Azure MFA Server – International Deployment

Hi all – this blog will cover off some information to assist with multilingual/international deployment of Azure MFA server. There are some nuances of the product that make ongoing management of language preferences a little challenging. Also some MFA Methods are preferable to others in international scenarios due to carrier variances.

Language Preferences

Ideally when a user is on-boarded, their language preferences for the various MFA Methods should be configured to their native language. This can easily be achieved using MFA Server, however there are some things to know:

  1. Language settings are defined in in Synchronisation Items.
[Keep reading] “Azure MFA Server – International Deployment”

MIM and Privileged Access Management

Recently Microsoft released Microsoft Identity Manager 2015 (MIM) Customer Technology Preview (CTP). Those expecting a major revision of the FIM product should brace themselves for disappointment. The MIM CTP is more like a service release of FIM. MIM CTP V4.3.1484.0 maintains the existing architecture of the FIM Portal (still integrated with SharePoint), FIM Service, and the FIM Synchronisation Service.  Also maintained are the separate FIM Service and FIM Sync databases. Installation of the CTP is almost identical to FIM 2010 R2 SP1, including the same woes with SharePoint 2013 configuration.… [Keep reading] “MIM and Privileged Access Management”

ADFS Metadata Conversion for Shibboleth

I recently blogged about the issues integrating Shibboleth Service Providers with ADFS. As an update to that blog one of Kloud’s super smart developers (Alexey Shcherbak) has re-written the FEMMA ADFS2Fed.py Python script in PowerShell, removing the need for Python and the LXML library! The ADFS2Fed converts ADFS metadata for consumption by a Shibboleth SP. Below is the output of Alexey’s labour, awesome work Alexey!

[code language=”PowerShell” gutter=”false”]
$idpUrl = "https://federation.contoso.com";
$scope = "contoso.com";
$filename = ((Split-Path -parent $PSCommandPath) +"\federationmetadata.xml");

[void][System.Reflection.Assembly]::LoadWithPartialName("System.Xml.Linq");
$xel = [System.Xml.Linq.XElement]::Load($filename);

$shibNS = New-Object System.Xml.Linq.XAttribute @(([System.Xml.Linq.XNamespace]::Xmlns + "shibmd"), "urn:mace:shibboleth:metadata:1.0");
$xel.Add($shibNS);

$scopeContent = New-Object System.Xml.Linq.XElement @("{urn:mace:shibboleth:metadata:1.0}Scope", (New-Object System.Xml.Linq.XAttribute @("regexp","false")),$scope);
$scope = New-Object System.Xml.Linq.XElement @("{urn:oasis:names:tc:SAML:2.0:metadata}Extensions",$scopeContent);
$xel.AddFirst($scope);

$authN = New-Object System.Xml.Linq.XElement @("{urn:oasis:names:tc:SAML:2.0:metadata}SingleSignOnService", (New-Object System.Xml.Linq.XAttribute @("Binding","urn:mace:shibboleth:1.0:profiles:AuthnRequest")), (New-Object System.Xml.Linq.XAttribute @("Location", ($idpUrl+"/adfs/ls/"))) );
$firstSSO = [System.Linq.Enumerable]::First( $xel.Descendants("{urn:oasis:names:tc:SAML:2.0:metadata}SingleSignOnService"));
$firstSSO.AddBeforeSelf($authN);

$xel.Elements("{http://www.w3.org/2000/09/xmldsig#}Signature")|%{ $_.Remove()};
$xel.Elements("{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor") | %{$_.Remove()};
$xel.Elements("{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor") | %{$_.Remove()};
$xel.Elements("{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor")| %{$_.Remove()};

$xel.Save(($filename+"ForShibboleth.xml"), [System.Xml.Linq.SaveOptions]::None)
[/code]

Shibboleth Service Provider Integration with ADFS

If you’ve ever attempted to integrate a Shibboleth Service Provider (Relying Party) application with ADFS, you’d have quickly realised that Shibboleth and ADFS are quite different beasts. This blog covers off some of the key issues involved and provides details on how to get ADFS to play nice with a Shibby Service Provider (SP). This blog does not cover configuring ADFS to participate as a member in a Shibboleth Federation like InCommon or the Australian Access Federation (AAF).… [Keep reading] “Shibboleth Service Provider Integration with ADFS”

Windows Azure Active Directory Self Service Password Reset

Microsoft has recently released an enhancement to its Windows Azure Active Directory (WAAD) offering. This enhancement enables end users to perform self-service password resets in the case of a forgotten password. Previously this function was available to administrative accounts only.

WAAD self-service password reset (SSPR) is a premium offering, requiring Premium Features to be enabled for the WAAD.

Once WAAD Premium Features are enabled, the User Password Reset Policy can be edited and SSPR enabled. For the initial release, enabling SSPR does so for all WAAD user accounts.… [Keep reading] “Windows Azure Active Directory Self Service Password Reset”

AD FS and self-signed Token-Signing certificates

AD FS uses Token-Signing certificates to digitally sign security tokens generated by the service. This signature provides evidence that a security token has not been modified during transit. The public key of the Token-Signing certificate is provided during establishment of federation trusts so that the application or service receiving a signed security token can verify the signature.

Recently a Kloud client raised a query about the use of self-signed certificates versus use of a commercial certificate from a public certificate authority for the AD FS Token Signing certificate.… [Keep reading] “AD FS and self-signed Token-Signing certificates”

Resource Based Kerberos Constrained Delegation

Big changes have occurred in the Kerberos authentication space with the introduction of Windows Server 2012. For this blog I’ll focus on Kerberos Constrained Delegation and Protocol Transition, highlighting what Server 2012 brings to the table, and how the changes can be used to improve security in a typical deployment scenario.

Kerberos Delegation Explained

To start, a high level explanation of Kerberos delegation – it enables an account to impersonate another account for the purpose of providing access to resources.… [Keep reading] “Resource Based Kerberos Constrained Delegation”