Wednesday, September 24, 2014

Misc : Popular posts

There is a little widget that's supposed to do this but here are the actual statistics.


Notice the number of ADFS hits!

Enjoy!

Misc : GitHub for Windows - Clone in Desktop

GitHub for Windows is a neat tool but suffers from a severe lack of documentation.

I find a project I like, click "Clone in Desktop" on the RHS and it takes me to a screen saying "Download GitHub for Windows" even though I have the damn thing already installed.

So ^^%$$% frustrating.

Mr. Google to the rescue and, after a number of false starts (Google sucks more and more at delivering useful search results), I discovered that you need to log in to the GitHub site first.

Then all is OK.

Going by the number of hits I found on this, 99% of the confusion would be avoided if GitHub put a notice to that effect on the page, e.g.

"You must first Login".

Enjoy!

Tuesday, September 23, 2014

ADFS : The joys of hidden context

Playing around with ADFS 3.0 on Server 2012 R2 and found yet another difference from ADFS 2.x.

Imagine you have a number of .NET applications that authenticate via ADFS acting as an RP-STS, which in turn federates to another IP-STS.

Now on the IP-STS you want to know which RP the authentication request is coming from.

All the ADFS requests come through one channel, so the HTTP "Referer" header is useless for telling them apart.

In your RP's web.config you can add a parameter such as wreply or wtrealm to the wsFederation element.

You'll see these in the URL sent to ADFS, in the wctx parameter. But none of that reaches the IP-STS: ADFS "removes" them, and the wctx it sends onward is just a GUID.

And there is a cookie on the way which looks like:

MSISContextc1da81dd-46b6-4cee-b051-9c0e7a298527=xxxyyy==

where xxxyyy is Base64 encoded.

In ADFS 2.0, there was an entry in the web.config which told ADFS not to encode this information in a cookie but to send it as part of the query string - which makes for a lll-oon-nnn-ggg query string!

This entry was:

<context hidden="true" />

But in ADFS 3.0 there is no actual web.config. You have to look in:

C:\Windows\ADFS

and there's a file called:

Microsoft.IdentityServer.Servicehost.exe.config

but it has no such entry.

The trick is to use PowerShell:

 Set-AdfsWebConfig -ContextCookieEnabled $False
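To make the difference visible, here is an added Python example (not from the post and not ADFS code) that parses a WS-Federation sign-in URL, classifies its wctx as the RP's inline context or the opaque GUID, and matches that GUID against an MSISContext cookie of the shape shown above. The hosts, realms and cookie values are constructed, and the rm/id/ru field layout of the inline wctx is assumed from WIF's usual encoding.

```python
# Added example (not from the post): parse a WS-Federation passive sign-in URL
# and tell whether wctx carries the RP's context inline or is the opaque GUID
# that ADFS emits when the context is hidden in an MSISContext<GUID> cookie.
import re
from urllib.parse import parse_qs, urlsplit

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
GUID_RE = re.compile(rf"^{GUID}$")
# Cookie name/value shape taken from the post: MSISContext<GUID>=<Base64>
MSIS_CONTEXT_RE = re.compile(rf"^MSISContext(?P<guid>{GUID})=(?P<value>[A-Za-z0-9+/]+=*)$")


def parse_wsfed_request(url):
    """Return wa/wtrealm/wreply/wctx from a sign-in URL plus a 'context_mode'
    of 'inline' (RP context visible), 'hidden' (GUID only) or 'none'."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items() if k in ("wa", "wtrealm", "wreply", "wctx")}
    wctx = params.get("wctx", "")
    if GUID_RE.match(wctx):
        params["context_mode"] = "hidden"
    elif wctx:
        params["context_mode"] = "inline"
        # wctx is itself a URL-encoded query string (assumed WIF rm/id/ru fields)
        params["wctx_fields"] = {k: v[0] for k, v in parse_qs(wctx).items()}
    else:
        params["context_mode"] = "none"
    return params

def find_context_cookie(cookie_header, wctx):
    """Return the Base64 value of the MSISContext cookie whose GUID matches an
    opaque wctx, or None when no cookie in the Cookie header matches."""
    for part in cookie_header.split(";"):
        m = MSIS_CONTEXT_RE.match(part.strip())
        if m and m.group("guid").lower() == wctx.lower():
            return m.group("value")
    return None

# Constructed sample traffic (hosts, realms and cookie values are made up).
RP_TO_ADFS = ("https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
              "&wtrealm=https%3A%2F%2Fapp.example.com%2F&wreply=https%3A%2F%2Fapp.example.com%2F"
              "&wctx=rm%3D0%26id%3Dpassive%26ru%3D%252F")
ADFS_TO_IDP = ("https://idp.example.net/adfs/ls/?wa=wsignin1.0"
               "&wtrealm=https%3A%2F%2Fadfs.example.com%2Fadfs%2Fservices%2Ftrust"
               "&wctx=c1da81dd-46b6-4cee-b051-9c0e7a298527")
COOKIES = "MSISContextc1da81dd-46b6-4cee-b051-9c0e7a298527=eHh4eXl5; MSISAuth=abc"

if __name__ == "__main__":
    for url in (RP_TO_ADFS, ADFS_TO_IDP):
        print(parse_wsfed_request(url))
    print(find_context_cookie(COOKIES, parse_wsfed_request(ADFS_TO_IDP)["wctx"]))
```

Running it shows the RP's wreply/wtrealm and inline wctx on the first hop, and only a GUID wctx (with the matching MSISContext cookie) on the hop towards the IP-STS.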

Enjoy!