presentation a few weeks ago someone asked me about capturing session details during authentication at an STS by way of frames and JavaScript.  To paraphrase the question: “What prevents a malicious developer from sticking an RP within an iframe, cause a redirect to an STS, get some user to log in, and then…

9 min read

The Basics of Building a Security Token Service

Last week at TechDays in Toronto I ran into a fellow I worked with while I was at Woodbine.  He works with a consulting firm Woodbine uses, and he caught my session on Windows Identity Foundation.  His thoughts were (essentially—paraphrased) that the principle of Claims Authentication was sound and a good idea, however implementing it…