Identity and Access Tool

I'm trying to build a single sign on/out solution based on your Custom Token sample. 
I added one more RP and the single sign in worked according to plan. However, through Fidder I noticed that the wsingin was only submitted once after I login to STS, when I redirect to RP2 in same browser or open a new browser, no other wsingin message was submitted to STS.
Now, I encounter this issue:
#1: Login to STS from RP1
#2: Open a new browser, and try to open default.aspx page for RP2, it open the page without goes to STS.
#3: Click the logout link on RP2, it logoff RP2.
#4: Now goes to RP1 browser, click it's content, you can still browser the page content.

However, when I login to RP1 first, and open a new browser then open Rp2, and logoff from Rp1, then RP2 is logoff successfully.

I noticed that if I give cookie different name for RP1 and RP2, it sends the wsingin message for when both RP first time talkes to STS. The only problem is with in same bowser, the second RP is consider authenticated, but if I open a new browser and access RP2, I gets redirected to STS login page again.

Any tips or suggestions.

In code level, I'm using following code for both RPs to logoff:
            string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(FederatedAuthentication.WSFederationAuthenticationModule.Issuer, null, null);
            WSFederationAuthenticationModule.FederatedSignOut(new Uri(signOutUrl), new Uri(FederatedAuthentication.WSFederationAuthenticationModule.Realm + "Logoff.aspx"));

In RPs web.configuration:
  <system.identityModel.services>
    <federationConfiguration identityConfigurationName="">
      <serviceCertificate>
        <certificateReference x509FindType="FindBySubjectName" findValue="localhost" storeLocation="LocalMachine" storeName="My"/>
      </serviceCertificate>
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:62398/" realm ="http://localhost:19851/" requireHttps="false"  persistentCookiesOnPassiveRedirects="true"/>
      <cookieHandler mode="Default" requireSsl="false">
        <chunkedCookieHandler chunkSize="2000"/>
      </cookieHandler>
    </federationConfiguration>
  </system.identityModel.services>

From STS, I'm using following code to sign off:
                WSFederationMessage requestMessage = WSFederationMessage.CreateFromUri(this.Request.Url);
                FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest(requestMessage, claimsPrincipal, null, Response);

I am trying to configure an ASP.NET 4.5 Web Application for claims authentication with Windows Azure Access Control Service using the "Identity and Access Tool" (version 1.0.2).

When right-clicking the Web Application and selecting "Identity and Access", I only see two options under the "Providers" tab; I am missing the option "Use the Windows Azure Access Control Service".

The Web Application was upgraded from VS 2010 (.NET 4.0) to VS 2012 (.NET 4.5). I'm suspecting this because creating a new empty ASP.NET 4.0 Web Application (or MVC for that matter), enables the option "Use the Windows Azure Access Control Service" under "Identity and Access".

I've compared the two VS project file for potential settings potentially instrumenting the "Identity and Access" extension, but was unable to find any.

I'd like to use the existing (upgraded) ASP.NET 4.5 Web Application (as compared to creating a new and migrate the contents of the previous application).

What am I missing?

Hi Anders,
the experience you describe usually happens when the tool thinks that you have a WCF project. Is there anything in your project that might suggest that?
Also: did you explicitly change the project properties to target .NET 4.5?
HTH,
V.   

Hi Vittorio,

why would the tool think my ASP.NET Web Application is a WCF project?

When I installed VS 2012 along with .NET 4.5, I just went through each C# project (be it Web Application or class library) and changed the target framework to .NET 4.5 using the settings configuration. Also, for the Web Application projects, I made sure I was targetting .NET 4.5 by means of manually changing certain values in web.config for httpRuntime and compilation elements.

I can't tell the difference in terms of .NET 4.5 references from a new empty ASP.NET Web Application created with VS 2012; that is, except that it was created with VS 2012 and my previous projects were created with VS 2010.

Any suggestions? What settings are the "Identity and Access" extension using to determine, if the "Use the Windows Azure Access Control Service" option should be available?

One thing that you may want to check is if you have a <system.serviceModel> element in your configuration file. Commenting out this section may help you. Let me know how that goes.

Junaid,

commenting out the system.serviceModel element worked - thanks for the tip. You might want to look into that as a bug, or an inconvenient feature :)

Another thing I noticed after installing the VS 2012 "Identity and Access Tool" extension is that when I right-click on a large Web Application project (to access the context menu), VS 2012 is spending a lot of CPU cycles (possible scanning the VS project file), leaving me hanging .. it's more than 5 seconds on one of the Web Application projects on a high-end quad-core CPU.

I was wondering if you've noticed this as well?

Glad it worked. We are hoping to address that when we do the next update. 

I have not noticed the high cpu usage as yet. Seems unlikely that the tool would cause it, but I will look into it. Thanks for reporting it.

Is the lack of the "Use the Windows Azure Access Control Service" option in WCF projects a regular/expected behavior (i.e. ACS not supported for WCF projects for technical reasons), or is it a bug?

If it's possible to wire up ACS/WIF to WCF projects? 

I am actually trying to find out if it is possible to use ACS+WIF in conjunction with a self-hosted WebAPI server inside an Azure worker. 

Since WebAPI seems to have the same underlying plumbing as WCF I was hoping that, if ACS+WIF can be set up with a regular WCF service, it can perhaps also be set up in a similar way with WebAPI (configuring HttpSelfHostConfiguration programmatically, or doing something like that).

Any hint/help would be appreciated!

Hi Vkdev,
the tool behavior is by design.
A WCF service can be configured to use ACS, but the resulting WS-Trust settings are quite complicated and do not lead to the same advantages you get in the browser based case. For example, with the browser you can defer the decision of which IdP you want to use to the moment in which the users attempts access; with classic WCF achieving the same effect would be significantly more complicated. We didn't think it was worth the extra complexity in the tool, especially considering that there are emerging REST based alternatives for rich clients that are definitely simpler.
For an example of how that would work with Web API, check out http://code.msdn.microsoft.com/AAL-Native-Application-to-fd648dcf - we don't have tool support for that scenario, but we might consider that if there is strong interest abut it. Let us know what you think!
HTH
V.

Thanks Vittorio,

I briefly checked the source code -- besides being very clear and concise the sample seems to be exactly what I was looking for. Just about every other sample shows WIF integration into ASP.NET http pipeline, this one shows how to integrate WIF into WebAPI pipeline. Great!

Now, on the client side WIF offers AuthenticationContext.AcquireToken() method that does the heavy lifting of getting a token. How is that different/complementary to WebAuthenticationBroker.AuthenticateAsync() mechanism which seems to be the recommended way of doing things on the client side in Windows 8? 

I'm asking because I will eventually build clients in Windows 8 *and* Windows Phone 8. What's the right approach to do the authentication and token acquisition, with the goal of having (if possible) the common client code on both platforms? 

In other words, will AAL eventually work on Windows Phone 8?

Thanks again for your time and efforts!

Thank you for your kind words, I am glad that the AAL approach works for you!

The WebAuthenticationBroker is a valid API for driving authentication, but it operates at a lower level: you can use it, but that would require you to know how the protocol works and acting accordingly.
AAL will be available on multiple platforms, including WinRT for writing Windows Store apps on WIndows8. With AAL for WinRT you will be able to get tokens in the same way you are doing today with AAL for .NET.
Unfortunately we cannot share timelines, but keep an eye on this space ;-)
HTH!
V.

OK, it means that for the time being I'll have to use WebAuthenticationBroker on the client side (inside my Store client). I did watch a few related /Build videos (including yours, great one btw) so I'll hopefully be able to pull everything together. 

Anyway, keep up the good work, and thanks again for taking the time to help people here.

I was showing how to use the Identity and Access extension in Visual Studio 2012 and had it configured to work with a new .Net 4.5 WebForms application, and after finding the management key under "Management Service -> ManagementClient -> Symetric Key" and copying it to the dialog. Then I got the expected behavior and results, adding LiveID and Google. 

However when I regenerated the key and saved it on the management portal the Identity and Access dialog fails to authenticate, throwing a ACS50012 error (found in fiddler). I duplicated this behavior with another existing namespace. I did try creating a new ACS namespace but am unable to get it to work at all (i.e. validating the namespace and management key from the VS2012 dialog). 

Does it take some time for the management key to apply within ACS or is there something I'm missing when I regenerate the management key?

Thanks
Mike

Note that the new application was created with an ACS namespace that was created from the new Azure portal in connection to a Service Bus namespace (and contains the -sb appended to the name)...when I created a new ACS namespace in the old portal I was able to initially use the management key, but when regenerated it displayed the same behavior of failing to validate in the dialog.

One odd note, is that the old key still seemed to work after regenerating, although I have no way to go back to get it since the new one is displayed in the portal...

Hi Mike,
the Identity and Access tool is not supported against namespaces created for the service bus. It might work at times, but we cannot guarantee stable behavior at all times.
That said: can you try to modify the namespace through the old portal? You can find instructions on how to access it from the new portal in http://blogs.msdn.com/b/vbertocci/archive/2012/11/07/provisioning-a-directory-tenant-as-an-identity-provider-in-an-acs-namespace.aspx.
Also: please make sure to pick the right key, e.g. https://<yournamespace>.accesscontrol.windows.net/v2/mgmt/web/ServiceAccount/ManagementKey/Edit  

Hi,

I try this tool for MVC 4.5.
can Login, but can't logout.
My logout Coode like this:

WSFederationAuthenticationModule.FederatedSignOut(null, new Uri(loginPageUri));

Did you have some tips for me?

Hi Albert,
a lot of the signout support depends on the identity provider you are connecting to.
Which identity provider are you working with?
Thanks
V.

Hi Vittorio,
Thanks for your reply.
My identity provider is ADFS 2.0 (WS-FederationPassive/Active Directory).
I can logon, and I can use ClaimsPrincipal and Claim class (namespace is System.Security.Claims) to read user's claims.
But I can't use WSFederationAuthenticationModule (namespace is Microsoft.IdentityModel.Web) to logout.
Finally, I cleared Cookies (Cookies name:FedAuth) to logout.
I do not think this is a good way.
Do you have a better way?

Thanks
Albert

Hi Albert,
ADFS does support signout. J would suggest taking a look at the signout section frm Programming WIF, the relevant chapter is available for free at http://bit.ly/e7dxWS 
hope this helps!
Best,
V.

HI

I am trying to integrate an asp.net 4.5 web application with an identity provider using the “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” protocol.
This seems to be supported in WIF Extension for SAML 2.0 Protocol CTP Release, but is this feature included in the .net 4.5 framework? 
I cannot find the config section present in the ctp extension for saml 2, as for example:  

<microsoft.identityModel.saml metadata="bin\App_Data\serviceprovider.xml">
		<!-- The location of the configuration files of all the partners this service trusts. -->
		<identityProviders>
			<metadata file="bin\App_Data\identityprovider.xml"/>
		</identityProviders>
	</microsoft.identityModel.saml>

Is there any way for using saml 2 protocol instead of ws federation in .net 4.5? Or should I use the wif extension ctp for saml 2 on .net 3.5  

      Thx in advance 

                        Alex

Hi Alex,
there is nothing in the tool or .NET4.5 that would help with the SAML protocol. Did you consider using ADFS2 as a protocol transition point, so that your app still uses WF-Federation?
Thanks
V.

We want to build STS to provide single sign on solution for our multiple applications, most of them are ASP.NET App + some JAVA based one.
We try to use WIF 4.5 + VS 2012 + this tool, but it seems hard to find how to build STS using the latest framework, could you privde guides or samples, how to instructions. 

Thanks.  

Richard.

Hey Richard,
you can take a look at the WIF samples in the MSDN sample code repository.
Samples featuring a custom STS are http://code.msdn.microsoft.com/Federation-Metadata-34036040 and http://code.msdn.microsoft.com/Custom-Token-ddce2f55.
HTH,
Vittorio

Hi Vittorio:

Thanks for the fast reply, I did looked at those 2 samples, and find it is not very straight forward in our case. 

What we prefer is a very basic STS, with medium code effort (preferably through configuration), could generate the federation metadata, so it could be used cross platform.

And suggestions or tutorials?

Hi Richard,
we usually don't do STS tutorials: given that the STS is such a fundamental component of every solution, there are many considerations (about security, availability, manageability, etc) that unfortunately cannot be reduced to a simple sample without dangerous oversimplifications.
All the STS samples we provide are usually in place for simulating a larger system in the context of a sample solution, so that you can see the RP code in action without working too hard to set up a real STS and hook the sample to it.
That said, I think I have good news for you! If you take a look at the web sites lab from the July 2012 identity training kit (you can get it from http://www.microsoft.com/en-us/download/details.aspx?id=14347) you will find a brief tutorial explaining how to set up a very simple STS with WIF 4.5.
Please note that the July 2012 training kit is still for VS2012 RC, hence the setup scripts won't work; however you should be able to follow the tutorial with only few adjustments.
HTH
V.

VS2012 Professional V 11.0.50727.1 RTMREL, .NET framework 4.5.50709, logged in as me, an administrator on the machine

Take a fresh new basic MVC4 app, Razor engine. Add a controller called Home with very simple index view, using master layout that is provided. 

Run with Debug said site. fine  - produces page as you would expect. 

Now add Identity and Access service with Local Development STS

Debug again - 401.2 error. Access is denied. 

OK. So that is one annoying problem - any thoughts anyone?

Can solve that by removing <authenticaton mode=None> but why is that?

Leaving the authentication ="None" bit in, I switch to IISExpress for debugging. 

Now the authentication bit is fine, but the bundles for jquery (both css and js) and modernizr fail to load - as modernizr is at the top of the page, it stops the page loading - this is how I noticed. 

If I fire up a new browser session in another browser, then I can access teh scripts/css fine via the same url. Just not through the app that has the LocalSTS auth and IISExpress. Is it possible that this is interfering?

Also, tried to replicate on another machine - almost identical setup. This one won't let me run LocalSTS at all - says I can't bind to that port and I need to run as administrator. I am an administrator FFS. 

Updates. Have found some combinations that work.
Built in web server with VS is ok. Delivers files correctly. 
Only works when using Authentication mode="Windows" though.
None fails, forms requires the login page to exist. This is ok when hosting own login page for Azure STS, but not for LocalSTS

IISExpress fails whichever way. I note that the IISExpress logs have the username from the localSTS so I suspect that it is trying to do something under the context of the made up user on LocalSTS. 


Note that it's not that it isn't delivering the bundled resources at all, it just takes a very very long time. I.e. upwards of 3 minutes it may be that the browser is giving up, need to look into that more. 
  

Having a nice conversation with myself here. 
I think it comes down to <authorization><deny users="?" /></authorization> in the root web.config
This tells ASP.NET that we don't allow unknown users to do anything, right?
But by design, we should know the user from the LocalSTS, yes?

And therein lies the problem. One request for the homepage from cold start:

2012-11-28 16:12:14 127.0.0.1 GET / - 55526 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) - 302 0 0 2
2012-11-28 16:12:16 127.0.0.1 POST / - 55526 Adrian 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) http://localhost:12670/wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a55526%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2012-11-28T16%3a12%3a14Z 302 0 0 5
2012-11-28 16:12:16 127.0.0.1 GET / - 55526 Adrian 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) http://localhost:12670/wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a55526%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2012-11-28T16%3a12%3a14Z 302 0 0 90
2012-11-28 16:12:16 127.0.0.1 GET /Access - 55526 Adrian 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) http://localhost:12670/wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a55526%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2012-11-28T16%3a12%3a14Z 200 0 0 4
2012-11-28 16:12:16 127.0.0.1 GET /Scripts/jquery-1.8.3.js - 55526 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) http://localhost:55526/Access 200 0 22 2


First request gets 302'd as not authenticated. Next two requests are the federation stuff. 
then teh page request which contains teh username. 
And then the request for the jquery file which has no authentication data associated with it. 

Why not?

OK, so a peek with Fiddler reveals that the cookies are being sent, but IE9 is sending one request for application/javascript type, the immediately another request for text/html for the same file. 
Eh?

Hi there,
lots of things to discuss :-) let's start:
- LocalSTS and IIS Express: they should work perfectly well together. The WIF sample for MVC is based on IIS Express. See http://code.msdn.microsoft.com/Claims-Aware-MVC-523e079b?SRC=VSIDE
- Running as admin. I am sure you already know, but just for not leaving any stones unturned: if VS gives you that message, that usually means that you have to explicitly launch VS via "run ad administrator" as the UAC won't start it with admin rights even if the current user *is* an admin
- 401.2 often comes out if you are targeting full-fledged IIS (as opposed to express), you created the IIS virtual dir using VS and you don't have all the options on. There are various other settings that you might have on in your IIS or in your machine (trusted sites? hardened IE zones settings?) that might enforce further restrictions. The tool works in default conditions, but you have more restrictive policies in place it might stumble. The fact that using Windows auth mode changes the behavior suggests that this might be the case.
- on <authorization><deny users="?" /></authorization> ; that's totally optional, it just depends on how you want the authentication to be enforced. The sample I linked earlier uses a different strategy, hence uses different <authorization> settings.
- on LocalSTS "username". The localSTS does not attempt ANY authentication, and ignores everything about the request apart form the return URL. If you can;t get to it that usually means that you didn't start VS as an admin (see above) or that for some reason your browser or your firewall don't like the local address (also see above) no matter what listens on it.
 
Lots to digest! :-) I am sorry you are having difficulties with the tool. My suggestion would be to look into your IIS and browser settings, and ensure that you start VS as admin. It would also be great if you could download the MVC sample and see if it works on your setup.
Thanks!
V. 

And lo. It was AVG antivirus

For some reason the combination of AVG and Identity and Access addin causes this issue. 

I have tried disabling various components of AVG but it seems that the only solution is to disable it entirely. 

So given that, who can recommend an AV that won't intefere with development activities?



Thanks for trying to help. 

Glad to read that you found the issue!
This is the first report I get about an antivirus interfering with the tool, but I am not very surprised: the AV is one of the first candidates when things behave inexplicably. Sorry for not having listed it among the possible culprits! I assume that it is specifically about the localSTS: can you confirm if other IPs (say ACS) repro the issue?
I have successfully ran the tool on machines with Microsoft Security Essentials, and on machines with System Center Endpoint Protection 2012. 
HTH,
V.

Greetings,
After setting up the provider and configuration, the <modules> node in the web.config is not recognizing the WS Federation Authentication and Session Authentication modules.  As you can see, the version is 4.0, but im not sure why it did not reference 4.5:

    <modules>
      <remove name="FormsAuthentication" />
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />

      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>

Any help would be appreciated.

[SOLVED]
It turned out that the System.IdentityModel.Services was not included with the configuration process and I had to add it manually.

Hi Joel,
thanks for the headsup. Did you create the configuration using the tool in the first place, or did you add the modules section "by hand"? (for example pasting it form another project).
The tool should have added the reference automatically. If it didn't, we would be very interested in understanding the exact details of how this occurred. 
Thanks!

I've just installed 1.0.2, restarted VS and got a pop-up saying "The 'IdentityAndAccessVSPackage did not load correctly." and pointing me to "C:\Use[..]dio\11.0\ActivityLog.xml".  The last three lines of this are:
       -  Begin package load [IdentityAndAccessVSPackage]  -  {97E6CB8F-C650-43EA-A6F3-2B4A51ECC8D5  -    -  VisualStudio
ERROR  -  SetSite failed for package [IdentityAndAccessVSPackage]  -  {97E6CB8F-C650-43EA-A6F3-2B4A51ECC8D5  -  80004003 - E_POINTER  -  VisualStudio
ERROR  -  End package load [IdentityAndAccessVSPackage]  -  {97E6CB8F-C650-43EA-A6F3-2B4A51ECC8D5  -  80004003 - E_POINTER  -  VisualStudio.
It works on other machines I use.

I tried this several times and saw the message every time.  So I looked at the differences between the machines and there were two: Reflector and the EF Power Tools Beta 2.  I disabled the latter and restarted - no error.  I enabled the latter again and restarted - no error.

I have attempted to recreate it on other machines but they have all been run with your extension installed before EF Power Tools (i.e. the reverse sequence to the machine which had the error) and I haven't seen the error.

I am glad to read it is working now. Thank you for the headsup, we'll look into any collisions with the Power Tools.

Is there an update coming for VS 2012?  I'm getting the following in my ActivityLog.xml:
<entry>
    <record>502</record>
    <time>2012/08/22 19:33:12.836</time>
    <type>Error</type>
    <source>VisualStudio</source>
    <description>SetSite failed for package [IdentityAndAccessVSPackage]</description>
    <guid>{97E6CB8F-C650-43EA-A6F3-2B4A51ECC8D5}</guid>
    <hr>80004003 - E_POINTER</hr>
    <errorinfo>Object reference not set to an instance of an object.</errorinfo>
  </entry>
  <entry>
    <record>503</record>
    <time>2012/08/22 19:33:12.836</time>
    <type>Error</type>
    <source>VisualStudio</source>
    <description>End package load [IdentityAndAccessVSPackage]</description>
    <guid>{97E6CB8F-C650-43EA-A6F3-2B4A51ECC8D5}</guid>
    <hr>80004003 - E_POINTER</hr>
    <errorinfo>Object reference not set to an instance of an object.</errorinfo>
  </entry>

Did you ever figure out a solution to this.  I'm having this problem too.

Has this been resolved?
I have tried a couple of times to install this extension and get the same error as above.

I have no idea what was different today to yesterday as I am sure I chose version 1.02 yesterday, but it has worked perfectly OK this morning.

Thanks

On Windows 8.

You need Windows Identity Foundation SDK which in turn has a prerequisite of Windows Identity Foundation to be present in the first place. Add it through Add Windows Features first then install the SDK.

Hi guys,
Given that now it works I assume that the issue was due to the use of the RC version of the tool with VS 2012 RTM as opposed to the RTM version of the tool (whihc coincidentally was published on the 23rd as well).
Krystian, the tool for VS2012 does not have any dependency on the WIF 1.0 runtime or the WIF SDK 1.0. You don't need to add any of those there in order for the tool to function.