Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
How does Shibboleth guarantee that 3rd parties do noet get access to user attributes contained in SAML 2.0 assertion exchanged between IdP and SP?
Is it correct that all user attributes are encrypted when transferred from IdP to SP? Are the user attributes encrypted with a symmetric key which is also included in the assertion but encrypted with the public key of the SP?
I doubt that Shibboleth does anything to guarantee that user attributes are encrypted. Per the SAML 2.0 spec (pdf):
Message confidentiality of both SAML requests and SAML responses is OPTIONAL and depends on the environment of use.
However, SAML 2.0 does permit the use of message-level confidentiality guarantees (pdf), including XMLEnc and XMLSig (both of which Shibboleth supports) as well as custom profile or attribute types which may support other modes of message-level confidentiality.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am developing a web scraping project which requires for me to send requests to certain pages of a website. As it stands, from what I can see using my web debugger, I have to send requests to the home page of the site in order to get a response with certain cookies which I would need to access other parts of the site. This is necessary for me currently because I would have to manually add cookies from the response headers which can be a pain.
Any help would be appreciated.
You'll want to specify a cookie "jar" for your http client, which will provide a persistent cookie location that will be sent by client requests and updated based on cookie headers in the response:
https://golang.org/pkg/net/http/cookiejar/#example_New
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 4 years ago.
Improve this question
I am just leatning in crypting for my application to encrypt web.config asp.net. I have encrypted my web.config file using AES. When I run my application db got connected.
I just wan to know how sql able to read encrypted connection string?
"When the page is requested, the .NET Framework decrypts the connection string information and makes it available to your application."
https://msdn.microsoft.com/en-us/library/hh8x3tas(v=vs.100)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Scenario:
IIS ARR front-end is distributing load to n. IIS app servers running MVC 6.
Multiple domains point to the ARR
Using MS Identity authentication
All Appservers serve the same application with slight branding/content changes depending on which domain was used to access the site. We'll call each variation a "portal".
Can you verify the following assumption?
Identity auth tickets appear to work out of the box for this scenario.
Specifically, If a user logs into the site under "www.foo.com" and then hits the same site using "www.bar.com" that they will not appear to be authenticated at bar.com (even though they are technically hitting the same application, on the same or different App server).
Are there any gotchas with this?
Can you check this architectural decision?
We've linked in a MVC 6 middleware component to inspect the domain of each request to set a "portalID" variable in the HTTP context's Request object. The component just checks the domain name against a Hashtable and sets the appropriate portal ID for the request.
Variable content is rendered using partial views and the new view components. All variable content (like header image references, text, etc) is stored in a database and IMemoryCached cached and varied by portalID
When a user registers, the registration method tags the user with their PortalID (we only have one user DB for all "portals", but want to keep the users segmented).
Is this a reasonable way to implement this scenario, given the new MVC 6 framework?
Can you think of any gotchas with this implementation?
In regards to authentication, auth tickets (cookie-based authentication) are per domain so you'll have no problems with a user accessing Portal A when only logged into Portal B. You can implement so that can be authenticated across multiple sub-domains, but that's a non-default scenario and only applies to sub-domains, not to entirely different domains. In fact, prove it to yourself by logging into one of your portals and seeing the authentication ticket in your cookie collection. Then go to another domain/portal and view your cookie collection: your auth cookie won't be there (applies to any cookie).
I've implemented scenarios like this many times without issues (one app, many different "sites" with caching/differing views/etc.) albeit Forms Authentication ones, but the principal still applies.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I have an already built Asp.Net application which is using Asp.Net membership provider.
There is a client web application which has its own login. Once logged in, the user gets some links. These links are directed to the application I have developed. Currently since these are two different applications hosted in two domains, there are two time login required.
What I am trying to achieve is have SSO and not have to login when the user is already logged in the client application. I have read through and seems its possible to have this done via a STS provider like ThinkTecture IdentityServer and utlising ADFS at our end.
Is this the best approach and if yes, I couldn't find much of documentation with respect to what are the updates I need to ask from the main application team to have it SSO enabled.
That might be possible with STS Provider or ADFS. What I would suggest is to have a web application only for authentication where in when user clicks on login on main website, you can redirect to authentication application, authenticates and create a token and then redirect back to main application along with token. Later, you can call any applications along with this token and check if user has permission to access this application or not. Token contains information such as authenticated user, permission, etc. I suppose you need to create custom http module to implement this.
If all applications are under one domain, it can be achieved by cookies.
I believe the easiest way is using Azure Active Directory to do that. Here's a few articles/information about that:
http://www.dotnetcurry.com/windows-azure/1123/secure-aspnet-mvc-azure-using-active-directory-signon
http://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/
I believe the best approach would be to host an Identity Provider like ADFS or ThinkTecture somewhere else and then make both the Main application and your application a relying party of this Identity Provider.
Both applications would need to be changed to support the WS-Federation protocol (which asp.net already has a HTTP module for supporting it).
Have a read of this https://msdn.microsoft.com/en-gb/library/bb498017.aspx
Then also check out this blog http://chris.59north.com/post/Configuring-an-ASPNET-site-to-use-WS-Federation
How about mimicking the SSO concept?
On click of the link provided in Party A's website generate a token
with a Timestamp.
Upload it in your DB through Services
Encrypt the token using RSA with additional parameters both agree upon
Redirect to your URL with this encrypted parameter converted to base64
Decrypt on your side and check for the token in your website and then allow to your website.
Write a logic for the token to be defunct in a specified time.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
Our production BizTalk server have these many service accounts:
Enterprise Single Sign-On Service,
Enterprise Single Sign-On Administrator,
Single Sign-On affiliate User,
BizTalk Host Instance Account,
BizTalk Isolated Host Instance Account,
Rule Engine Update Service,
BAM Notification Services User,
BAM Management Web Service User,
BizTalk Base EDI service,
BizTalk Administrator,
BizTalk Server Operator User,
BizTalk Server B2B Operator User,
Domain Account for project.
I wanted to know that from the following list which all accounts to consider for password change and which one to leave and why?
All Service passwords should be changed based on your existing Password Policy. There are no specific BizTalk reasons to do anything different.
Read here: http://msdn.microsoft.com/en-us/library/aa561505.aspx
Note, you must follow the steps for the Master Secret Server or you will break the group to an unrepairable state.
Also, these accounts: BizTalk Administrator, BizTalk Server Operator User, BizTalk Server B2B Operator User, should not exist as named, rather they should be actual domain users whose Password Policy is enforced at the Domain level.
Meaning, no one should logon with a generic account named "BizTalk Administrator". A person's User Account mydomain\bgates would be a member of the BizTalk Administrators Domain Group.